Packet Flow Transparent Firewall


DESCRIPTION

packet flow through Cisco ASA deployed in transparent mode


  • 1. In transparent mode the ASA finds the egress interface on the basis of its MAC address table instead of a route lookup.
    2. The ASA performs a route lookup only if the traffic is generated on the ASA itself (syslog, AAA and the like), or if NAT is enabled for the given traffic.

    When the ASA is working in transparent mode, ARP is allowed in both directions by default, without an access list. If someone wants to control ARP traffic, that can be done using ARP inspection. For Layer 3 and above traffic traversing from the lower to the higher security zone, we need to put the access list on the lower-security interface; traffic from the higher to the lower zone is permitted by default. Traffic not supported by the ASA in transparent mode: CDP packets and IS-IS traffic (frames without an EtherType of 0x600 or greater are not bridged). It does allow BPDUs, so that STP can prevent loops.

    Packet flow examples:

    Source is located in the higher security zone and the destination is in the lower security zone.

    A user tries to access a destination on the Internet and sends the packet. The packet reaches the ASA, the ASA adds the source MAC to its MAC address table (learned on the ingress interface), and it then performs all the security checks.

    Then the ASA creates a connection for this flow. Assuming the destination MAC address is in the ASA's MAC address table, it then sends the packet to the destination (the gateway). If the destination MAC is not known, the ASA tries to discover it using an ARP request and a ping; this drops the first packet, and the retransmission goes through once the MAC has been learned.

    When the server on the outside responds, the reply is allowed even though it arrives on the lower-security interface, because a connection already exists for it.
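    The decision sequence described in the notes above and in this packet flow example (MAC learning, connection lookup, security-level default with an access list required on the lower-security interface, egress chosen from the MAC address table, and the ARP/ping discovery that costs the first packet) can be modelled in a few dozen lines. The following is an added example, not Cisco code and not from the original slides: the interface names, security levels, MAC addresses, IP addresses and the ACL representation are all constructed for illustration, and it assumes a two-interface bridge group so that an unknown destination MAC has only one candidate egress interface.

```python
"""Toy model of the forwarding decision a Cisco ASA makes in transparent mode.
Added example, not Cisco code.  It models MAC learning on ingress, the
connection table, the security-level default (high -> low permitted, low ->
high needs an ACL applied inbound on the low interface), egress chosen by a
MAC-table lookup instead of a route lookup, and the ARP/ping discovery that
costs the first packet when the destination MAC is unknown."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass
class TransparentASA:
    # interface name -> security level (assumed: inside=100, outside=0)
    security_levels: dict
    # interface -> set of (proto, dst_ip, dport) permitted by the ACL applied
    # inbound on that interface; a constructed representation, not ASA syntax
    acls: dict = field(default_factory=dict)
    mac_table: dict = field(default_factory=dict)   # mac -> interface
    conns: set = field(default_factory=set)        # (proto, client, server, port)
    discovery: list = field(default_factory=list)  # (kind, iface, ip) the ASA sent

    def learn(self, mac, iface):
        """MAC learning: a frame's source MAC is bound to its ingress interface."""
        self.mac_table[mac] = iface

    def _egress_for(self, ingress, pkt):
        """Egress is a MAC-table lookup, not a route lookup.  Returns
        (interface, mac_known).  With the MAC unknown, a two-interface bridge
        group is assumed so the only candidate is the other interface."""
        known = self.mac_table.get(pkt.dst_mac)
        if known is not None:
            return known, True
        others = [i for i in self.security_levels if i != ingress]
        return others[0], False

    def _policy_allows(self, ingress, egress, pkt):
        if self.security_levels[ingress] > self.security_levels[egress]:
            return True                 # higher -> lower: permitted by default
        # lower -> higher: only what the ACL on the low-security interface permits
        return (pkt.proto, pkt.dst_ip, pkt.dport) in self.acls.get(ingress, set())

    def receive(self, ingress, pkt):
        """Process one frame; returns ("forward", egress) or ("drop", reason)."""
        self.learn(pkt.src_mac, ingress)
        fwd = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dport)
        rev = (pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.sport)
        egress, mac_known = self._egress_for(ingress, pkt)
        if fwd not in self.conns and rev not in self.conns:
            # new flow: security checks first, then a connection entry
            if not self._policy_allows(ingress, egress, pkt):
                return "drop", "acl-deny:" + ingress
            self.conns.add(fwd)
        if not mac_known:
            # first packet is lost while the ASA discovers the destination MAC
            self.discovery.append(("arp", egress, pkt.dst_ip))
            self.discovery.append(("ping", egress, pkt.dst_ip))
            return "drop", "unknown-dst-mac"
        return "forward", egress


if __name__ == "__main__":
    # Constructed walk-through: inside host talks to an Internet server via
    # the outside gateway whose MAC the ASA has not yet learned.
    asa = TransparentASA({"inside": 100, "outside": 0})
    out = Packet("aaaa.0000.0001", "bbbb.0000.00ff",
                 "10.1.1.10", "203.0.113.5", "tcp", 50000, 443)
    print("first packet:", asa.receive("inside", out), asa.discovery)
    asa.learn("bbbb.0000.00ff", "outside")   # gateway answered the ARP request
    print("retransmit:  ", asa.receive("inside", out))
    back = Packet("bbbb.0000.00ff", "aaaa.0000.0001",
                  "203.0.113.5", "10.1.1.10", "tcp", 443, 50000)
    print("server reply:", asa.receive("outside", back))
```

    Note that the policy check and connection creation happen before the MAC-table lookup, as the flow example describes, so the retransmission after the ARP reply is matched by the existing connection and forwarded without re-evaluating the ACL; an unsolicited packet from the outside, by contrast, is dropped until an entry on the outside interface's ACL permits it.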