Which two statements about transparent firewall are true?

Which two statements about transparent firewall are true? (Choose two)
A. Transparent firewall works at Layer 2
B. It does not support any type of VPN
C. It can have only a management IP address
D. It only supports path
E. Both interfaces must be configured with private IP addresses


6 thoughts on “Which two statements about transparent firewall are true?”

  1. VPN termination for through traffic

    The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an extended access list, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_fw.html

    AC

  2. Answer should be A;C, not A;B, because it supports site-to-site VPN.
    Transparent Firewalls
    Transparent firewalls are known as Bumps in the Wire. They work purely at Layer 2 and are not seen as a hop, as opposed to Layer 3 routed firewalls, which decrement TTL. By bridging interfaces the ASA can forward traffic transparently to the end user/device. It is important to remember there are limitations to transparent firewalls in their capabilities and to keep this in mind when designing networks with Cisco ASA firewalls. Forwarding is done with destination MAC addresses.

    Features that are not supported are:
    • QoS
    • DHCP relay
      ○ Cannot be a DHCP server but can pass relay commands with an extended ACL
    • VPN termination
      ○ Only site-to-site VPN for management is supported.
      ○ Extended ACLs can pass connections.
      ○ SSL VPN is not supported.
    • Dynamic/Multicast Routing
      ○ Need an ACL to pass traffic.
    • Dynamic DNS
    It is important to be aware that the address assigned to the BVI is the management IP. This address will not be seen by traffic transiting across the ASA. Each bridge group can support four interfaces whilst each context can have eight bridge groups. We will discuss contexts later.

    1. Check this forum; based on info from this forum you may have more than one IP in transparent mode…

      https://community.cisco.com/t5/firewalls/ips-in-transparent-mode/td-p/2081911

      Hello Lcaruso,

      Starting on ASA 8.4 in transparent mode you can have more than one IP as you will be using bridge-groups; also the management interface will have its own dedicated IP address.

      The AIP-SSM will be fully functional whether you have it in transparent mode or not.

      Regards,
      Julio
      Julio Carvajal
      Senior Network Security and Core Specialist

      1. Note: Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface (ASA 5510 and Higher)” section.

        The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

        So C seems to be OK. All the time only a management IP.
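As an added illustration of the points made in the comments above (a bridge group whose only address is the management IP on the BVI, and an extended ACL to pass VPN traffic that the ASA does not itself terminate), here is an ASA transparent-mode configuration fragment. It is not from the original thread or from Cisco's documentation; the interface names, bridge-group number, addresses and ACL name are assumed.

```cisco
! Added example, not from the original thread. Interface names, addresses
! and the ACL name are assumed. Syntax follows ASA 8.4+ transparent mode.
firewall transparent
!
! Two member interfaces bridged together; in transparent mode they carry
! no IP address of their own.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! The only address in the bridge group is the management IP on the BVI.
! It must be on the same subnet as the network connected to the bridged
! interfaces; secondary networks are not supported.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Transparent mode does not terminate VPN for through traffic, but it can
! pass it: permit ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP so a tunnel
! between hosts on either side can traverse the bridge. Everything else
! arriving on outside is denied by the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit udp any any eq 4500
access-list OUTSIDE_IN extended permit esp any any
access-group OUTSIDE_IN in interface outside
```

The fragment shows why options A and C hold together: the ASA forwards by MAC address between the bridged interfaces, while the single management IP on BVI1 is never used as a hop by transiting traffic.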
