Which two statements about a transparent firewall are true? (Choose two.)
A. A transparent firewall works at Layer 2
B. It does not support any type of VPN
C. It can have only a management IP address
D. It only supports path
E. Both interfaces must be configured with private IP addresses
A and C
VPN termination for through traffic
The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an extended access list, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_fw.html
AC
Can someone verify these new A, C answers on the real test?
The answer should be A, C, not A, B, because it supports site-to-site VPN.
Transparent Firewalls
Transparent firewalls are known as Bumps in the Wire. They work purely at Layer 2 and are not seen as a hop, as opposed to Layer 3 routed firewalls, which decrement the TTL. By bridging interfaces the ASA can forward traffic transparently to the end user/device. It is important to remember that there are limitations to a transparent firewall's capabilities and to keep this in mind when designing networks with Cisco ASA firewalls. Forwarding is done by destination MAC address.
Features that are not supported are:
• QoS
• DHCP relay
  ○ Cannot be a DHCP server but can pass relay commands with an extended ACL
• VPN termination
  ○ Only site-to-site VPN for management is supported.
  ○ Extended ACLs can pass connections.
  ○ SSL VPN is not supported.
• Dynamic/Multicast Routing
  ○ Need an ACL to pass traffic.
• Dynamic DNS
It is important to be aware that the address assigned to the BVI is the management IP. This address will not be seen by traffic transiting across the ASA. Each bridge group can support four interfaces whilst each context can have eight bridge groups. We will discuss contexts later.
Check this forum; based on info from this forum you may have more than one IP in transparent mode…
https://community.cisco.com/t5/firewalls/ips-in-transparent-mode/td-p/2081911
Hello Lcaruso,
Starting on ASA 8.4, in transparent mode you can have more than one IP as you will be using bridge groups; also the management interface will have its own dedicated IP address.
The AIP-SSM will be fully functional whether you have it in transparent mode or not.
Regards,
Julio
Julio Carvajal
Senior Network Security and Core Specialist
Note: Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface (ASA 5510 and Higher)” section.
The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.
So C seems to be OK. All the time only the management IP.
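Putting the pieces of this thread together in one configuration fragment, as an added example that is not part of the question or of any post above: an ASA 9.x transparent-mode setup with a single bridge group, the only data-path IP address on the BVI (the management IP from the Cisco note), a dedicated management interface as described for the ASA 5510 and higher, and the extended ACL that lets a site-to-site IPsec tunnel between two other peers pass through the ASA without being terminated on it. Interface names, the ACL name and all addresses (taken from the RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not from the question or the forum posts. Interface names,
! addresses (RFC 5737 documentation ranges) and the ACL name are assumptions.
!
! 1. Put the ASA in transparent mode. Changing the firewall mode clears the
!    running configuration, so do this on a fresh unit or from the console.
firewall transparent
!
! 2. Two data interfaces bridged into one bridge group. The ASA forwards
!    between them by destination MAC address and does not decrement TTL;
!    neither data interface carries an IP address of its own.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! 3. The only IP address tied to the data path is the bridge group's
!    management IP, on the same subnet as the bridged network. The ASA uses
!    it as the source of packets it originates (ARP, syslog, etc.); hosts on
!    either side never see it as a routed hop.
interface BVI1
 ip address 192.0.2.2 255.255.255.0
!
! 4. Optional dedicated out-of-band management interface (ASA 5510 and
!    higher). This is where the management-only site-to-site VPN from the
!    Cisco note would terminate; it never carries through traffic.
interface Management0/0
 nameif management
 security-level 100
 ip address 198.51.100.2 255.255.255.0
 management-only
!
! 5. The ASA does not terminate a tunnel for through traffic, so the two VPN
!    peers terminate IPsec themselves. An extended ACL on the outside interface
!    lets IKE (UDP/500), NAT-T (UDP/4500) and ESP from the remote peer
!    203.0.113.10 reach the inside peer 192.0.2.10; everything else inbound
!    on outside is dropped by the implicit deny.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 192.0.2.10 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 192.0.2.10 eq 4500
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 192.0.2.10
access-group OUTSIDE_IN in interface outside
!
! 6. Verify: the firewall mode, the bridge group with its single IP address,
!    and the MAC table the ASA actually forwards on.
show firewall
show bridge-group 1
show mac-address-table
```

The three `access-list` lines are what the quoted Cisco text means by passing VPN traffic "using an extended access list": the ASA inspects and permits the IKE and ESP flows like any other through traffic, but has no crypto map or tunnel-group for them. Compare answer C with step 3: `show bridge-group 1` lists exactly one IP address, the management IP on BVI1, and that address is never a next hop for the hosts on either side.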