EasyManuals Logo
Home>Cisco>Network Hardware>ASA Series

Cisco ASA Series User Manual

Cisco ASA Series
2164 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #142 background imageLoading...
Page #142 background image
1-6
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Transparent or Routed Firewall
Information About the Firewall Mode
MAC Address vs. Route Lookups
When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing
a MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following traffic types:
Traffic originating on the ASA—For example, if your syslog server is located on a remote network,
you must use a static route so the ASA can reach that subnet.
Traffic that is at least one hop away from the ASA with NAT enabled—The ASA needs to perform
a route lookup to find the next hop gateway; you need to add a static route on the ASA for the real
host address.
Voice over IP (VoIP) and DNS traffic with inspection enabled, and the endpoint is at least one hop
away from the ASA—For example, if you use the transparent firewall between a CCM and an H.323
gateway, and there is a router between the transparent firewall and the H.323 gateway, then you need
to add a static route on the ASA for the H.323 gateway for successful call completion. If you enable
NAT for the inspected traffic, a static route is required to determine the egress interface for the real
host address that is embedded in the packet. Affected applications include:
CTIQBE
DNS
GTP
H.323
MGCP
RTSP
SIP
Skinny (SCCP)
ARP Inspection
By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by
enabling ARP inspection.
When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface
in all ARP packets to static entries in the ARP table, and takes the following actions:
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.
If there is a mismatch between the MAC address, the IP address, or the interface, then the ASA drops
the packet.
If the ARP packet does not match any entries in the static ARP table, then you can set the ASA to
either forward the packet out all interfaces (flood), or to drop the packet.
Note The dedicated management interface, if present, never floods packets even if this parameter
is set to flood.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.

Table of Contents

Other manuals for Cisco ASA Series

Preview: Configuration Guide
Configuration Guide428 pages
Preview: Mount And Connect
Mount And Connect12 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA Series and is the answer not in the manual?

Cisco ASA Series Specifications

General IconGeneral
BrandCisco
ModelASA Series
CategoryNetwork Hardware
LanguageEnglish

Related product manuals