PrepAway - Latest Free Exam Questions & Answers

Which statement is true regarding Transparent mode configuration on Cisco ASA firewall running version 9.x?

A. Networks connected with the ASA data interfaces must be in different subnets for the traffic to flow.

B. Bridge Groups are not supported in Transparent mode.

C. Default route defined on the ASA is only for the management traffic return path.

D. You need to make management interface of the ASA as the next-hop for the connected devices to establish reachability across the ASA.

E. Management interface does not update the MAC address table.

Explanation:
Correct answer: C. In transparent mode the default route exists only to provide a return path for traffic that originates on the ASA itself (management traffic); through-traffic is bridged, not routed. Option A contradicts the same-subnet guideline below, D contradicts the default-gateway guideline, E contradicts the MAC address table guideline, and B is wrong because ASA 9.x transparent mode places interfaces into bridge groups.

Transparent Firewall Guidelines
- In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, the ASA updates the MAC address table to use the management interface to reach the switch instead of the data interface. This causes a temporary traffic interruption; for security reasons the ASA will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds.
- Each directly-connected network must be on the same subnet.
- Do not specify the bridge group management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the ASA as the default gateway.
- The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_fw.html
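The guidelines above translate into a small ASA 9.x configuration. The following is an added example (not from the Cisco document or the exam question) showing a transparent-mode ASA with two bridge groups, the single default route that covers management traffic from only the first bridge group network, and the extra static route needed for management traffic from the second. Interface names, IP addresses, the router addresses and the remote management subnet 192.168.100.0/24 are assumed values.

```cisco
! Added example, not Cisco's own text. All names and addresses are assumed.
firewall transparent
!
! Bridge group 1: inside and outside are on the SAME subnet (10.1.1.0/24).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! BVI address is for management of the ASA only. Hosts on 10.1.1.0/24 keep
! the router 10.1.1.1 (on the far side of the ASA) as their default gateway,
! not 10.1.1.10.
interface BVI1
 ip address 10.1.1.10 255.255.255.0
!
! Bridge group 2: a second bridged segment (10.2.1.0/24).
interface GigabitEthernet0/2
 nameif dmz-out
 security-level 0
 bridge-group 2
 no shutdown
!
interface GigabitEthernet0/3
 nameif dmz-in
 security-level 100
 bridge-group 2
 no shutdown
!
interface BVI2
 ip address 10.2.1.10 255.255.255.0
!
! The Management0/0 port should go to a different switch than the data
! interfaces (or to a routed switch port), because it updates the MAC
! address table like a data interface.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!
! Only one default route is allowed, and it names a bridge group 1 member
! interface plus the router on that bridge group's network. It provides the
! return path for ASA-originated traffic (syslog, AAA, SSH replies) that
! leaves via bridge group 1 only.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Management traffic from a network reached through bridge group 2 is NOT
! covered by the default route; it needs a static route that identifies that
! network and the router on the bridge group 2 segment.
route dmz-out 192.168.100.0 255.255.255.0 10.2.1.1 1
```

Verify with `show route` that both the default route and the static route are installed, and with `show mac-address-table` that the MAC entries for the connected switches are learned on the expected data interfaces rather than on the management interface. The security-relevant point is that forgetting the second static route does not break bridged through-traffic; it silently breaks syslog, AAA and remote management replies from the second bridge group network.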

