Which two statements about ASA transparent mode are true?

Which two statements about ASA transparent mode are true? (Choose two.)

Which two statements about ASA transparent mode are true? (Choose two.)

A.
It drops ARP traffic unless it is permitted.

B.
It does not support NAT.

C.
It requires the inside and outside interface to be in different subnets.

D.
It can pass IPv6 traffic.

E.
It cannot pass multicast traffic.

F.
It supports ARP inspection.

Explanation:
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic,
cannot pass through the security appliance unless you explicitly permit it with an
extended access list. The only traffic allowed through the transparent firewall without
an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.
These features are not supported in transparent mode:
 NAT /PAT
NAT is performed on the upstream router.
 Dynamic routing protocols (such as RIP, EIGRP, OSPF)
You can add static routes for traffic that originates on the security appliance. You can
also allow dynamic routing protocols through the security appliance with an extended
access list.Note: IS-IS is IP protocol 124 (is-is over ipv4). IS-IS transient packets can be allowed
through the transparent mode by the form of an ACL that permits protocol 124. The
transparent mode supports all 255 IP protocols.
 IPv6
 DHCP relay
The transparent firewall can act as a DHCP server, but it does not support the DHCP
relay commands. DHCP relay is not required because you can allow DHCP traffic to pass
through with an extended access list.
 Quality of Service (QOS)
 Multicast
You can allow multicast traffic through the security appliance if you allow it in an
extended access list. In a transparent firewall, access-lists are required to pass the
multicast traffic from higher to lower, as well as from lower to higher security zones. In
normal firewalls, higher to lower security zones are not required.
 VPN termination for through traffic
The transparent firewall supports site-to-site VPN tunnels for management connections
only. It does not terminate VPN connections for traffic through the security appliance.
You can pass VPN traffic through the security appliance with an extended access list, but
it does not terminate non-management connections.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-seriessecurity-appliances/97853-Transparent-firewall.html



Leave a Reply 0

Your email address will not be published. Required fields are marked *