ASA Firewall Transparent L2
An ASA firewall can operate at Layer 2 when running in transparent mode. This allows it to be inserted into the network with minimal disruption, because no IP addressing changes are needed. A firewall in this mode is sometimes called a Layer 2 or “stealth” firewall: it does not appear as a hop on the network and is therefore invisible to users, a bump-in-the-wire. Packets are forwarded from one ASA interface to another based on their destination MAC address, so the ASA must maintain a MAC address table recording which hosts exist behind each of its interfaces. Where the ASA differs from a switch is in how it handles unknown destinations: a switch floods frames for an unknown destination MAC out of all interfaces, whereas the ASA instead tries to discover the destination interface by the following methods:
- An ARP request when the destination IP address is on a subnet directly connected to the ASA.
- A ping request when the destination IP address is on a distant subnet. This lets the ASA learn the MAC address of the next-hop router.
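The following toy model, added here as an illustration and not taken from Cisco or from the original page, walks through the forwarding decision described above: learn the source MAC, forward known destinations, and for unknown destinations probe with ARP or ping instead of flooding. The two interface names and the 192.0.2.0/24 directly connected subnet are constructed assumptions.

```python
import ipaddress

# Constructed topology for the example: the ASA bridges two interfaces
# and sits in 192.0.2.0/24 (an RFC 5737 documentation range).
DIRECT_SUBNET = ipaddress.ip_network("192.0.2.0/24")
INTERFACES = ("inside", "outside")


class TransparentAsa:
    """Toy model of the Layer 2 forwarding decision in transparent mode."""

    def __init__(self):
        # MAC address table: which interface each known host lives behind.
        self.mac_table = {}

    def learn(self, mac, iface):
        self.mac_table[mac] = iface

    def forward(self, in_iface, src_mac, dst_mac, dst_ip):
        # Source MACs are learned from every frame, as on a switch.
        self.learn(src_mac, in_iface)
        if dst_mac in self.mac_table:
            return ("forward", self.mac_table[dst_mac])
        # Unknown destination: no flooding. Probe the other interfaces so
        # that the reply reveals where the host (or next-hop router) is.
        probe_ifaces = tuple(i for i in INTERFACES if i != in_iface)
        if ipaddress.ip_address(dst_ip) in DIRECT_SUBNET:
            return ("arp-request", probe_ifaces)  # directly connected host
        return ("ping", probe_ifaces)             # distant host, via a router

    def probe_reply(self, iface, mac):
        # The interface on which the ARP/ICMP reply arrives tells the ASA
        # where that MAC lives; later frames are forwarded, not probed.
        self.learn(mac, iface)


def switch_flood(in_iface):
    """Contrast: a plain switch floods an unknown unicast out every other port."""
    return tuple(i for i in INTERFACES if i != in_iface)
```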