Transparent mode is a Cisco ASA deployment model that allows the ASA to act as a bump in the wire, or a stealth firewall. In this mode, the ASA does not have an IP address on the network, and it does not participate in routing. Instead, it filters traffic between hosts in the same IP subnet using higher-level protocols such as TCP, UDP, and ICMP. Transparent mode is useful when you want to apply security policies without readdressing the network or changing the default gateway of the hosts.
Some of the benefits of transparent mode are:
It preserves the original source and destination IP addresses of the packets, which can be useful for logging and auditing purposes.
It simplifies the configuration of the ASA, as you do not need to configure routing protocols, NAT, or DHCP.
It allows the ASA to inspect non-IP traffic, such as ARP, STP, and CDP.
It supports multiple contexts, which can provide logical separation of traffic for different tenants or customers.
Some of the limitations of transparent mode are:
It does not support VPN, dynamic routing, multicast routing, or QoS.
It requires the use of EtherType ACLs to filter non-IP traffic, which can be complex and cumbersome.
It requires the use of bridge groups and bridge domains to define the interfaces and VLANs that belong to the same broadcast domain.
It requires the use of MAC address learning and aging to maintain a MAC address table for each bridge group.
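The bridge group, EtherType ACL and MAC address table settings listed above, shown as an added ASA CLI fragment that is not part of the original page. The interface names, the ACL names NONIP and OUTSIDE-IN, and all addresses are assumptions chosen for illustration.

```cisco
! Constructed example; names and addresses are assumptions, not from the page.
firewall transparent
!
! Both interfaces join bridge group 1, so they share one broadcast domain.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! The bridge group's own address (documentation range); the member
! interfaces above carry no IP address.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! EtherType ACL: explicitly permit spanning-tree BPDUs through the firewall.
! The implicit deny at the end of an EtherType ACL does not affect IP or ARP.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside
!
! IP traffic is still filtered with an ordinary extended ACL.
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.20 eq 443
access-group OUTSIDE-IN in interface outside
!
! MAC address table: age out learned entries after 10 minutes (default is 5).
mac-address-table aging-time 10
! Stop dynamic learning on the outside interface and pin a static entry
! (constructed MAC from the documentation range).
mac-learn outside disable
mac-address-table static outside 0000.5e00.5301
```

After applying a configuration like this, `show firewall` confirms the mode and `show mac-address-table` lists the learned and static entries per interface.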