
Transparent Firewall in ASA

By default a standard firewall acts as a layer 3 device: each of its configured interfaces carries an IP address, and those interface addresses can also be used to reach the firewall administratively. If the interface addressing is shared with other network administrators, or otherwise leaks, the firewall itself becomes a reachable target for attack.

The firewall runs in routed mode by default, and this exposure can be addressed by converting it to a transparent firewall. A transparent firewall acts as a layer 2 device and makes its forwarding decisions using MAC addresses. It can still perform stateful inspection, NAT, ACLs, Modular Policy Framework and so on. The drawback of this deployment is that the firewall cannot terminate a VPN session, so gather all the requirements for your network before proceeding with this.

A transparent firewall uses a bridge group to make forwarding decisions based on MAC address. To manage the device, however, we assign an IP address to the BVI (Bridge Virtual Interface).

Let's implement a transparent firewall using the diagram below. The BVI of the firewall will be 192.168.100.100/24, and we will use bridge group 100 to forward traffic based on MAC address.

When you change your firewall from routed to transparent mode, it is important to know that all of the configuration will be deleted. So I advise you to back up the whole configuration before doing this.

To convert your firewall to transparent mode, issue the firewall transparent command in global configuration mode. To verify, use the show firewall command.

We will now create BVI 100 (Bridge Virtual Interface) and assign 192.168.100.100/24 to it for device management.

Note: You can assign any bridge group number ranging from 1 to 100.

We then configure the interfaces on the firewall, but instead of assigning an IP address to each one, we assign it to bridge group 100.

Upon completion, we should be able to ping the gateway, 192.168.100.1.
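The complete sequence of steps above, as an added configuration example that is not taken from the original post. The interface names (GigabitEthernet0/0 and 0/1), the nameif values, and the SSH management lines are assumptions for illustration; the BVI address, gateway and bridge group number are the ones the post uses.

```cisco
! Step 1: switch to transparent mode (this erases the running configuration, so back it up first)
firewall transparent
! verify the mode
show firewall

! Step 2: the BVI carries the only IP address on the box, used purely for management
interface BVI 100
 ip address 192.168.100.100 255.255.255.0

! Step 3: data interfaces get no IP address, only a bridge group membership
! (interface names and nameif values are assumed for this example)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 100
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 100
 no shutdown

! Because the BVI address is the only way in, restrict who may reach it
! (assumed management policy: SSHv2 from the inside subnet only, local user database)
ssh version 2
ssh 192.168.100.0 255.255.255.0 inside
aaa authentication ssh console LOCAL

! Step 4: verification
show bridge-group 100
ping 192.168.100.1
```

show bridge-group 100 should list both member interfaces, and the ping to the gateway confirms the BVI address is reachable through the bridge.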

Now you have a working transparent firewall.

