Firewall
FeIix edited this page May 10, 2026
·
18 revisions
| ASA Deployment Mode | ASA Interface Mode | Security Context Modes |
|---|---|---|
| Routed | Routed | Single- or Multiple-context |
| Transparent | Switched (BVI) | Single- or Multiple-context |
Multiple-context mode allows a single physical ASA to be partitioned into multiple isolated virtual devices.
```
                 61.202.20.2           .------- inside 192.168.0.0/24
INTERNET ----------outside---- ( ASA )
                                       `------- dmz_zone 10.10.0.0/24
```
- Functioning like a switch
```
                 61.202.20.2             192.168.0.0/24        .------ HOSTS .11
INTERNET ----------outside--- ( ROUTER ) ---inside---- ( ASA )
                                                               `------ HOSTS .12
```
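The two ASA topologies above, written out as interface configuration. This is an added example, not part of the original page; the interface names, subnet masks, security levels and the ASA's own addresses (`.1` gateways, BVI `192.168.0.2`) are assumptions, while the `nameif` names and networks come from the diagrams.

```cisco
! ===== Option A: routed mode (the ASA default) =====
! The ASA is a Layer 3 hop: one subnet per interface, and the ASA
! address on each segment is that segment's gateway.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! /24 mask is assumed; the page only gives the address
 ip address 61.202.20.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! assumed gateway address for 192.168.0.0/24
 ip address 192.168.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz_zone
 security-level 50
 ! assumed gateway address for 10.10.0.0/24
 ip address 10.10.0.1 255.255.255.0
 no shutdown

! ===== Option B: transparent mode (switched, BVI) =====
! The ASA bridges a single subnet, so hosts .11 and .12 keep the
! router as their gateway. Member interfaces carry no IP address;
! only the bridge virtual interface (BVI) does.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
interface BVI1
 ! assumed free address inside 192.168.0.0/24
 ip address 192.168.0.2 255.255.255.0
```

Changing the firewall mode clears the running configuration, so set the mode first and apply the interface settings afterwards.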
| FTD Interface Mode | FTD Deployment Mode | Description | Traffic can be dropped |
|---|---|---|---|
| Routed | Routed | Full LINA engine (firewall) and Snort engine (IPS) | Yes |
| Switched (BVI) | Transparent | Full LINA engine and Snort engine | Yes |
| Inline Pair | Routed or Transparent | Partial LINA engine and full Snort engine | Yes |
| Inline Pair with TAP | Routed or Transparent | Partial LINA engine and full Snort engine | No |
| Passive | Routed or Transparent | Partial LINA engine and full Snort engine | No |
| Passive (ERSPAN) | Routed | Partial LINA engine and full Snort engine | No |
Encapsulated Remote SPAN (ERSPAN) uses GRE to tunnel mirrored traffic across Layer 3 boundaries from remote switches.
- Functioning like a wire
- With TAP, only a copy of the traffic is inspected, so it is impossible to drop traffic
```
                 61.202.20.2             192.168.0.0/24
INTERNET ----------outside--- ( ROUTER ) ---inside---- ( FTD/IPS ) ----inside
```
- Inspecting a copy of traffic
```
                 61.202.20.2             192.168.0.0/24
INTERNET ----------outside--- ( ROUTER ) ---inside---- [ SWITCH ] ----inside
                                                            \SPAN
                                                             `------ (FTD/IPS)
```