
Version 4.1 - 5.1.c Firewall modes

This section is pretty straightforward. There are two modes - Routed Mode and Transparent Mode. Routed mode is a Layer 3 device and shows up as a router hop in the network. Transparent mode is a Layer 2 device and is not a routed hop (often called a "bump in the wire"). It connects the same network on its inside and outside interfaces.

The default mode is routed mode. Changing the mode completely clears the running configuration.
firewall transparent - changes the mode to transparent
no firewall transparent - changes the mode to routed

To show which mode the firewall uses, the command "show firewall" will display the firewall mode (routed or transparent).
The command "show mode" will tell you the Security context mode (single or multiple).

In the ASA book, Table 9-1 (page 473) shows the differences between Routed and Transparent firewalls. Most of these make sense if you remember that routed = layer 3 and transparent = layer 2. Some of the less obvious things include:
Transparent firewalls don't participate in routing, but you can still pass routing information through them.
You can also define static routes for traffic originated by the ASA.
Routed mode does not allow passing non-IP traffic. Transparent mode allows IP and non-IP traffic.
Both support static and dynamic NAT/PAT. Only routed supports interface PAT.
Transparent does not support QoS.
Transparent does not participate in multicast, but allows passing multicast traffic through the use of ACLs.
Transparent does not support Dynamic DNS.
Transparent does not support DHCP relay and does not support uRPF.
Transparent supports site-to-site VPN only for management purposes and does not support SSL VPNs.

The two Security context modes are "single" and "multiple." There are three important settings for each context:
+ Context name
+ Location of context's configlet (startup config)
+ Interface allocation

There is an admin context (created when converting to multiple mode) and you must create the user contexts. The number of configurable user contexts depends on the installed activation key. (You can see this in show version.)

Table 8-2 (page 420) in the ASA book covers the differences between Single Mode and Multiple Mode. (For the most part this is very similar to the Nexus 7K contexts.)

Some of the less obvious differences:

Multiple mode does not allow any dynamic routing protocols.
Needs a license to activate more than two (user) security contexts.
Single mode does not allow Active/Active failover. Multiple mode allows Active/Active failover (for different contexts).
Multiple mode does not support: QoS, multicast, threat detection, IPsec VPNs and SSL VPNs.

If you do not have experience with contexts or transparent firewalls, I highly recommend the INE videos. The CCIE Security Advanced Technologies video course covers routed and transparent firewalls and single and multiple contexts. It also shows you how to configure all the variations of modes.

Note that you can have a routed context and a transparent context on the same box. [Each context is like its own firewall.] They just can't share an interface. One of the ways to get around this is to use subinterfaces. The routed firewall can use interface g0/1.1 and the transparent firewall can use interface g0/1.2 of the same physical interface. You create the subinterfaces and then allocate them to the different contexts.
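Here is an added configuration example of that layout (my own write-up, not taken from the ASA book or the INE videos). It uses two physical interfaces instead of one, because a transparent context needs at least two interfaces in a bridge group; it assumes an ASA release that allows the firewall mode to be set per context in multiple mode, and the context names, VLAN ids and addresses are made-up values.

```cisco
! System execution space: subinterfaces are created here, then handed to contexts
mode multiple
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.1
 vlan 10
interface GigabitEthernet0/0.2
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.1
 vlan 110
interface GigabitEthernet0/1.2
 vlan 120
! Each context gets its own subinterfaces; no interface is shared between them
context ROUTED
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 config-url disk0:/routed.cfg
context TRANSP
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/transp.cfg
! TRANSP context: switching it to transparent clears that context's running config
changeto context TRANSP
firewall transparent
interface GigabitEthernet0/0.2
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1.2
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.0.2.10 255.255.255.0
! ROUTED context: stays in the default routed mode, interfaces get their own IPs
changeto context ROUTED
interface GigabitEthernet0/0.1
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1.1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
! Verify: "show firewall" in each context reports its mode, "show mode" reports multiple
```

Checking "show firewall" inside each context after this is the quickest way to confirm you really do have one routed and one transparent context on the same box.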

And that wraps up my review of firewall modes. There are not many areas for tricky questions here. Mostly any questions would be feature based rather than anything else.
