Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Configuring Interface Parameters
Downloads: This chapterpdf (PDF - 197.0KB) The complete bookPDF (PDF - 15.34MB) | Feedback

Configuring Interface Parameters

Table Of Contents

Configuring Interface Parameters

Security Level Overview

Configuring the Interface

Allowing Communication Between Interfaces on the Same Security Level


Configuring Interface Parameters


This chapter describes how to configure each interface and subinterface for a name, security, level, and IP address. For single context mode, the procedures in this chapter continue the interface configuration started in Chapter 4, "Configuring Ethernet Settings and Subinterfaces." For multiple context mode, the procedures in Chapter 4, "Configuring Ethernet Settings and Subinterfaces," are performed in the system execution space, while the procedures in this chapter are performed within each security context.

This chapter includes the following sections:

Security Level Overview

Configuring the Interface

Allowing Communication Between Interfaces on the Same Security Level

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100. While the outside network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You can assign interfaces to the same security level. See the "Allowing Communication Between Interfaces on the Same Security Level" section for more information.

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

If you enable communication for same security interfaces (see the "Allowing Communication Between Interfaces on the Same Security Level" section), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Configuring the Interface

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Before you can complete your configuration and allow traffic through the security appliance, you need to configure an interface name, and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100.


Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 11, "Configuring Failover." to configure the failover and state links.


For multiple context mode, follow these guidelines:

Configure the context interfaces from within each context.

You can only configure context interfaces that you already assigned to the context in the system configuration.

The system configuration only lets you configure Ethernet settings and VLANs. The exception is for failover interfaces; do not configure failover interfaces with this procedure. See the Failover chapter for more information.


Note If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.


To configure an interface or subinterface, perform the following steps:


Step 1 To specify the interface you want to configure, enter the following command:

hostname(config)# interface {physical_interface[.subinterface] | mapped_name}

The physical_interface ID includes the type, slot, and port number as type[slot/]port.

The physical interface types include the following:

ethernet

gigabitethernet

For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.

For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1.

The ASA 5500 series adaptive security appliance also includes the following type:

management

The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management0/0. You can, however, use it for through traffic if desired (see the management-only command). In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode.


Note In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the security appliance updates the MAC address table to use the management interface to access the switch, instead of the data interface. This action causes a temporary traffic interruption; the security appliance will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds for security reasons.


Append the subinterface ID to the physical interface ID separated by a period (.).

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.1

Step 2 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Step 3 To set the security level, enter the following command:

hostname(config-if)# security-level number

Where number is an integer between 0 (lowest) and 100 (highest).

Step 4 To set the IP address or routed mode only, enter one of the following commands.


Note To set an IPv6 address, see the "Configuring IPv6 on an Interface" section on page 9-2.


To set the IP address manually, enter the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

The standby keyword and address is used for failover. See Chapter 11, "Configuring Failover," for more information.

To obtain an IP address from a DHCP server, enter the following command:

hostname(config-if)# ip address dhcp [setroute]

Reenter this command to reset the DHCP lease and request a new lease.

You cannot set this command at the same time as the ip address command.

If you enable the setroute option, do not configure a default route using the static command.

If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.

Step 5 To set an interface to management-only mode, enter the following command:

hostname(config-if)# management-only

The ASA 5000 series adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.


Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5000 series adaptive security appliance, you can use the dedicated management interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.


Step 6 To enable the interface, if it is not already enabled, enter the following command:

hostname(config-if)# no shutdown

To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it, even though the context configurations show the interface as enabled.


The following example configures parameters for the physical interface in single mode:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

The following example configures parameters for a subinterface in single mode:

hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown

The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1

The following example configures parameters in multiple context mode for the context configuration:

hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# no shutdown

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces.

If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).

You want traffic to flow freely between all same security interfaces without access lists.


Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the "NAT and Same Security Level Interfaces" section on page 14-32 for more information on NAT and same security level interfaces.


If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

To disable this setting, use the no form of this command.