Cisco Security Appliance Command Line Configuration Guide, Version 7.2
Configuring Interface Parameters
Downloads: This chapterpdf (PDF - 390.0KB) The complete bookPDF (PDF - 13.04MB) | Feedback

Configuring Interface Parameters

Table Of Contents

Configuring Interface Parameters

Security Level Overview

Configuring the Interface

Allowing Communication Between Interfaces on the Same Security Level


Configuring Interface Parameters


This chapter describes how to configure each interface and subinterface for a name, security level, and IP address. For single context mode, the procedures in this chapter continue the interface configuration started in Chapter 5, "Configuring Ethernet Settings and Subinterfaces." For multiple context mode, the procedures in Chapter 5, "Configuring Ethernet Settings and Subinterfaces," are performed in the system execution space, while the procedures in this chapter are performed within each security context.


Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, "Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance."


This chapter includes the following sections:

Security Level Overview

Configuring the Interface

Allowing Communication Between Interfaces on the Same Security Level

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100. While the outside network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You can assign interfaces to the same security level. See the "Allowing Communication Between Interfaces on the Same Security Level" section for more information.

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

If you enable communication for same security interfaces (see the "Allowing Communication Between Interfaces on the Same Security Level" section), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Configuring the Interface

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Before you can complete your configuration and allow traffic through the security appliance, you need to configure an interface name, and for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100.


Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, "Configuring Failover." to configure the failover and state links.


For multiple context mode, follow these guidelines:

Configure the context interfaces from within each context.

You can only configure context interfaces that you already assigned to the context in the system configuration.

The system configuration only lets you configure Ethernet settings and VLANs. The exception is for failover interfaces; do not configure failover interfaces with this procedure. See the Failover chapter for more information.


Note If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.


To configure an interface or subinterface, perform the following steps:


Step 1 To specify the interface you want to configure, enter the following command:

hostname(config)# interface {physical_interface[.subinterface] | mapped_name}

The physical_interface ID includes the type, slot, and port number as type[slot/]port.

The physical interface types include the following:

ethernet

gigabitethernet

For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.

For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1. For the ASA 5550 adaptive security appliance, for maximum throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.

The ASA 5510 and higher adaptive security appliance also includes the following type:

management

The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management0/0. You can, however, use it for through traffic if desired (see the management-only command). In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode.

Append the subinterface ID to the physical interface ID separated by a period (.).

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.1

Step 2 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Step 3 To set the security level, enter the following command:

hostname(config-if)# security-level number

Where number is an integer between 0 (lowest) and 100 (highest).

Step 4 (Optional) To set an interface to management-only mode, enter the following command:

hostname(config-if)# management-only

The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.


Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the The ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.


Step 5 To set the IP address, enter one of the following commands.

In routed firewall mode, you set the IP address for all interfaces. In transparent firewall mode, you do not set the IP address for each interface, but rather for the whole security appliance or context. The exception is for the Management 0/0 management-only interface, which does not pass through traffic. To set the management IP address for transparent firewall mode, see the "Setting the Management IP Address for a Transparent Firewall" section on page 8-5. To set the IP address of the Management 0/0 interface or subinterface, use one of the following commands.

To set an IPv6 address, see the "Configuring IPv6 on an Interface" section on page 12-3.

For failover, you must set the IP address an standby address manually; DHCP and PPPoE are not supported.

To set the IP address manually, enter the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

The standby keyword and address is used for failover. See Chapter 14, "Configuring Failover," for more information.

To obtain an IP address from a DHCP server, enter the following command:

hostname(config-if)# ip address dhcp [setroute]

Reenter this command to reset the DHCP lease and request a new lease.

If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.

To obtain an IP address from a PPPoE server, see Chapter 35, "Configuring the PPPoE Client."

Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:

hostname(config-if)# mac-address mac_address [standby mac_address]

The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

For use with failover, set the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the "How the Security Appliance Classifies Packets" section on page 3-3 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the "Automatically Assigning MAC Addresses to Context Interfaces" section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.

For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

Step 7 To enable the interface, if it is not already enabled, enter the following command:

hostname(config-if)# no shutdown

To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it, even though the context configurations show the interface as enabled.


The following example configures parameters for the physical interface in single mode:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

The following example configures parameters for a subinterface in single mode:

hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown

The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1

The following example configures parameters in multiple context mode for the context configuration:

hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces.

If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).

You want traffic to flow freely between all same security interfaces without access lists.


Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the "NAT and Same Security Level Interfaces" section on page 17-13 for more information on NAT and same security level interfaces.


If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

To disable this setting, use the no form of this command.