Table Of Contents
PIX/ASA/FWSM Platform User Interface Reference
NAT Policies
Address Pools Page
Address Pool Dialog Box
Translation Options Page
Translation Rules Page
Translation Exemptions (NAT 0 ACL) Tab
Dynamic Rules Tab
Policy Dynamic Rules Tab
Static Rules Tab
General Tab
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Add/Edit Dynamic Translation Rule Dialog Box
Add/Edit Policy Dynamic Rules Dialog Box
Add/Edit Static Rule Dialog Box
Advanced NAT Options Dialog Box
Select Address Pool Dialog Box
Interfaces Page
Add/Edit Interface Dialog Box
Advanced Interface Settings Dialog Box
Add VPND Group Dialog Box
PPPoE Users Dialog Box
FWSM Interfaces Page
FWSM Add/Edit Interface Dialog Box
Add/Edit Bridge Group Dialog Box
ASA 5505 Ports and Interfaces Page
Configure Hardware Ports Dialog Box
Bridging
ARP Table Page
Add/Edit ARP Table Entry Dialog Box
ARP Inspection Page
Add/Edit ARP Inspection Dialog Box
MAC Address Table Page
Add/Edit MAC Table Entry Dialog Box
MAC Learning Page
Add/Edit MAC Learning Dialog Box
Management IP Page
AAA Page
Authentication Tab
Authorization Tab
Accounting Tab
Banner Page
Boot Image/Configuration Page
Images Dialog Box
Clock Page
Credentials Page
CPU Threshold Page
Device Access
Console Page
HTTP Page
HTTP Configuration Dialog Box
ICMP Page
ICMP Configuration Dialog Box
Management Access Page
Secure Shell Page
SSH Configuration Dialog Box
SNMP Page
SNMP Trap Configuration Dialog Box
Add SNMP Host Access Entry Dialog Box
Telnet Page
Telnet Configuration Dialog Box
Failover Policies
Failover Page (PIX 6.x)
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Failover Page (FWSM)
Advanced Settings Dialog Box
Edit Failover Interface Configuration Dialog Box (FWSM)
Failover Page (ASA/PIX 7.x)
Settings Dialog Box
Add Failover Group Dialog Box
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
Add Interface MAC Address Dialog Box
Bootstrap Configuration for LAN Failover Dialog Box
Hostname Page
Resources Page
Add/Edit Resource Dialog Box
Server Access
AUS Page
DHCP Relay Page
Configure DHCP Relay Agent Parameters Dialog Box
Configure DHCP Server Parameters Dialog Box
DHCP Server Page
Edit DHCP Server Dialog Box
DHCP Server - Advanced Dialog Box
DNS Page
Add DNS Server Group Dialog Box
Add DNS Server Dialog Box
Edit Interfaces Dialog Box
DDNS Page
NTP Page
NTP Server Configuration Dialog Box
SMTP Server Page
TFTP Server Page
User Accounts Page
Add/Edit User Account Dialog Box
Logging Policies
E-Mail Setup Page
Add/Edit Email Recipient Dialog Box
Event Lists Page
Add/Edit Event List Dialog Box
Add/Edit Syslog Class Dialog Box
Add/Edit Syslog Message ID Filter Dialog Box
Logging Filters Page
Edit Logging Filters Dialog Box
Logging Setup Page
Rate Limit Page
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Add/Edit Rate Limited Syslog Message Dialog Box
Server Setup Page
Add/Edit Syslog Message Dialog Box
Syslog Servers Page
Add/Edit Syslog Server Dialog Box
Multicast Policies
Enable Multicast Routing Page
IGMP Page
Protocol Tab
Configure IGMP Parameters Dialog Box
Access Group Tab
Configure IGMP Access Group Parameters Dialog Box
Static Group Tab
Configure IGMP Static Group Parameters Dialog Box
Join Group Tab
Configure IGMP Join Group Parameters Dialog Box
Multicast Routing Page
Add/Edit MRoute Configuration Dialog Box
PIM Page
Protocol Tab
Add/Edit PIM Protocol Dialog Box
Rendezvous Points Tab
Add/Edit Rendezvous Point Dialog Box
Add/Edit Multicast Groups Dialog Box
Route Tree Tab
Multicast Group Dialog Box
Request Filter Tab
Multicast Group Dialog Box
Routing Policies
No Proxy ARP Page
Edit Interfaces Dialog Box
OSPF Page
General Tab
OSPF Advanced Dialog Box
Area Tab
Add/Edit Area/Area Networks Dialog Box
Range Tab
Add/Edit Area Range Network Dialog Box
Neighbors Tab
Add/Edit Static Neighbor Dialog Box
Redistribution Tab
Redistribution Dialog Box
Virtual Link Tab
Add/Edit OSPF Virtual Link Configuration Dialog Box
Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box
Filtering Tab
Add/Edit Filtering Dialog Box
Summary Address Tab
Add/Edit Summary Address Dialog Box
Interface Tab
Add/Edit Interface Dialog Box
RIP Page
Add/Edit RIP Configuration Dialog Box
Static Route Page
Add/Edit Static Route Dialog Box
Security Policies
General Page
Add/Edit General Security Configuration Dialog Box
Timeouts Page
Service Policy Rules
Priority Queues Page
Priority Queue Configuration Dialog Box
IPS, QoS, and Connection Rules Page
Insert/Edit Service Policy (MPC) Rule Wizard
Interfaces Selector Dialog Boxes
User Preferences
Deployment Page
Security Contexts Page
Add/Edit Security Context Dialog Box (FWSM)
Add/Edit Security Context Dialog Box (PIX/ASA)
Allocate Interfaces Dialog Box
View Interface Allocation Dialog Box
PIX/ASA/FWSM Platform User Interface Reference
The following topics describe the pages available for configuring policies for PIX Firewalls, Firewall Services Modules, and Adaptive Security Appliances. These pages are primarily organized under the Platform folder for firewall devices in Device view and under the PIX/ASA/FWSM Platform folder for shared policies in Policy view. The pages available in Cisco Security Manager for configuring and managing platform-specific policies on PIX/ASA/FWSM devices are discussed in the following topics:
NAT Policies
•
Address Pools Page
•Translation Options Page
•Translation Rules Page
–Translation Exemptions (NAT 0 ACL) Tab
–Dynamic Rules Tab
–Policy Dynamic Rules Tab
–Static Rules Tab
–General Tab
Interfaces
•Interfaces Page
•FWSM Interfaces Page
•ASA 5505 Ports and Interfaces Page
Bridging
•ARP Table Page
•ARP Inspection Page
•MAC Address Table Page
•MAC Learning Page
•Management IP Page
Device Admin Policies
•AAA Page
–Authentication Tab
–Authorization Tab
–Accounting Tab
•Banner Page
•Boot Image/Configuration Page
•Clock Page
•Credentials Page
•CPU Threshold Page
•Device Access
–Console Page
–HTTP Page
–ICMP Page
–Management Access Page
–Secure Shell Page
–SNMP Page
–Telnet Page
•Failover Policies
•Hostname Page
•Resources Page
•Server Access
–AUS Page
–DHCP Relay Page
–DHCP Server Page
–DNS Page
–DDNS Page
–NTP Page
–SMTP Server Page
–TFTP Server Page
•User Accounts Page
Logging Policies
•E-Mail Setup Page
•Event Lists Page
•Logging Filters Page
•Logging Setup Page
•Rate Limit Page
•Server Setup Page
•Syslog Servers Page
Multicast Policies
•Enable Multicast Routing Page
•IGMP Page
–Protocol Tab
–Access Group Tab
–Static Group Tab
–Join Group Tab
•Multicast Routing Page
•PIM Page
–Protocol Tab
–Rendezvous Points Tab
–Route Tree Tab
–Request Filter Tab
Routing Policies
•No Proxy ARP Page
•OSPF Page
–General Tab
–Area Tab
–Range Tab
–Neighbors Tab
–Redistribution Tab
–Virtual Link Tab
–Filtering Tab
–Summary Address Tab
–Interface Tab
•RIP Page
•Static Route Page
Security Policies
•General Page
•Timeouts Page
Service Policy Rules
•Priority Queues Page
•IPS, QoS, and Connection Rules Page
User Preferences
•Deployment Page
Security Contexts Page
NAT Policies
The NAT section consists of the following pages:
•Address Pools Page
•Translation Options Page
•Translation Rules Page
–Translation Exemptions (NAT 0 ACL) Tab
–Dynamic Rules Tab
–Policy Dynamic Rules Tab
–Static Rules Tab
–General Tab
Address Pools Page
Use the Address Pools page to view, define, or delete global address pools used in dynamic NAT rules.
Navigation Path
•(Device view) Select NAT > Address Pools from the Device Policy selector.
•(Policy view) Select NAT (PIX) > Address Pools from the Policy Type selector. Right-click Address Pools to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•NAT Policies
Field Reference
Table L-1 Address Pools Page
Element
|
Description
|
Global Address Pools table
|
Interface
|
Displays the name of the firewall device interface to which the address pool applies.
|
ID
|
Displays the identification number of the address pool.
|
IP Address(es)
|
Displays the type and value of the addresses for the pool.
|
Description
|
Displays the description of the address pool.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Address Pool Dialog Box
Use the Address Pools dialog box to define new or edit existing global address pools used in dynamic NAT rules.
Navigation Path
You can access the Address Pools dialog box from the Address Pools page. For more information about the Address Pools page, see Address Pools Page.
Related Topics
•NAT Policies
•Address Pools Page
Field Reference
Table L-2 Address Pools Dialog Box
Element
|
Description
|
Interface Name
|
Enter the name of the firewall device interface to which the address pool applies.
|
Pool ID
|
Enter the identification number of the address pool. When configuring dynamic NAT, you select the pool ID that represents the addresses you want to use for translation.
|
IP address ranges
|
Enter the addresses to be used for this address pool. You can specify the addresses to use for this pool in the following ways:
•Address range (for example, 192.168.1.1-192.168.1.15)
•Subnetwork (for example, 192.168.1.0/24)
•List of addresses separated by a comma (for example, 192.168.1.1, 192.168.1.2, 192.168.1.3)
•Single address to use for PAT (192.168.1.1)
•Combination of the above (192.168.1.1-192.168.1.15, 192.168.1.25)
|
Description
|
Enter a description for the address pool.
|
Enable Interface PAT
|
When selected, enables port address translation on the specified interface.
|
Translation Options Page
Use the Translation Options page to configure settings that affect network address translation for a security appliance. These settings apply to all interfaces on the device.
Navigation Path
•(Device view) Select NAT > Translation Options from the Device Policy selector.
•(Policy view) Select NAT (PIX) > Translation Options from the Policy Type selector. Right-click Translation Options to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•NAT Policies
Field Reference
Table L-3 Translation Options Page
Element
|
Description
|
Enable traffic through the firewall without address translation
|
When selected, allows traffic to pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped.
Note This option is only available on PIX 7.x, FWSM 3.x, and ASA devices.
|
Do not translate VPN traffic
|
When selected, allows VPN traffic to pass through the security appliance without address translation.
|
Translation Rules Page
Use the Translation Rules page to define your address translation rules. The Translation Rules page consists of the following tabs:
•Translation Exemptions (NAT 0 ACL) Tab
•Dynamic Rules Tab
•Policy Dynamic Rules Tab
•Static Rules Tab
•General Tab
Navigation Path
•(Device view) Select NAT > Translation Rules from the Device Policy selector.
•(Policy view) Select NAT (PIX) > Translation Rules from the Policy Type selector. Right-click Translation Rules to create a policy, or select an existing policy from the Shared Policy selector.
Translation Exemptions (NAT 0 ACL) Tab
Use the Translation Exemptions (NAT 0 ACL) tab to specify traffic that is exempt from address translation.
Note Translation exemptions are only supported by PIX/ASA/FWSM devices in router mode and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•NAT Policies
•Translation Rules Page
•Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•Advanced NAT Options Dialog Box
Field Reference
Table L-4 Translation Exemptions (NAT 0 ACL) Tab
Element
|
Description
|
Filter
|
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
|
Default Translation Exemptions (NAT 0 ACL) Rules Table
|
Enabled
|
Indicates whether a rule is enabled or not.
|
Action
|
Displays whether a rule is exempt or not exempt from NAT.
|
Original Interface
|
Displays the interface on which the rule is applied.
|
Original Address
|
Displays the source addresses of the hosts or networks to which the rule applies.
|
Destination
|
Displays the destination addresses of the hosts or networks to which the rule applies.
|
Direction
|
Displays the direction in which the rule is applied.
|
DNS Rewrite
(FWSM only)
|
Displays whether the DNS Rewrite option is enabled or not. The DNS Rewrite option lets the security appliance rewrite the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Maximum TCP Connection
(FWSM only)
|
Displays the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid options are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Embryonic Limit
(FWSM only)
|
Displays the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Maximum UDP Connection
(FWSM only)
|
Displays the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Randomize Sequence Number
(FWSM only)
|
Displays whether the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Category
|
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
If a description of the rule is available, it is displayed in this column.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Dynamic Rules Tab
Use the Dynamic Rules tab to configure dynamic NAT and PAT.
Note Dynamic translation rules are only supported by PIX/ASA/FWSM devices in router mode and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•NAT Policies
•Add/Edit Dynamic Translation Rule Dialog Box
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Table L-5 Dynamic Rules Tab
Element
|
Description
|
Filter
|
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
|
Dynamic Rules Table
|
Enabled
|
Indicates whether a rule is enabled or not.
|
Original Interface
|
Displays the interface on which the rule is applied.
|
Original Address
|
Displays the source addresses of the hosts or networks to which the rule applies.
|
Translated Pool
|
Displays the ID number of the address pool used for translation.
|
Direction
|
Displays the direction in which the rule is applied.
|
DNS Rewrite
|
Displays whether the DNS Rewrite option is enabled or not. The DNS Rewrite option lets the security appliance rewrite the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Maximum TCP Connection
|
Displays the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Embryonic Limit
|
Displays the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Maximum UDP Connection
|
Displays the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Randomize Sequence Number
|
Displays whether the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Category
|
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
If a description of the rule is available, it is displayed in this column.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Policy Dynamic Rules Tab
Use the Policy Dynamic Rules tab to configure dynamic translation rules based on source and destination addresses/ports.
Note Policy dynamic rules are only supported by PIX/ASA/FWSM devices in router mode and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Policy Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•NAT Policies
•Add/Edit Policy Dynamic Rules Dialog Box
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Table L-6 Policy Dynamic Rules Tab
Element
|
Description
|
Filter
|
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
|
Policy Dynamic Rules Table
|
Enabled
|
Indicates whether a rule is enabled or not.
|
Original Interface
|
Displays the interface on which the rule is applied.
|
Original Address
|
Displays the source address of the host or network to which the rule applies.
|
Translated Pool
|
Displays the ID number of the address pool used for translation.
|
Destination
|
Displays the destination addresses of the hosts or networks to which the rule applies.
|
Service
|
Displays the services to which the rule applies.
|
Direction
|
Displays the direction in which the rule is applied.
|
DNS Rewrite
|
Displays whether the DNS Rewrite option is enabled or not. The DNS Rewrite option lets the security appliance rewrite the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Maximum TCP Connection
|
Displays the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Embryonic Limit
|
Displays the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Maximum UDP Connection
|
Displays the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Randomize Sequence Number
|
Displays whether the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Category
|
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
If a description of the rule is available, it is displayed in this column.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Static Rules Tab
Use the Static Rules tab to configure static translation rules for a firewall device or shared policy.
Navigation Path
You can access the Static Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•NAT Policies
•Add/Edit Static Rule Dialog Box
•Advanced NAT Options Dialog Box
Field Reference
Table L-7 Static Rules Tab
Element
|
Description
|
Filter
|
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
|
Original Interface
|
Displays the interface on which the original addresses reside.
|
Original Address
|
Displays the source network on which the traffic to be translated resides.
|
Local Port
|
For static PAT, displays the port number supplied by the host/network.
|
Translated Interface
|
Displays the interface on which the translated addresses reside.
|
Translated Address
|
Displays the translated addresses.
|
Global Port
|
For static PAT, displays the port number to which the original port number will be translated.
|
Destination
|
Displays the destination addresses of the hosts or networks to which the rule applies.
|
Service
|
Displays the service to which the rule applies.
|
Protocol
|
Displays the protocol to which the rule applies.
|
DNS Rewrite
|
Displays whether the DNS Rewrite option is enabled or not. The DNS Rewrite option lets the security appliance rewrite the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Maximum TCP Connection
|
Displays the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Embryonic Limit
|
Displays the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Maximum UDP Connection
|
Displays the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Timeout
|
For PIX 6.x devices, this column shows the timeout value for a static translation rule. This timeout value overrides the translation timeout specified in Platform > Security > Timeouts. A timeout value of 00:00:00 means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts.
|
Randomize Sequence Number
|
Displays whether the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Nailed
|
Indicates whether the rule allows stateless TCP sessions for asymmetrically routed traffic.
|
Category
|
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
If a description of the rule is available, it is displayed in this column.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
General Tab
Use the General tab to view all translation rules. The translation rules are listed in the order that they will be evaluated on the device.
Note The General tab is only visible for PIX/ASA/FWSM devices in router mode and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules and, therefore, do not need to display the summary information.
Navigation Path
You can access the General tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
•NAT Policies
Field Reference
Table L-8 General Tab
Element
|
Description
|
Filter
|
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
|
Translation Rules Summary Table
|
Type
|
Displays the translation rule type.
|
Enabled
|
Indicates whether a rule is enabled or not.
|
Action
|
Displays whether a rule is exempt or not exempt from NAT.
|
Original Interface
|
Displays the interface on which the rule is applied.
|
Original Address
|
Displays the source addresses of the hosts or networks to which the rule applies.
|
Local Port
|
For static PAT, displays the port number supplied by the host/network.
|
Translated Pool
|
Displays the ID number of the address pool used for translation.
|
Translated Interface
|
Displays the interface on which the translated addresses reside.
|
Translated Address
|
Displays the translated addresses.
|
Global Port
|
For static PAT, displays the port number to which the original port number will be translated.
|
Destination
|
Displays the destination addresses of the hosts or networks to which the rule applies.
|
Protocol
|
Displays the protocol to which the rule applies.
|
Service
|
Displays the service to which the rule applies.
|
Direction
|
Displays the direction in which the rule is applied.
|
DNS Rewrite
|
Displays whether the DNS Rewrite option is enabled or not. The DNS Rewrite option lets the security appliance rewrite the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Maximum TCP Connection
|
Displays the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Embryonic Limit
|
Displays the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Maximum UDP Connection
|
Displays the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65535. If this value is set to zero, the number of connections is unlimited.
|
Timeout
|
For PIX 6.x devices, this column shows the timeout value for a static translation rule. This timeout value overrides the translation timeout specified in Platform > Security > Timeouts. A timeout value of 00:00:00 means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts.
|
Randomize Sequence Number
|
Displays whether the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Category
|
Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
If a description of the rule is available, it is displayed in this column.
|
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to add or edit translation exemption rules.
Navigation Path
You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab. For more information about the Translation Exemptions (NAT 0 ACL) tab, see Translation Exemptions (NAT 0 ACL) Tab.
Related Topics
•NAT Policies
•Translation Rules Page
•Translation Exemptions (NAT 0 ACL) Tab
•Advanced NAT Options Dialog Box
Field Reference
Table L-9 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Element
|
Description
|
Enable Rule
|
Specify whether the rule is enabled or not.
|
Action
|
Select the action for this rule:
•exempt—The rule identifies traffic that is exempt from NAT.
•do not exempt—The rules identifies traffic that is not exempt from NAT.
|
Original Interface
|
Specify the interface on which the rule is applied.
|
Original Address
|
Specify the source addresses of the hosts or networks to which the rule applies.
|
Translated Direction
|
Select the direction in which the rule is applied.
|
Traffic flow Destinations
|
Specify the destination addresses of the hosts or networks to which the rule applies.
|
Category
|
To assign the rule to a category, select the category from the list. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
Enter a description of the rule.
|
Advanced button
(FWSM only)
|
Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.
|
Add/Edit Dynamic Translation Rule Dialog Box
Use the Add/Edit Dynamic Translation Rule dialog box to add or edit dynamic NAT and PAT rules.
Navigation Path
You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. For more information about the Dynamic Rules tab, see Dynamic Rules Tab.
Related Topics
•NAT Policies
•Translation Rules Page
•Dynamic Rules Tab
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Table L-10 Add/Edit Dynamic Translation Rule Dialog Box
Element
|
Description
|
Enable Rule
|
Specify whether the rule is enabled or not.
|
Original Interface
|
Displays the interface on which the rule is applied.
|
Original Address
|
Displays the source addresses of the hosts or networks to which the rule applies.
|
Translated Pool
|
Displays the ID number of the address pool used for translation.
|
Translated Direction
|
Select the direction in which the rule is applied.
|
Category
|
To assign the rule to a category, select the category from the list. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
Enter a description of the rule.
|
Advanced button
|
Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.
|
Add/Edit Policy Dynamic Rules Dialog Box
Use the Add/Edit Policy Dynamic Rules dialog box to add or edit dynamic translation rules based on source and destination addresses/ports.
Navigation Path
You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. For more information about the Policy Dynamic Rules tab, see Policy Dynamic Rules Tab.
Related Topics
•NAT Policies
•Translation Rules Page
•Policy Dynamic Rules Tab
•Advanced NAT Options Dialog Box
•Select Address Pool Dialog Box
Field Reference
Table L-11 Add/Edit Policy Dynamic Rules Dialog Box
Element
|
Description
|
Enable Rule
|
Specify whether the rule is enabled or not.
|
Original Interface
|
Specify the interface on which the rule is applied.
|
Original Address
|
Specify the source address of the host or network to which the rule applies.
|
Translated Pool
|
Enter the ID number of the address pool used for translation.
|
Translated Direction
|
Select the direction in which the rule is applied.
|
Traffic flow Destinations
|
Specify the destination addresses of the hosts or networks to which the rule applies.
|
Traffic flow Services
|
Specify the services to which the rule applies.
|
Category
|
To assign the rule to a category, select the category from the list. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
Enter a description of the rule.
|
Advanced button
|
Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.
|
Add/Edit Static Rule Dialog Box
Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.
Navigation Path
You can access the Add/Edit Static Rule dialog box from the Static Rules tab. For more information about the Static Rules tab, see Static Rules Tab.
Related Topics
•NAT Policies
•Translation Rules Page
•Static Rules Tab
•Advanced NAT Options Dialog Box
Field Reference
Table L-12 Add/Edit Static Rule Dialog Box
Element
|
Description
|
Enable Rule
|
Specify whether the rule is enabled or not.
|
Translation Type
|
Select the type of translation, NAT or PAT, for this rule.
|
Original Interface
|
Specify the interface on which the original addresses reside.
|
Original Address
|
Specify the source network on which the traffic to be translated resides.
|
Translated Interface
|
Specify the interface on which the translated addresses reside.
|
Translated Address
|
Specify the translated addresses.
|
Enable Policy NAT
|
Select this option to enable policy NAT for this translation rule.
|
Dest Address
|
For policy NAT, specify the destination addresses of the hosts or networks to which the rule applies.
|
Service
|
For policy NAT, specify the services to which the rule applies.
|
Protocol
|
For PAT, select the protocol, TCP or UDP, to which the rule applies.
|
Original Port
|
For PAT, enter the port number to be translated.
|
Translated Port
|
For PAT, enter the port number to which the original port number will be translated.
|
Category
|
To assign the rule to a category, select the category from the list. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager > Category.
Note No commands are generated for the category attribute.
|
Description
|
Enter a description of the rule.
|
Advanced button
|
Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.
|
Advanced NAT Options Dialog Box
Use the Advanced NAT Options dialog box to configure the DNS Rewrite, Maximum Connections, Embryonic Limit, and Randomize Sequence Number settings for NAT and Policy NAT. You can also configure these options for NAT 0 ACL rules on a FWSM.
Navigation Path
You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or editing a translation rule. See the following topics for more information:
•Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•Add/Edit Dynamic Translation Rule Dialog Box
•Add/Edit Policy Dynamic Rules Dialog Box
•Add/Edit Static Rule Dialog Box
Related Topics
•NAT Policies
•Translation Rules Page
•Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•Add/Edit Dynamic Translation Rule Dialog Box
•Add/Edit Policy Dynamic Rules Dialog Box
•Add/Edit Static Rule Dialog Box
Field Reference
Table L-13 Advanced NAT Options Dialog Box
Element
|
Description
|
Translate the DNS replies that match the translation rule
|
When selected, the security appliance rewrites the DNS record so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
|
Max TCP Connections per Rule
|
Enter the maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Max UDP Connections per Rule
|
Enter the maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Max Embryonic Connections
|
Enter the number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
|
Timeout
|
For PIX 6.x devices, enter the timeout value to use for this static translation rule using the format hh:mm:ss. This timeout value overrides the translation timeout specified in Platform > Security > Timeouts. Leave the default value of 00:00:00 if you want translations matching this rule to use the default translation timeout specified in Platform > Security > Timeouts.
|
Randomize Sequence Number
|
When selected, the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Disabling this option opens a security hole in the security appliance. This feature is enabled by default.
|
Select Address Pool Dialog Box
Use the Select Address Pool dialog box to select the address pool to use for a dynamic or policy dynamic translation rule from a list of defined global address pools.
Navigation Path
You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog Box when adding or editing a dynamic translation rule or from the Add/Edit Policy Dynamic Rules Dialog Box when adding or editing a policy dynamic translation rule.
Related Topics
•NAT Policies
•Translation Rules Page
•Add/Edit Dynamic Translation Rule Dialog Box
•Add/Edit Policy Dynamic Rules Dialog Box
Field Reference
Table L-14 Select Address Pool Dialog Box
Element
|
Description
|
Pool ID
|
Displays the identification number of the address pool.
|
Interface
|
Displays the name of the firewall device interface to which the address pool applies.
|
IP Address Ranges
|
Displays the type and value of the addresses for the pool.
|
Description
|
Displays the description of the address pool.
|
Selected Row
|
Identifies the selected pool.
|
Interfaces Page
The Interfaces page displays configured interfaces and sub-interfaces. You can add or delete interfaces and sub-interfaces, and also enable communication between interfaces on the same security level. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.
Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a sub-interface) as a third interface for management traffic.
If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device type and version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. As such, the fields in the following table might not apply depending on the device you are defining.
Navigation Path
To access this feature, select a firewall device in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Add/Edit Interface Dialog Box
Field Reference
Table L-15 Interfaces Page
Element
|
Description
|
Interfaces Table
|
Interface Type
|
Displays the interface type. This value is derived from the hardware ID setting of the selected interface. Valid options are:
•ethernet
•gigabitethernet
•gb-ethernet
|
Interface Name/Name
|
Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, sub-interfaces are indicated by the interface ID followed by .n, where n is the sub-interface number.
|
IP Address
|
Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
|
IP Address Type
|
Specifies the method by which the IP address is provided. Valid options are:
•static—Identifies that the IP address is manually defined.
•dhcp—Identifies that the IP address is obtained via a DHCP lease.
•pppoe—Identifies that the IP address is obtained using PPPoE.
|
Interface Role
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Valid options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
Hardware ID
|
Identifies the type of interface installed in the device, as well as the port or slot where the interfaces is installed.
For sub-interfaces, this value identifies the physical interface with which the sub-interfaces is associated.
|
Vlan ID
|
For a sub-interface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
If this value is not specified, the column displays native.
|
Enabled
|
Indicates if the interface is enabled, true or false.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled sub-interface. For multiple context mode, if you allocate a physical interface or sub-interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Security Level
|
Displays the interface security level between 0 and 100.
|
Management Only
|
Indicates if the interface allows traffic to the security appliance or for management purposes only.
|
MTU
|
Displays the MTU. By default, the MTU is 1500.
|
Description
|
Displays a description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.
|
ASR Group
|
Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add or edit an interface or sub-interface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 15-105 page to assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as a physical, virtual, logical, or sub-interface:
•Add/Edit Interface Dialog Box (PIX 7.0/ASA)
•Add/Edit Interface Dialog Box (PIX 6.3)
Navigation Path
You can access the Add/Edit Interface dialog box from the Interfaces page. For more information about the Interfaces page, see Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Interfaces Page
•ASA 5505 Ports and Interfaces Page
•Advanced Interface Settings Dialog Box
•Add VPND Group Dialog Box
•PPPoE Users Dialog Box
Field Reference (PIX 7.0/ASA)
Table L-16 Add/Edit Interface Dialog Box (PIX 7.0/ASA)
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled sub-interface. For multiple context mode, if you allocate a physical interface or sub-interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Management Only
|
Sets the interface to accept traffic to the security appliance only, and not through traffic.
|
Type
|
Type of interface. Valid values are:
•Interface—Settings represent a physical interface.
•Sub-interface—Settings represent a logical interface attached to the same network as its underlying physical interface.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
•Inside—Connects to your internal network. Must be most secure interface.
•DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.
•Outside—Connects to an external network or the Internet. Must be least secure interface.
|
Hardware Port
|
For a physical interface, this value represents a name by which sub-interfaces can associate to the interface. When you add a sub-interface, you can choose any enabled physical interface to which you want to add a sub-interface. If you do not see an interface ID, be sure that the interface is enabled.
Valid values are:
•Ethernet0 to Ethernetn.
•Gb-ethernetn.
Note n = number of network interfaces in the device.
|
Sub-interface ID
|
Sets the sub-interface ID as an integer between 1 and 4294967293. The number of sub-interfaces allowed depends on your platform. You cannot change the ID after you set it.
|
Media Type
|
Specifies the media type for the interface
•RJ45
•SFP
|
IP Type
|
Specifies the address type for the interface.
•Static IP—Assigns a static IP address and mask to the interface.
•Use DHCP—Assigns a dynamic IP address and mask to the interface.
•PPPoE—Provides an authenticated method of assigning an IP address to the interface.
Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.
|
IP Address
|
Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.
•IP address must be unique for each interface.
•The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
|
Subnet Mask
|
Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
|
DHCP Learned Route Metric
|
Available only if Use DHCP is selected for IP Type.
|
Obtain default route using DHCP
|
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Enable Tracking for DHCP Learned Route
|
Available only if Use DHCP is selected for IP Type.
|
VPDN Group Name
|
Available only if PPPoE is selected for IP Type.
|
PPPoE Learned Route Metric
|
Available only if PPPoE is selected for IP Type.
|
Obtain Default Route using PPPoE
|
Available only if PPPoE is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the PPPoE server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Enable Tracking for PPPoE Learned Route
|
Available only if PPPoE is selected for IP Type.
|
Duplex
|
Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.
|
Speed
|
Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type.
•10
•100
•1000
•non-negotiable
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.
|
VLAN ID
|
For a sub-interface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
|
Security Level
|
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
•Outside interface is always 0.
•Inside interface is always 100.
•DMZ interfaces are between 1-99.
|
Description
|
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
<Back to top>
Field Reference (PIX 6.3)
Table L-17 Add/Edit Interface Dialog Box (PIX 6.3)
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy.
You must enable a physical interface before any traffic can pass through any enabled sub-interfaces.
|
Type
|
Type of VLAN interface. Valid values are:
•Logical—VLAN is associated with a logical interface.
•Physical—VLAN is on the same network as its underlying hardware interface.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
•Inside—Connects to your internal network. Must be most secure interface.
•DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.
•Outside—Connects to an external network or the Internet. Must be least secure interface.
|
Hardware Port
|
When defining a physical network interface, this value represents the name identifies the interface type and its slot or port in the device.
When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled.
Valid values are:
•ethernet0 to ethernetn.
•gb-ethernetn.
Note n = number of the slot in which the network interface is installed in the device.
|
IP Type
|
Specifies the address type for the interface.
•Static IP—Assigns a static IP address and mask to the interface.
•Use DHCP—Assigns a dynamic IP address and mask to the interface.
•Use PPPoE—Provides an authenticated method of assigning an IP address to the interface.
Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.
|
IP Address
|
Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type.
•IP address must be unique for each interface.
•The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.
|
Subnet Mask
|
Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.
|
Obtain Default Route using DHCP
|
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Retry Count
|
Identifies the number of tries before an error is returned. Valid values are 4-16.
|
Obtain default route using PPPoE
|
Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.
|
Speed and Duplex
|
Lists the speed options for a physical interface; not applicable to logical interfaces.
•auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.
•10baset—10-Mbps Ethernet half-duplex.
•10full—10-Mbps Ethernet full-duplex.
•100basetx—100-Mbps Ethernet half-duplex.
•100full—100-Mbps Ethernet full-duplex.
•1000auto—1000-Mbps Ethernet to auto-negotiate full- or half -duplex.
Tip We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.
•1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
•1000full nonnegotiate—1000-Mbps Ethernet full-duplex.
•aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.
•bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.
Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.
|
Physical VLAN ID
|
For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.
|
Logical VLAN ID
|
Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.
|
Security Level
|
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
•Outside interface is always 0.
•Inside interface is always 100.
•DMZ interfaces are between 1-99.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
<Back to top>
Advanced Interface Settings Dialog Box
Navigation Path
You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page or ASA 5505 Ports and Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Interfaces Page
•FWSM Interfaces Page
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Add VPND Group Dialog Box
•PPPoE Users Dialog Box
Field Reference
Table L-18 Advanced Interface Settings Dialog Box
Element
|
Description
|
Traffic between interfaces with same security levels
|
Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
•Disabled—Does not allow communication between interfaces on the same security level.
•Inter-interface—Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.
•Intra-interface—Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.
•Both—Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.
|
PPPoE Users button
|
Click to access the PPPoE Users dialog box.
|
VPDN Groups (PIX and ASA 7.2+)
|
Group Name
|
Displays the group name.
|
PPPoE Username
|
Displays the PPPoE username.
|
PPP Authentication
|
Indicates the PPP Authentication method for this VPDN group:
•PAP
•CHAP
•MSCHAP
|
Add VPND Group Dialog Box
Navigation Path
You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Interfaces Page
•FWSM Interfaces Page
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
•PPPoE Users Dialog Box
Field Reference
Table L-19 Add VPND Group Dialog Box
Element
|
Description
|
Group Name
|
Enter the group name.
|
PPPoE Username
|
Select the PPPoE username.
|
PPP Authentication
|
Select the PPP Authentication method:
•PAP
•CHAP
•MSCHAP
|
PPPoE Users Dialog Box
Navigation Path
You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Interfaces Page
•FWSM Interfaces Page
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
•Add VPND Group Dialog Box
•Add PPPoE User Dialog Box
Field Reference
Table L-20 PPPoE Users Dialog Box
Element
|
Description
|
PPPoE Users (PIX and ASA 7.2+)
|
Username
|
Displays the PPPoE username.
|
Store in Local Flash
|
Indicates whether this PPPoE user account is to be stored in local flash (True or False).
|
Add PPPoE User Dialog Box
Navigation Path
You can access the Add PPPoE User dialog box from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Interfaces Page
•FWSM Interfaces Page
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
•Add VPND Group Dialog Box
•PPPoE Users Dialog Box
Field Reference
Table L-21 Add PPPoE User Dialog Box
Element
|
Description
|
Username
|
Enter the username.
|
Password
|
Enter the password.
|
Confirm
|
Reenter the password.
|
Store Username and Password in Local Flash
|
Select this checkbox to store the PPPoE user information in flash.
|
FWSM Interfaces Page
The FWSM Interfaces page displays configured interfaces and sub-interfaces. You can add or delete interfaces and sub-interfaces, and also enable communication between interfaces on the same security level. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.
Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a sub-interface) as a third interface for management traffic.
If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device type and version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. As such, the fields in the following table might not apply depending on the device you are defining.
Navigation Path
To access this feature, select a firewall device in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•FWSM Add/Edit Interface Dialog Box
•Add/Edit Bridge Group Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
Table L-22 FWSM Interfaces Page
Element
|
Description
|
Interfaces Tab
|
Interface Type
|
Displays the interface type. This value is derived from the hardware ID setting of the selected interface. Valid options are:
•ethernet
•gigabitethernet
•gb-ethernet
|
Interface Name
|
Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, sub-interfaces are indicated by the interface ID followed by .n, where n is the sub-interface number.
|
IP Address
|
Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
|
IP Address Type
|
Specifies the method by which the IP address is provided. Valid options are:
•static—Identifies that the IP address is manually defined.
•dhcp—Identifies that the IP address is obtained via a DHCP lease.
•pppoe—Identifies that the IP address is obtained using PPPoE.
|
Interface Role
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Valid options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
Hardware ID
|
Identifies the type of interface installed in the device, as well as the port or slot where the interfaces is installed.
For sub-interfaces, this value identifies the physical interface with which the sub-interfaces is associated.
|
Vlan ID
|
For a sub-interface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
If this value is not specified, the column displays native.
|
Enabled
|
Indicates if the interface is enabled, true or false.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled sub-interface. For multiple context mode, if you allocate a physical interface or sub-interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Security Level
|
Displays the interface security level between 0 and 100.
|
Management Only
|
Indicates if the interface allows traffic to the security appliance or for management purposes only.
|
MTU
|
Displays the MTU. By default, the MTU is 1500.
|
Description
|
Displays a description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.
|
ASR Group
|
Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Bridge Groups Tab
|
Bridge Group
|
Shows the name of the bridge group.
|
ID
|
Displays the bridge group ID.
|
Interface A
|
Identifies the first interface that is part of this bridge group.
|
Interface B
|
Identifies the second interface that is part of this bridge group.
|
IP
|
Displays the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
|
Netmask
|
Displays the netmask for the management IP address of this bridge group.
|
Description
|
Displays the description of this bridge group if one was specified.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
FWSM Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add or edit an interface or sub-interface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 15-105 page to assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as a physical, virtual, logical, or sub-interface:
Navigation Path
You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•FWSM Interfaces Page
•Add/Edit Bridge Group Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
Table L-23 FWSM Add/Edit Interface Dialog Box
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. You must also set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Management Only
|
Sets the interface to accept traffic to the security appliance only, and not through traffic.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
•Inside—Connects to your internal network. Must be most secure interface.
•DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.
•Outside—Connects to an external network or the Internet. Must be least secure interface.
|
IP Address
|
Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.
•IP address must be unique for each interface.
•The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses being used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
|
Subnet Mask
|
Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 64-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.
|
VLAN ID
|
For a subinterface, sets the VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
|
Security Level
|
Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
•Outside interface is always 0.
•Inside interface is always 100.
•DMZ interfaces are between 1-99.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
ASR Group
|
To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Add/Edit Bridge Group Dialog Box
Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.
A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.
You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
Navigation Path
You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•FWSM Interfaces Page
•FWSM Add/Edit Interface Dialog Box
•Advanced Interface Settings Dialog Box
Field Reference
Table L-24 Add/Edit Bridge Group Dialog Box
Element
|
Description
|
Name
|
Enter a name for this bridge group.
|
ID
|
Enter the bridge group ID as an integer between 1 and 100.
|
Interface A
|
Select the first interface that is part of this bridge group.
|
Interface B
|
Select the second interface that is part of this bridge group.
|
IP Address
|
Enter the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
|
Netmask
|
Network mask for IP address of bridge group. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
|
Description
|
You can enter an optional description for this bridge group.
|
ASA 5505 Ports and Interfaces Page
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
•Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.
•Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Navigation Path
To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•Configure Hardware Ports Dialog Box
•Add/Edit Interface Dialog Box (PIX 7.0/ASA)
•Advanced Interface Settings Dialog Box
•Add VPND Group Dialog Box
•PPPoE Users Dialog Box
Field Reference
Table L-25 ASA 5505 Ports and Interfaces Page
Element
|
Description
|
Hardware Ports Tab
|
Hardware Port
|
Identifies the switch port.
|
Enabled
|
Indicates whether this switch port is enabled or not (Yes or No).
|
Associated VLANs
|
Shows the VLAN or VLANs that are associated with this port.
|
Associated Interface Names
|
Shows the interface name of the VLAN(s) that are associated with this port.
|
Mode
|
Shows the mode for this port:
•Access Port—Port is in access mode.
•Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command.
|
Protected
|
Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
|
Interfaces Tab
|
Name
|
Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, sub-interfaces are indicated by the interface ID followed by .n, where n is the sub-interface number.
|
IP Address Type
|
Specifies the method by which the IP address is provided. Valid options are:
•static—Identifies that the IP address is manually defined.
•dhcp—Identifies that the IP address is obtained via a DHCP lease.
•pppoe—Identifies that the IP address is obtained using PPPoE.
|
IP Address
|
Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
|
Block Traffic To
|
Displays the interface to which traffic is blocked.
|
Backup Interface
|
Displays the interface that acts as backup for this interface.
|
Interface Role
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Valid options include:
•All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
•Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
•External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 8-114.
|
Enabled
|
Indicates if the interface is enabled (Yes or No).
|
Vlan ID
|
Identifies the VLAN ID for this interface.
|
Security Level
|
Displays the interface security level between 0 and 100.
|
Management Only
|
Indicates if the interface allows traffic to the security appliance or for management purposes only.
|
MTU
|
Displays the MTU. By default, the MTU is 1500.
|
Description
|
Displays a description of the interface.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Configure Hardware Ports Dialog Box
Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505 including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.
Caution The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop.
Navigation Path
You can access the Configure Hardware Ports dialog box for an ASA 5505 from the Hardware Ports tab of the ASA 5505 Ports and Interfaces page. For more information about the ASA 5505 Ports and Interfaces page, see ASA 5505 Ports and Interfaces Page.
Related Topics
•Configuring Firewall Device Interfaces, page 15-3
•ASA 5505 Ports and Interfaces Page
•Add/Edit Interface Dialog Box (PIX 7.0/ASA)
•Advanced Interface Settings Dialog Box
•Add VPND Group Dialog Box
•PPPoE Users Dialog Box
Field Reference
Table L-26 Configure Hardware Ports Dialog Box
Element
|
Description
|
Enable Hardware Port
|
Select to enable this switch port.
|
Isolated
|
Select this option to prevent the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
|
Hardware Port
|
Select the switch port that you are configuring.
|
Mode
|
Select the mode for this port:
•Access Port—Sets the mode to access mode.
•Trunk Port—Sets the mode to trunk mode using 802.1Q tagging. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command.
|
VLAN ID
|
Enter the VLAN ID(s) according to the mode you selected:
•Access Port mode—Enter the VLAN ID to which you want to assign this switch port.
•Trunk Port mode—Enter the VLAN IDs to which you want to assign this switch port, separated by commas.
|
Duplex
|
Lists the duplex options for the port, including Full, Half, or Auto. The Auto setting is the default.
If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
|
Speed
|
Select the speed for the port:
•auto (deafult)
•10
•100
If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
|
Bridging
This section discusses the following pages:
•ARP Table Page
•ARP Inspection Page
•MAC Address Table Page
•MAC Learning Page
•Management IP Page
ARP Table Page
Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identifies the interface through which the host is reached.
Navigation Path
•(Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit ARP Table Entry Dialog Box
•Bridging
•ARP Inspection Page
•MAC Address Table Page
•MAC Learning Page
•Management IP Page
Field Reference
Table L-27 ARP Table Page
Element
|
Description
|
Timeout (seconds)
|
The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds.
Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently.
Note The timeout applies to the dynamic ARP table, and not the static entries contained in the ARP table.
|
ARP Table
|
Interface
|
The interface to which the host is attached.
|
IP Address
|
The IP address of the host.
|
MAC Address
|
The MAC address of the host.
|
Alias Enabled
|
Indicates whether the security appliance performs proxy ARP for this mapping. If this setting is enabled and the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this command. This feature is useful if you have devices that do not perform ARP, for example.
Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit ARP Table Entry Dialog Box
Use the Add/Edit ARP Table Entry dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.
Navigation Path
You can access the Add/Edit ARP Table Entry dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page.
Related Topics
•Bridging
•ARP Table Page
Field Reference
Table L-28 Add/Edit ARP Table Entry dialog box
Element
|
Description
|
Interface
|
The name of the interface to which the host network is attached.
|
IP Address
|
The IP address of the host.
|
MAC Address
|
The MAC address of the host; for example, 00e0.1e4e.3d8b.
|
Alias Enabled
|
When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this command. This feature is useful if you have devices that do not perform ARP, for example.
Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.
|
ARP Inspection Page
Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.
Navigation Path
•(Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit ARP Inspection Dialog Box
•Bridging
•ARP Table Page
•MAC Address Table Page
•MAC Learning Page
•Management IP Page
Field Reference
Table L-29 ARP Inspection Page
Element
|
Description
|
ARP Inspection Table
|
Interface
|
The name of the interface to which the ARP inspection setting applies.
|
ARP Inspection Enabled
|
Indicates whether ARP inspection is enabled on the specified interface.
|
Flood Enabled
|
Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.
Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit ARP Inspection Dialog Box
Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.
Navigation Path
You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page.
Related Topics
•Bridging
•ARP Inspection Page
Field Reference
Table L-30 Add/Edit ARP Inspection dialog box
Element
|
Description
|
Interface
|
The name of the interface for which you are enabling or disabling ARP inspection.
|
Enable ARP Inspection on this interface
|
When selected, enables ARP inspection on the specified interface.
|
Flood ARP packets
|
When selected, packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.
Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
|
MAC Address Table Page
Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.
Navigation Path
•(Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit MAC Table Entry Dialog Box
•Bridging
•ARP Table Page
•ARP Inspection Page
•MAC Learning Page
•Management IP Page
Field Reference
Table L-31 MAC Address Table Page
Element
|
Description
|
Aging Time (minutes)
|
Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.
|
MAC Address Table
|
Interface
|
The interface to which the MAC address is associated.
|
MAC Address
|
The MAC address; for example, 00e0.1e4e.3d8b.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit MAC Table Entry Dialog Box
Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.
Navigation Path
You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page.
Related Topics
•Bridging
•MAC Address Table Page
Field Reference
Table L-32 Add/Edit MAC Table Entry dialog box
Element
|
Description
|
Interface
|
The interface to which the MAC address is associated.
|
MAC Address
|
The MAC address; for example, 00e0.1e4e.3d8b.
|
MAC Learning Page
Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.
Navigation Path
•(Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Add/Edit MAC Learning Dialog Box
•Bridging
•ARP Table Page
•ARP Inspection Page
•MAC Address Table Page
•Management IP Page
Field Reference
Table L-33 MAC Learning Page
Element
|
Description
|
MAC Learning Table
|
Interface
|
The interface to which the MAC learning setting applies.
|
MAC Learning Enabled
|
Indicates whether the security appliance learns MAC addresses from traffic entering the interface.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit MAC Learning Dialog Box
Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.
Navigation Path
You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page.
Related Topics
•Bridging
•MAC Learning Page
Field Reference
Table L-34 Add/Edit MAC Learning dialog box
Element
|
Description
|
Interface
|
The interface to which the MAC learning setting applies.
|
MAC Learning Enabled
|
When selected, the security appliance learns MAC addresses from traffic entering the interface.
|
Management IP Page
Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.
Navigation Path
•(Device view) Select Platform > Bridging > Management IP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Bridging
•ARP Table Page
•ARP Inspection Page
•MAC Address Table Page
•MAC Learning Page
Field Reference
Table L-35 Management IP Page
Element
|
Description
|
Management IP Address
|
The management IP address.
|
Subnet Mask
|
The subnet mask that corresponds to the management IP address.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
AAA Page
This page includes tabs for configuring authentication, authorization, and accounting:
•Authentication Tab
•Authorization Tab
•Accounting Tab
Navigation Path
•(Device view) Select Platform > Device Admin > AAA from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.
Authentication Tab
Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.
Navigation Path
You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
•Configuring AAA, page 15-31
•Authorization Tab
•Accounting Tab
Field Reference
Table L-36 Authentication Tab
Element
|
Description
|
Require AAA Authentication to allow use of privileged mode commands
|
Enable
|
Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.
|
Server Group
|
Provides a drop-down menu from which you can choose a server group to force AAA authentication.
|
Use LOCAL when server group fails
|
Uses the LOCAL server group if the selected server group fails.
|
Require AAA Authorization for the following types of connections
|
Connection type
|
Specify the connection types that require authorization:
•HTTP—Require AAA authentication when you start an HTTPS connection to the firewall console.
•Serial—Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.
•SSH—Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.
•Telnet—Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.
|
Server Group
|
Specify the server group to use for authorization.
|
Use LOCAL when server group fails
|
Uses the LOCAL server group if the selected server group fails.
|
Authentication Prompts
|
Login Prompt
|
Enter the prompt a user will see when logging in to the security appliance.
|
User Accepted Message
|
Enter the message a user will see when successfully authenticated by the security appliance.
|
User Rejected Message
|
Enter the message a user will see when authentication by the security appliance fails.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Authorization Tab
The Authorization tab allows you to configure authorization for accessing firewall commands.
Navigation Path
You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
•Configuring AAA, page 15-31
•Authentication Tab
•Accounting Tab
Field Reference
Table L-37 Authorization Tab
Element
|
Description
|
Enable Authorization for Command Access
|
Requires authorization for accessing firewall commands.
|
Server Group
|
Specify the server group to use for authorization.
|
Use LOCAL when server group fails
|
Uses the LOCAL server group if the selected server group fails.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Accounting Tab
Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.
Navigation Path
You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
•Configuring AAA, page 15-31
•Authentication Tab
•Authorization Tab
Field Reference
Table L-38 Accounting Tab
Element
|
Description
|
Require AAA Accounting for privileged commands
|
Enable
|
When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.
|
Server Group
|
Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
|
Require AAA Accounting for the following types of connections
|
Connection type
|
Specify the connection types that will generate accounting records:
•HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.
•Serial—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.
•SSH—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.
•Telnet—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.
|
Server Group
|
Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
|
Require Accounting for command access
|
Enable
|
When selected, enables the generation of accounting records for commands entered by an administrator/user.
|
Server Group
|
Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
|
Privilege Level
|
Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Banner Page
Use the Banner page to configure message of the day, login, and session banners.
Navigation Path
•(Device view) Select Platform > Device Admin > Banner from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Server Access
Field Reference
Table L-39 Banner Page
Element
|
Description
|
Session(exec) Banner
|
Enter text that you want the system to display as a banner before displaying the enable prompt.
Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
|
Login Banner
|
Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet.
Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
|
Message-of-the-Day (motd) Banner
|
Enter text that you want the system to display as a message-of-the-day banner.
Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Boot Image/Configuration Page
Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.
Navigation Path
•(Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Boot Image and Configuration Settings, page 15-39
•Images Dialog Box
Field Reference
Table L-40 Boot Image/Configuration Page
Element
|
Description
|
Boot Config Location
|
The configuration file to use when the system is loaded. Use the following syntax:
•disk0:/[path/]filename
Indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.
•disk1:/[path/]filename
Indicates the external Flash card.
•flash:/[path/]filename
|
ASDM Image Location
|
The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:
•disk0:/[path/]filename
Indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.
•disk1:/[path/]filename
Indicates the external Flash card.
•flash:/[path/]filename
•tftp://[user[:password]@]server[:port]/[path/]filename
|
Boot Images Table
|
No.
|
Identifies the number of the boot image.
|
Images
|
Identifies the path and name of the boot image.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Images Dialog Box
Use the Images dialog box to add a boot image entry to the boot order list.
Navigation Path
You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page.
Related Topics
•Configuring Boot Image and Configuration Settings, page 15-39
•Boot Image/Configuration Page
Field Reference
Table L-41 Images Dialog Box
Element
|
Description
|
Image File
|
Enter the path and name of the image file to add to the boot order list. See the following syntax:
•disk0:/[path/]filename
This option is only available for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.
•disk1:/[path/]filename
This option is only available for the ASA platform, and indicates the external Flash card.
•flash:/[path/]filename
•tftp://[user[:password]@]server[:port]/[path/]filename
|
Clock Page
The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.
To dynamically set the time using an NTP server, see Configuring NTP Settings, page 15-72; time derived from an NTP server overrides any time set manually on the Clock page.
Navigation Path
•(Device view) Select Platform > Device Admin > Clock from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Clock Settings, page 15-40
•Configuring NTP Settings, page 15-72
•NTP Page
Field Reference
Table L-42 Clock Page
Element
|
Description
|
Device Time Zone
|
Select the time zone for the device from the list.
|
Daylight Savings Time (Summer Time)
|
Select whether daylight savings time is used and if so what method is used to specify when daylight savings time applies:
None—Disables daylight savings time on the security appliance.
Set by Date—Select this option to specify the date and time when daylight savings time begins and ends for a specific year. If you use this option, you need to reset the dates every year.
Set Recurring—Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.
|
Set by Date
|
Date (Begin/End)
|
Enter the date on which daylight savings time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.
|
Hour (Begin/End)
|
Select the hour, from 00 to 23, in which daylight savings time begins and the hour in which it ends.
|
Minute (Begin/End)
|
Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.
|
Set Recurring
|
Specify Recurring Time
|
Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.
|
Month (Begin/End)
|
Select the month in which daylight savings time begins and the month in which it ends.
|
Week (Begin/End)
|
Select the week of the month in which daylight savings time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. For example, if the day might fall in the partial fifth week, specify "last".
|
Weekday (Begin/End)
|
Select the day on which daylight savings time begins and the day on which it ends.
|
Hour (Begin/End)
|
Select the hour, from 0 to 23, in which daylight savings time begins and the hour in which it ends.
|
Minute (Begin/End)
|
Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Credentials Page
Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.
Navigation Path
•(Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Contact Credentials, page 15-42
•User Accounts Page
Field Reference
Table L-43 Contact Credentials Page
Element
|
Description
|
Username
|
Specifies the username for logging in to the device.
|
Password
|
Specifies the password for logging in to the device.
|
Confirm
|
Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.
|
Privilege Level
|
Specifies the privilege level of the user logging in to the device.
|
Enable Password
|
Specifies the new enable password for the device.
|
Confirm
|
Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.
|
Telnet/SSH Password
|
Specifies the new login password for the device.
|
Confirm
|
Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
CPU Threshold Page
Use the CPU Threshold Page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.
Navigation Path
•(Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring SNMP, page 15-50
•SNMP Page
•SNMP Trap Configuration Dialog Box
Field Reference
Table L-44 CPU Threshold Page
Element
|
Description
|
CPU Rising Threshold Percentage
|
Enter the percentage of CPU usage above which you want to receive a notification. If the CPU utilization percentage is equal to or above this value for the duration specified in the CPU Monitoring Period field then a notification will be sent.
|
CPU Monitoring Period (seconds)
|
Enter the number of seconds that the percentage of CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Device Access
The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:
•Console Page
•HTTP Page
•ICMP Page
•Management Access Page
•Secure Shell Page
•SNMP Page
•Telnet Page
Console Page
Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Device Access
Field Reference
Table L-45 Console Page
Element
|
Description
|
Console Timeout (minutes)
|
Number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0-60 minutes. To prevent a console session from timing out, enter 0.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
HTTP Page
The HTTP page provides a table that specifies the addresses of all the hosts or networks that are allowed access to the firewall device using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.
The HTTP page also displays information about HTTP redirection and HTTPS user certificate requirements for interfaces on the firewall device. You can use this table to change the entries for HTTP redirection and HTTPS user certificate requirements.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Device Access
•HTTP Configuration Dialog Box
Field Reference
Table L-46 HTTP Page
Element
|
Description
|
Enable HTTP Server
|
Enables or disables HTTPS access to the firewall device.
|
HTTP Interface Table
|
Interface
|
Lists the interface on the firewall device from which the administrative access to the device manager is allowed.
|
Network
|
Lists the IP address and netmask, separated by a "/", of hosts or networks that are permitted to establish an HTTPS connection with the firewall device.
|
Authentication Certificate
|
Identifies if a user certificate is required to authenticate users who are establishing HTTPS connections.
|
Redirect Port
|
Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. If this column is empty, then HTTP redirect is disabled.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
HTTP Configuration Dialog Box
Use the HTTP Configuration dialog box to add a host or network that will be allowed administrative access to the firewall device manager over HTTPS.
Navigation Path
You can access the HTTP Configuration dialog box from the HTTP page. For more information about the HTTP page, see HTTP Page.
Related Topics
•Device Access
•HTTP Page
Field Reference
Table L-47 HTTP Configuration Dialog Box
Element
|
Description
|
Interface Name
|
Specifies the interface on the firewall device from which administrative access to the firewall device manager is allowed.
|
IP Address/Netmask
|
Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to establish an HTTPS connection with the firewall device.
|
Enable Authentication Certificate
|
Specifies whether user certificate authentication is required to establish an HTTPS connection.
|
Redirect port
|
Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank.
|
ICMP Page
The ICMP page provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device. You can use this table to add or change the hosts or networks that are allowed to or prevented from sending ICMP messages to the firewall device.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Right-click ICMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Device Access
•ICMP Configuration Dialog Box
Field Reference
Table L-48 ICMP Page
Element
|
Description
|
ICMP Rules Table
|
Interface
|
Lists the interface on the security appliance from which ICMP access is allowed.
|
Action
|
Displays whether ICMP messages are permitted or denied from the specified network or host.
|
Network
|
Lists the IP address and netmask, separated by a "/", of hosts or networks that are allowed or denied access.
|
ICMP Service
|
Lists the type of ICMP message to which the rule applies.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
ICMP Configuration Dialog Box
Use the ICMP Configuration dialog box to add or modify an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device.
Navigation Path
You can access the ICMP Configuration dialog box from the ICMP page. For more information about the ICMP page, see ICMP Page.
Related Topics
•Device Access
•ICMP Page
Field Reference
Table L-49 ICMP Configuration Dialog Box
Element
|
Description
|
Interface
|
Identifies the interface on the firewall device from which ICMP access is allowed.
|
Network
|
Specifies the IP address and netmask, separated by a "/", of the host or network that is allowed or denied access.
|
Action
|
Displays whether ICMP messages are permitted or denied from the specified network or host.
•Permit—Causes ICMP messages from the specified host or network and interface to be allowed.
•Deny—Causes ICMP messages from the specified host or network and interface to be dropped.
|
ICMP Service
|
Specifies the type of ICMP message to which the rule applies.
|
Management Access Page
The Management Access page lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the firewall device. Use this feature if VPN is configured on the firewall device and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the firewall device securely from home using the VPN client.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Right-click Management Access to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Device Access
Field Reference
Table L-50 Management Access Page
Element
|
Description
|
Management Access Interface
|
Name of firewall device interface that permits management access connections. You can click Select to select the interface from a list of interface objects.
You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time. Clear the Management Access Interface field to disable management access.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Secure Shell Page
Use the Secure Shell page to configure rules that permit only specific hosts or networks to connect to a firewall device for administrative access using the SSH protocol.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Secure Shell, page 15-49
•Device Access
•SSH Configuration Dialog Box
Field Reference
Table L-51 Secure Shell Page
Element
|
Description
|
Enable Secure Copy Server
|
Select this check box to enable the secure copy server on the security appliance.
|
Allowed SSH Version(s)
|
Restricts the version of SSH accepted by the firewall device. By default, SSH Version 1 and SSH Version 2 connections are accepted.
|
Timeout (minutes)
|
Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the firewall device closes it.
|
Secure Shell Access Rule table
|
Interface
|
Displays the name of the firewall device interface that will permit SSH connections.
|
Network
|
Displays the IP address and netmask of each host or network permitted to connect to this security appliance through the specified interface.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
SSH Configuration Dialog Box
Use the SSH Configuration dialog box to add an SSH access rule to the rule table or to edit an SSH access rule.
Navigation Path
You can access the SSH Configuration dialog box from the Secure Shell page. For more information about the Secure Shell page, see Secure Shell Page.
Related Topics
•Configuring Secure Shell, page 15-49
•Device Access
•Secure Shell Page
Field Reference
Table L-52 SSH Configuration Dialog Box
Element
|
Description
|
Interface
|
Specifies the name of the firewall device interface that permits SSH connections.
|
IP Address/Netmask
|
Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to establish an SSH connection with the firewall device.
|
SNMP Page
The SNMP page lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring SNMP, page 15-50
•Device Access
•SNMP Trap Configuration Dialog Box
•Add SNMP Host Access Entry Dialog Box
Field Reference
Table L-53 SNMP Page
Element
|
Description
|
Password (Community String)
|
Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
System Administrator Name
|
Enter the name of the firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
|
Location
|
Specify the firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
|
Port (PIX 7.x and ASA only)
|
Specify the port on which incoming requests will be accepted.
|
Configure Traps button
|
Click to open the SNMP Trap Configuration dialog box from which you can configure SNMP trap settings.
|
SNMP Hosts Table
|
Interface
|
Identifies the interface on which the SNMP management station resides.
|
IP Address
|
Identifies the IP address of the SNMP management station.
|
Community String
|
Identifies the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
SNMP Version
|
Identifies the version of SNMP set on the management station.
|
Poll/Trap
|
Displays the method for communicating with this management station, poll only, trap only, or both trap and poll.
•Poll—Firewall device waits for a periodic request from the management station.
•Trap—Sends syslog events when they occur.
|
UDP Port
|
Specifies the UDP port for the SNMP host. The default value is 162 for the SNMP host UDP port.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
SNMP Trap Configuration Dialog Box
Use the SNMP Trap Configuration dialog box to configure trap settings.
Traps are different than browsing; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.
An SNMP object ID (OID) for the security appliance displays in SNMP event traps sent from the security appliance. Firewall devices provide system OID in SNMP event traps & SNMP mib-2.system.sysObjectID.
The SNMP service running on a firewall device performs two different functions:
•Replies to SNMP requests from management stations (also known as SNMP clients).
•Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.
Cisco firewall devices support 3 types of traps:
•firewall
•generic
•syslog
Navigation Path
You can access the SNMP Trap Configuration dialog box from the SNMP page. For more information about the SNMP page, see SNMP Page.
Related Topics
•Configuring SNMP, page 15-50
•Device Access
•SNMP Page
•Add SNMP Host Access Entry Dialog Box
Field Reference
Table L-54 SNMP Trap Configuration Dialog Box
Element
|
Description
|
Standard SNMP Traps
(PIX 7.x, ASA, and FWSM only)
|
Select the standard SNMP traps you want sent:
•Authentication—Enables authentication standard trap.
•Cold Start—Enables cold start standard trap.
•Link Up—Enables link up standard trap.
•Link Down—Enables link down standard trap.
|
Entity MIB Notifications
(PIX 7.x and ASA only)
|
Select the Entity MIB Notifications that you want to enable:
•FRU Insert—Enables a trap notification when a Field Replaceable Unit (FRU) has been inserted.
•FRU Remove—Enables a trap notification when a Field Replaceable Unit (FRU) has been removed.
•Configuration Change—Enables a trap notification when there has been a hardware change.
|
IPsec Traps
(PIX 7.x and ASA only)
|
Select the IPsec traps that you want to enable:
•Start—Enables a trap when IPsec starts.
•Stop—Enables a trap when IPsec stops.
|
Remote Access Traps
(PIX 7.x and ASA only)
|
Select the Remote Access traps that you want to enable:
•Session Threshold Exceeded—Enables the firewall device send traps when remote access sessions reach the defined limit.
|
Enable Syslog Traps
|
Enables or disables the sending of syslog messages to the SNMP management station.
|
Add SNMP Host Access Entry Dialog Box
Use the Add SNMP Host Access Entry dialog box to add SNMP management stations.
Navigation Path
You can access the Add SNMP Host Access Entry dialog box from the SNMP page. For more information about the SNMP page, see SNMP Page.
Related Topics
•Device Access
•SNMP Page
•SNMP Trap Configuration Dialog Box
Field Reference
Table L-55 Add SNMP Host Access Entry Dialog Box
Element
|
Description
|
Interface Name
|
Select the interface on which the SNMP management station resides. You can click Select to select the interface from a list of interface objects.
|
IP Address
|
Enter the IP address of the SNMP management station. You can click Select to select the IP address from a list of IP address objects.
|
UDP Port
|
Enter the UDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port.
|
Community String
|
Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
SNMP Version
|
Select the version of SNMP set on the management station.
|
Server Poll/Trap Specification
|
Specify the method for communicating with this management station, poll only, trap only, or both trap and poll.
•Poll—Firewall device waits for a periodic request from the management station.
•Trap—Sends syslog events when they occur.
|
Telnet Page
Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.
Navigation Path
•(Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.
•(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•Configuring Telnet, page 15-54
•Device Access
•Telnet Configuration Dialog Box
Field Reference
Table L-56 Telnet Page
Element
|
Description
|
Timeout (minutes)
|
Number of minutes Telnet session can remain idle before the firewall device closes it. Values are 1-60 minutes. Default is 5.
|
Telnet Access Table
|
Interface
|
Interface that receives Telnet packets from the client.
|
Network
|
The IP address and network mask of the host or network that can access the Telnet console on the firewall device.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Telnet Configuration Dialog Box
Use the Telnet Configuration dialog box to configure Telnet options for an interface.
Navigation Path
You can access the Telnet Configuration dialog box from the Telnet page. For more information about the Telnet page, see Telnet Page.
Related Topics
•Configuring Telnet, page 15-54
•Device Access
•Telnet Page
Field Reference
Table L-57 Telnet Configuration Dialog Box
Element
|
Description
|
Interface Name
|
Select the interface that receives Telnet packets from the client. You can click Select to select the interface from a list of interface objects.
|
Network
|
Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to access the firewall device's Telnet console through the specified interface. Use a comma to separate entries for multiple networks or hosts. You can click Select to select the networks from a list of network objects.
Note To limit access to a single IP address, use 255.255.255.255 or 32 as the netmask. Do not use the subnetwork mask of the internal network.
|
Failover Policies
This section discusses the pages that you use to configure failover for your firewall devices. The pages that are available for firewall configuration change depending on the type of firewall device you are configuring.
PIX 6.x Firewalls
•Failover Page (PIX 6.x)
–Edit Failover Interface Configuration Dialog Box (PIX 6.x)
–Bootstrap Configuration for LAN Failover Dialog Box
Firewall Services Modules
•Failover Page (FWSM)
–Advanced Settings Dialog Box
–Add Interface MAC Address Dialog Box
–Edit Failover Interface Configuration Dialog Box (FWSM)
–Bootstrap Configuration for LAN Failover Dialog Box
Adaptive Security Appliances and PIX 7.0 Firewalls
•Failover Page (ASA/PIX 7.x)
–Settings Dialog Box
–Add Failover Group Dialog Box
–Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
–Add Interface MAC Address Dialog Box
–Bootstrap Configuration for LAN Failover Dialog Box
Failover Page (PIX 6.x)
Use the Failover page to configure failover settings for a PIX 6.x Firewall.
Navigation Path
To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Failover Policies
•Edit Failover Interface Configuration Dialog Box (PIX 6.x)
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table L-58 Failover Page (PIX 6.x)
Element
|
Description
|
Failover
|
Enable Failover
|
Specifies whether failover is enabled on this device.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
LAN-Based Failover
|
Enable LAN-based failover
|
Specifies whether LAN-based failover is enabled on this device.
|
Interface
|
Allows you to select the interface to use for LAN-based failover.
|
Shared Key
|
Used to encrypt communication between primary and standby devices. Value can be any string.
|
Stateful Failover
|
Enable Stateful Failover
|
Specifies whether stateful failover is enabled on this device.
Note If you enable stateful failover, you must select a fast LAN link from the list, (for example, 100full, 1000full, or 1000sxfull).
|
Enable HTTP Replication
|
Enables stateful failover to copy active HTTP sessions to standby PIX Firewall.
|
Interface
(fast LAN link is required)
|
Allows you to select an interface with a fast LAN link. A dedicated fast LAN link is required in addition to failover cable to support stateful failover.
|
Failover Poll Time
|
Specifies how long failover waits before determining if other devices remain available between primary and standby devices over all network interfaces and failover cable. Values are 3-15 seconds. Default is 15.
|
Failover Interface Table
|
Interface
|
Displays the name of the interface on the active firewall device to be used for communication with standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.
|
Active IP Address
|
Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.
Tip You can use this IP address with the ping tool to check the status of the active device.
|
Standby IP Address
|
Displays the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on same network as system IP address.
Tip You can use this IP address with the ping tool to check the status of the standby device.
|
Active MAC Address
|
Displays the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Displays the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Edit Row button
|
Click to display the Edit Failover Interface Configuration dialog box.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for PIX 6.x devices.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (PIX 6.x).
Related Topics
•Failover Policies
•Failover Page (PIX 6.x)
Field Reference
Table L-59 Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Element
|
Description
|
Interface
|
Displays the name of the interface on the active firewall device to be used for communication with standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.
|
Active IP Address
|
Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.
Tip You can use this IP address with the ping tool to check the status of the active device.
|
Netmask
|
Displays the netmask of the active device.
|
Standby IP Address
|
Specify the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.
Tip You can use this IP address with the ping tool to check the status of the standby device.
|
Failover MAC Addresses
|
Active MAC Address
|
Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Failover Page (FWSM)
Use the Failover page to configure basic failover settings for FWSMs.
Navigation Path
To access this feature, select a FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Failover Policies
•Advanced Settings Dialog Box
•Edit Failover Interface Configuration Dialog Box (FWSM)
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table L-60 Failover Page (FWSM)
Element
|
Description
|
Enable Failover
|
Specifies whether failover is enabled on this device.
You must configure the logical LAN failover interface and, optionally, the stateful failover interface.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
Configuration (FWSM 3.x only)
|
Active/Active option
(FWSM 3.x only)
|
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.
To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
|
Active/Standby option
(FWSM 3.x only)
|
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to security appliances in single mode or multiple mode.
|
Settings button
|
Click to display the Advance Settings dialog box. See Advanced Settings Dialog Box for more information.
|
LAN Failover
|
VLAN
|
VLAN interface you are using for the failover link, for example, VLAN 11.
|
Logical Name
|
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Mask that corresponds with active and standby IP addresses.
|
State Failover
|
VLAN
|
VLAN interface you are using for the stateful failover link, for example, VLAN 12.
|
Logical Name
|
The logical name of the interface on active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Mask that corresponds with active and standby IP addresses.
|
Enable HTTP Replication check box
|
Enables stateful failover to copy active HTTP sessions to a standby firewall.
|
Suspend Configuration Synchronization
(FWSM 2.3 only)
|
When selected, configurations between the active and standby device are no longer synchronized.
Note You cannot disable this feature using the Security Manager user interface. To disable this feature after enabling it in Security Manager, issue the no failover suspend-config-sync command directly on the device or by using the FlexConfig feature. For more information on FlexConfigs, see Understanding FlexConfig Policy Objects, page 19-2, page 19-1.
|
Shared Key
(FWSM 3.x only)
|
To encrypt and authenticate the communication between failover peers, specify a shared secret in the Shared Key field for the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair. The shared key can be from 1 to 63 characters and can be any combination of numbers, letters, or punctuation.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishin.g the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Advanced Settings Dialog Box
The Advanced Settings dialog box allows you to configure additional failover settings for FWSMs.
Navigation Path
You can access the Advance dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM).
Related Topics
•Failover Policies
•Failover Page (FWSM)
•Add Interface MAC Address Dialog Box
Field Reference
Table L-61 Advance Dialog Box
Element
|
Description
|
Interface Policy
|
Number of failed interfaces that triggers failover option
|
When the number of failed monitored interfaces exceeds the value you set with this command, the security appliance fails over. The range is between 1 and 250 failures.
|
Percentage of failed interfaces that triggers failover option
|
When the number of failed monitored interfaces exceeds the percentage you set with this command, the security appliance fails over.
|
Failover Poll Time
|
Unit Failover
|
The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 milliseconds.
|
Unit Hold Time
|
Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the poll time.
|
Monitored Interface
|
The amount of time between polls among interfaces. The range is between 3 and 15 seconds.
|
MAC Address Mapping
|
Physical Interface
|
Specifies the physical interface for which failover virtual MAC addresses are configured.
|
Active MAC Address
|
Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Edit Failover Interface Configuration Dialog Box (FWSM)
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for FWSMs.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM).
Related Topics
•Failover Policies
•Failover Page (FWSM)
Field Reference
Table L-62 Edit Failover Interface Configuration Dialog Box (FWSM)
Element
|
Description
|
Interface Name
|
Identifies the interface name.
|
Active IP Address
|
Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.
|
Standby IP Address
|
Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
|
Monitor this interface for failure
|
Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
•Unknown—Initial status. This status can also mean the status cannot be determined.
•Normal—The interface is receiving traffic.
•Testing—Hello messages are not heard on the interface for five poll times.
•Link Down—The interface is administratively down.
•No Link—The physical link for the interface is down.
•Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
|
Failover Page (ASA/PIX 7.x)
Use the Failover page to configure basic failover settings for ASAs and PIX 7.x firewalls.
Navigation Path
To access this feature, select an ASA or PIX 7.x firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•Failover Policies
•Settings Dialog Box
•Add Failover Group Dialog Box
•Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•Add Interface MAC Address Dialog Box
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table L-63 Failover Page (ASA/PIX 7.x)
Element
|
Description
|
Enable Failover
|
Specifies whether failover is enabled on this device.
You must configure the logical LAN failover interface and, optionally, the stateful failover interface.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
Configuration
|
Active/Active option
|
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.
To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
|
Active/Standby option
|
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to security appliances in single mode or multiple mode.
|
Settings button
|
Click to display the Settings dialog box. See Settings Dialog Box for more information.
|
LAN Failover
|
Interface
|
Interface you are using for the failover link.
|
Logical Name
|
The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Netmask that corresponds with active and standby IP addresses.
|
Bootstrap button
|
Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box for more information.
|
State Failover
|
Interface
|
Interface you are using for the stateful failover link.
|
Logical Name
|
The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Netmask that corresponds with active and standby IP addresses.
|
Enable HTTP Replication
|
When selected, enables stateful failover to copy active HTTP sessions to standby firewall.
|
Shared Key
|
Used to encrypt communication between primary and standby devices. Value can be any string.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Settings Dialog Box
The Settings dialog box allows you to define criteria for when failover should occur on an ASAs or PIX 7.x Firewall.
Navigation Path
You can access the Settings dialog box from the Failover page. For more information about the Failover page, see Failover Page (ASA/PIX 7.x).
Related Topics
•Failover Policies
•Failover Page (ASA/PIX 7.x)
•Add Failover Group Dialog Box
•Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•Add Interface MAC Address Dialog Box
•Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table L-64 Settings Page
Element
|
Description
|
Interface Policy
|
Number of failed interfaces that triggers failover option
|
When the number of failed monitored interfaces exceeds the value you set with this command, the security appliance fails over. The range is between 1 and 250 failures.
|
Percentage of failed interfaces that triggers failover option
|
When the number of failed monitored interfaces exceeds the percentage you set with this command, the security appliance fails over.
|
Failover Poll Time
|
Unit Failover
|
The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 milliseconds.
|
Unit Hold Time
|
Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the poll time.
|
Monitored Interface
|
The amount of time between polls among interfaces. The range is between 3 and 15 seconds.
|
Failover Groups
|
Group Number
|
Specifies the failover group number. This number is used when assigning contexts to failover groups.
|
Preferred Role
|
Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
|
Preempt Enabled
|
Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.
|
Preempt Delay
|
Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.
|
Interface Policy
|
Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.
|
Interface Poll Time
|
Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.
|
Replicate HTTP
|
Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.
|
MAC Address
|
Identifies the MAC address of the active interface.
|
MAC Address Mapping
|
Physical Interface
|
Specifies the physical interface for which failover virtual MAC addresses are configured.
|
Active MAC Address
|
Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Monitor Interface Configuration
|
Interface Name
|
Displays the name of the interface.
|
Is Monitored
|
Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
•Unknown—Initial status. This status can also mean the status cannot be determined.
•Normal—The interface is receiving traffic.
•Testing—Hello messages are not heard on the interface for five poll times.
•Link Down—The interface is administratively down.
•No Link—The physical link for the interface is down.
•Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
|
Edit Row button
|
Click to display the Edit Failover Interface Configuration dialog box to edit a failover interface configuration.
|
Management IP Address
|
Active
|
Specifies the management IP address of the active device.
|
Netmask
|
Specifies the netmask that corresponds with the active and standby IP addresses.
|
Standby
|
Specifies the management IP address of the standby device.
|
Add Failover Group Dialog Box
Use the Add Failover Group dialog box to define failover groups for an Active/Active failover configuration.
Navigation Path
You can access the Add Failover Group dialog box from the Failover page. For more information about the Failover page, see Failover Page (ASA/PIX 7.x).
