Table Of Contents
PIX/ASA/FWSM Platform User Interface Reference
NAT Policies
Address Pools Page
Address Pool Dialog Box
Translation Options Page
Translation Rules Page
Translation Exemptions (NAT 0 ACL) Tab
Dynamic Rules Tab
Policy Dynamic Rules Tab
Static Rules Tab
General Tab
Advanced NAT Options Dialog Box
Interfaces Page
Add/Edit Interface Dialog Box
Add/Edit Interface Dialog Box (PIX/ASA)
Add/Edit Interface Dialog Box (ASA 5505)
Add/Edit Interface Dialog Box (PIX 6.3)
Advanced Interface Settings Dialog Box
Add VPND Group Dialog Box
PPPoE Users Dialog Box
FWSM Interfaces Page
FWSM Add/Edit Interface Dialog Box
Add/Edit Bridge Group Dialog Box
ASA 5505 Ports and Interfaces Page
Configure Hardware Ports Dialog Box
Bridging
ARP Table Page
Add/Edit ARP Configuration Dialog Box
ARP Inspection Page
Add/Edit ARP Inspection Dialog Box
MAC Address Table Page
Add/Edit MAC Table Entry Dialog Box
MAC Learning Page
Add/Edit MAC Learning Dialog Box
Management IP Page
AAA Page
Authentication Tab
Authorization Tab
Accounting Tab
Banner Page
Boot Image/Configuration Page
Images Dialog Box
Clock Page
Credentials Page
CPU Threshold Page
Device Access
Console Page
HTTP Page
HTTP Configuration Dialog Box
ICMP Page
Add and Edit ICMP Dialog Boxes
Management Access Page
Secure Shell Page
Add and Edit SSH Host Dialog Boxes
SNMP Page
SNMP Trap Configuration Dialog Box
Add SNMP Host Access Entry Dialog Box
Telnet Page
Telnet Configuration Dialog Box
Failover Policies
Failover Page (PIX 6.x)
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Failover Page (FWSM)
Advanced Settings Dialog Box
Edit Failover Interface Configuration Dialog Box (FWSM)
Failover Page (ASA/PIX 7.x)
Settings Dialog Box
Add Failover Group Dialog Box
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
Add Interface MAC Address Dialog Box
Bootstrap Configuration for LAN Failover Dialog Box
Hostname Page
Resources Page
Add/Edit Resource Dialog Box
Server Access
AUS Page
Add and Edit Auto Update Server Dialog Boxes
DHCP Relay Page
Add and Edit DHCP Relay Agent Configuration Dialog Boxes
Add and Edit DHCP Relay Server Configuration Dialog Boxes
DHCP Server Page
Add/Edit DHCP Server Interface Configuration Dialog Boxes
Add/Edit DHCP Server Advanced Configuration Dialog Box
DNS Page
Add DNS Server Group Dialog Box
Add DNS Server Dialog Box
Edit Interfaces Dialog Box
DDNS Page
Add/Edit DDNS Interface Rule Dialog Box
NTP Page
NTP Server Configuration Dialog Box
SMTP Server Page
TFTP Server Page
User Accounts Page
Add/Edit User Account Dialog Box
Logging Policies
NetFlow Page
Add and Edit Collector Dialog Boxes (NetFlow)
E-Mail Setup Page
Add/Edit Email Recipient Dialog Box
Event Lists Page
Message Classes and Associated Message ID Numbers
Add/Edit Event List Dialog Box
Logging Filters Page
Edit Logging Filters Dialog Box
Logging Setup Page
Rate Limit Page
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Add/Edit Rate Limited Syslog Message Dialog Box
Server Setup Page
Logging Levels
Add/Edit Syslog Message Dialog Box
Syslog Servers Page
Add/Edit Syslog Server Dialog Box
Multicast Policies
Enable Multicast Routing Page
IGMP Page
Protocol Tab
Configure IGMP Parameters Dialog Box
Access Group Tab
Configure IGMP Access Group Parameters Dialog Box
Static Group Tab
Configure IGMP Static Group Parameters Dialog Box
Join Group Tab
Configure IGMP Join Group Parameters Dialog Box
Multicast Routing Page
Add/Edit MRoute Configuration Dialog Box
Multicast Boundary Filter Page
Add/Edit MBoundary Configuration Dialog Box
PIM Page
Protocol Tab
Add/Edit PIM Protocol Dialog Box
Neighbor Filter Tab
Bidirectional Neighbor Filter Tab
Rendezvous Points Tab
Add/Edit Rendezvous Point Dialog Box
Add/Edit Multicast Groups Dialog Box
Route Tree Tab
Multicast Group Dialog Box
Request Filter Tab
Multicast Group Dialog Box
Routing Policies
No Proxy ARP Page
Edit Interfaces Dialog Box
OSPF Page
General Tab
Area Tab
Range Tab
Neighbors Tab
Redistribution Tab
Virtual Link Tab
Filtering Tab
Summary Address Tab
Interface Tab
RIP Page
RIP Page for PIX/ASA 6.3-7.1 and FWSM
RIP Page for PIX/ASA 7.2 and Later
Static Route Page
Add/Edit Static Route Dialog Box
Security Policies
General Page
Add/Edit General Security Configuration Dialog Box
Timeouts Page
Service Policy Rules
Priority Queues Page
Priority Queue Configuration Dialog Box
IPS, QoS, and Connection Rules Page
Insert/Edit Service Policy (MPC) Rule Wizard
Interfaces Selector Dialog Boxes
User Preferences
Deployment Page
Security Contexts Page
Add/Edit Security Context Dialog Box (FWSM)
Add/Edit Security Context Dialog Box (PIX/ASA)
Allocate Interfaces Dialog Box (PIX/ASA only)
View Interface Allocation Dialog Box (PIX/ASA only)
PIX/ASA/FWSM Platform User Interface Reference
The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs).
These topics are organized in the order in which they appear in Device view. All of these elements may not apply to the currently selected device, according to its operating mode and configuration.
NAT Policies
• Address Pools Page
• Translation Options Page
• Translation Rules Page
  – Translation Exemptions (NAT 0 ACL) Tab
  – Dynamic Rules Tab
  – Policy Dynamic Rules Tab
  – Static Rules Tab
  – General Tab
Interfaces
• Interfaces Page
• FWSM Interfaces Page
• ASA 5505 Ports and Interfaces Page
Platform
• Bridging
  – ARP Table Page
  – ARP Inspection Page
  – MAC Address Table Page
  – MAC Learning Page
  – Management IP Page
• Device Admin
  – AAA Page
  – Authentication Tab
  – Authorization Tab
  – Accounting Tab
  – Banner Page
  – Boot Image/Configuration Page
  – Clock Page
  – Credentials Page
  – CPU Threshold Page
  – Device Access
  – Console Page
  – HTTP Page
  – ICMP Page
  – Management Access Page
  – Secure Shell Page
  – SNMP Page
  – Telnet Page
  – Failover Policies
  – Hostname Page
  – Resources Page
  – Server Access
  – AUS Page
  – DHCP Relay Page
  – DHCP Server Page
  – DNS Page
  – DDNS Page
  – NTP Page
  – SMTP Server Page
  – TFTP Server Page
  – User Accounts Page
• Logging Policies
  – NetFlow Page
  – Syslog
  – E-Mail Setup Page
  – Event Lists Page
  – Logging Filters Page
  – Logging Setup Page
  – Rate Limit Page
  – Server Setup Page
  – Syslog Servers Page
• Multicast Policies
  – Enable Multicast Routing Page
  – IGMP Page
  – Protocol Tab
  – Access Group Tab
  – Static Group Tab
  – Join Group Tab
  – Multicast Routing Page
  – Multicast Boundary Filter Page
  – PIM Page
  – Protocol Tab
  – Neighbor Filter Tab
  – Bidirectional Neighbor Filter Tab
  – Rendezvous Points Tab
  – Route Tree Tab
  – Request Filter Tab
• Routing Policies
  – No Proxy ARP Page
  – OSPF Page
  – General Tab
  – Area Tab
  – Range Tab
  – Neighbors Tab
  – Redistribution Tab
  – Virtual Link Tab
  – Filtering Tab
  – Summary Address Tab
  – Interface Tab
  – RIP Page
  – Static Route Page
• Security Policies
  – General Page
  – Timeouts Page
• Service Policy Rules
  – Priority Queues Page
  – IPS, QoS, and Connection Rules Page
• User Preferences
  – Deployment Page
Security Contexts Page
NAT Policies
The NAT section consists of the following pages:
• Address Pools Page
• Translation Options Page
• Translation Rules Page
  – Translation Exemptions (NAT 0 ACL) Tab
  – Dynamic Rules Tab
  – Policy Dynamic Rules Tab
  – Static Rules Tab
  – General Tab
Address Pools Page
Use the Address Pools page to view and manage the global address pools used in dynamic NAT rules.
Navigation Path
• (Device view) Select NAT > Address Pools from the Device Policy selector.
• (Policy view) Select NAT (PIX/ASA/FWSM) > Address Pools from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Address Pools to create a new policy.
Related Topics
• NAT Policies
• Address Pool Dialog Box
Field Reference
Table K-1 Address Pools Page
Element | Description
Global Address Pools table:
Interface | The name of the device interface to which the address pool applies.
ID | The identification number of the address pool.
IP Address(es) | The IP addresses assigned to the pool.
Description | The description assigned to the address pool.
Add button | Opens the Address Pool Dialog Box so you can define a new address pool for a specific interface.
Edit button | Opens the Address Pool Dialog Box so you can edit the selected address pool.
Delete button | Deletes the selected entry in the Global Address Pools table. A confirmation dialog box may appear; click OK to delete the entry.
Save button | Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Address Pool Dialog Box
Use the Address Pool dialog box to add or edit a global address pool for use in dynamic NAT rules.
Navigation Path
You open the Address Pool dialog box by clicking the Add Row or Edit Row buttons on the Address Pools Page.
Related Topics
• NAT Policies
• Address Pools Page
Field Reference
Table K-2 Address Pools Dialog Box
Element | Description
Interface Name | Enter or Select the name of the device interface on which the mapped IP addresses will be used.
Pool ID | Enter a unique identification number for this address pool, an integer between 1 and 2147483647. When configuring a dynamic NAT rule, you select a Pool ID to specify the pool of addresses to be used for translation.
IP address ranges | Enter or Select the addresses to be assigned to this address pool. You can specify these addresses as follows:
• Address range for dynamic NAT (e.g., 192.168.1.1-192.168.1.15)
• Subnetwork (e.g., 192.168.1.0/24)
• List of addresses separated by commas (e.g., 192.168.1.1, 192.168.1.2, 192.168.1.3)
• Single address to use for PAT (e.g., 192.168.1.1)
• Combinations of the above (e.g., 192.168.1.1-192.168.1.15, 192.168.1.25)
• Names of hosts on the connected network; these will be resolved to IP addresses.
Description | Enter a description for the address pool.
Enable Interface PAT | When checked, port address translation is enabled on the specified interface.
Translation Options Page
Use the Translation Options page to set options that affect network address translation for the selected security appliance. These settings apply to all interfaces on the device.
Navigation Path
• (Device view) Select NAT > Translation Options from the Device Policy selector.
• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.
Related Topics
• NAT Policies
• Configuring Translation Options, page 15-20
Field Reference
Table K-3 Translation Options Page
Element | Description
Enable traffic through the firewall without address translation | When selected, lets traffic pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped.
Note This option is available only on PIX 7.x, FWSM 3.x, and ASA devices.
Enable xlate bypass | When selected, NAT sessions for untranslated traffic are disabled (this feature is called "xlate bypass"). See Configuring Translation Options, page 15-20 for more information.
Note This option is available only on FWSM 3.2 and higher.
Do not translate VPN traffic | When selected, lets VPN traffic pass through the security appliance without address translation.
Translation Rules Page
Use the Translation Rules page to define address translation rules on the selected device. The Translation Rules page consists of the following tabs:
• Translation Exemptions (NAT 0 ACL) Tab
• Dynamic Rules Tab
• Policy Dynamic Rules Tab
• Static Rules Tab
• General Tab
Navigation Path
• (Device view) Select NAT > Translation Rules from the Device Policy selector.
• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.
Translation Exemptions (NAT 0 ACL) Tab
Use the Translation Exemptions (NAT 0 ACL) tab of the Translation Rules page to view and specify traffic that is exempt from address translation.
Note
Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
• NAT Policies
• Translation Rules Page
• Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
• Advanced NAT Options Dialog Box
• General Tab
Field Reference
Note
The following table describes standard Translation Exemption elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.
Table K-4 Translation Exemptions (NAT 0 ACL) Tab
Element | Description
Filter | Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Exemptions Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.
Translation Exemptions (NAT 0 ACL) Rules Table | Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled. (See Enable Rule in Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box for information about enabling and disabling these rules.)
No. | Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.
Action | Indicates whether the rule exempts the matching traffic from NAT (exempt) or not (do not exempt).
Original Interface | The ID of the device interface to which the rule is applied.
Original Address | The object names or IP addresses of the source hosts and networks to which the rule applies.
Destination | The object names or IP addresses of the destination hosts and networks to which the rule applies.
Direction | The traffic direction (Inbound or Outbound) to which the rule is applied.
Category | The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.
To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | The description of the rule, if provided.
Find/Replace button | Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Translation Exemptions Rules table. See Find and Replace Page, page I-123 for more information about using this feature.
Up Row | Moves the selected entry one row higher in the table.
Down Row | Moves the selected entry one row lower in the table.
Add Row | Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you define a new translation exemption rule.
Edit Row | Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you edit the rule currently selected in the Translation Exemptions Rules table.
Delete Row | Deletes the selected entry from the Translation Exemptions Rules table. A confirmation dialog box may appear; click OK to delete the entry.
Save button | Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation exemption rules.
Navigation Path
You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab. See Translation Exemptions (NAT 0 ACL) Tab for more information.
Related Topics
• NAT Policies
• Translation Rules Page
• Translation Exemptions (NAT 0 ACL) Tab
• Advanced NAT Options Dialog Box
Field Reference
Table K-5 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Element | Description
Enable Rule | If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.
Action | Select the action for this rule:
• exempt - The rule identifies traffic that is exempt from NAT.
• do not exempt - The rule identifies traffic that is not exempt from NAT.
Original: Interface | Enter the name of (or Select) the device interface to which the rule applies.
Original: Sources | Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.
Translated: Direction | The rule can be applied to Inbound or Outbound traffic, as specified with this option.
Traffic flow: Destinations | Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.
Category | To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | Enter a description of the rule.
Advanced button (FWSM only) | Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.
Dynamic Rules Tab
Use the Dynamic Rules tab of the Translation Rules page to view and configure dynamic NAT and PAT rules.
Note
Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.
Related Topics
• NAT Policies
• Add/Edit Dynamic Translation Rule Dialog Box
• Advanced NAT Options Dialog Box
• Select Address Pool Dialog Box
• General Tab
Field Reference
Note
The following table describes standard Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.
Table K-6 Dynamic Rules Tab
Element | Description
Filter | Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.
Dynamic Rules Table | Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.)
No. | Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.
Original Interface | The ID of the device interface to which the rule is applied.
Original Address | The object names or IP addresses of the source hosts and networks to which the rule applies.
Translated Pool | The ID number of the pool of addresses used for translation.
Direction | The traffic direction (Inbound or Outbound) to which the rule is applied.
Category | The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.
To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | The description of the rule, if provided.
Find/Replace button | Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Dynamic Rules table. See Find and Replace Page, page I-123 for more information about using this feature.
Up Row | Moves the selected entry one row higher in the table.
Down Row | Moves the selected entry one row lower in the table.
Add Row | Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you define a new dynamic translation rule.
Edit Row | Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you edit the rule currently selected in the Dynamic Rules table.
Delete Row | Deletes the selected entry from the Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.
Save button | Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Add/Edit Dynamic Translation Rule Dialog Box
Use the Add/Edit Dynamic Translation Rule dialog box to define and edit dynamic NAT and PAT rules.
Navigation Path
You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. See Dynamic Rules Tab for more information.
Related Topics
• NAT Policies
• Translation Rules Page
• Dynamic Rules Tab
• Advanced NAT Options Dialog Box
• Select Address Pool Dialog Box
Field Reference
Table K-7 Add/Edit Dynamic Translation Rule Dialog Box
Element | Description
Enable Rule | If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.
Original: Interface | Enter the name of (or Select) the device interface to which the rule applies.
Original: Address | Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.
Translated: Pool | Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box.
Enter a value of zero to specify this as an identity NAT rule.
Translated: Direction | The rule can be applied to Inbound or Outbound traffic, as specified with this option.
Category | To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | Enter a description for the rule.
Advanced button | Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.
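The address pool syntax documented for the Address Pool Dialog Box (ranges, subnets, comma-separated lists, a single PAT address, host names, and combinations) and the Translated: Pool field above, where zero means identity NAT, are the two inputs most worth validating before a NAT policy is deployed. The following Python is an added example, not Security Manager code: it parses the documented pool spec forms, checks the Pool ID range, classifies a dynamic rule's pool reference, and flags pools on the same interface whose addresses overlap; host names are resolved through a constructed HOSTS table so it runs offline, and the overlap check is this example's own sanity check, not a documented Security Manager validation.

```python
"""Validate global address pools and dynamic-rule pool references offline.

Added example (not Security Manager code). Pool spec syntax follows the
Address Pool dialog box; HOSTS is a constructed stand-in for host-name
resolution on the connected network.
"""
import ipaddress
from dataclasses import dataclass, field

POOL_ID_MIN, POOL_ID_MAX = 1, 2147483647  # documented Pool ID range
IDENTITY_POOL_ID = 0                       # pool 0 in a dynamic rule = identity NAT

# Constructed host table; a real deployment would resolve these names.
HOSTS = {"web1": "192.168.1.40", "web2": "192.168.1.41"}


@dataclass
class AddressPool:
    interface: str
    pool_id: int
    spec: str
    interface_pat: bool = False                   # "Enable Interface PAT" checkbox
    networks: list = field(default_factory=list)  # parsed IPv4Network objects


def _parse_entry(entry, resolve):
    """Parse one comma-separated entry into a list of IPv4Network objects."""
    entry = entry.strip()
    try:
        if "-" in entry and "/" not in entry:
            # Address range such as 192.168.1.1-192.168.1.15
            lo_s, hi_s = entry.split("-", 1)
            lo = ipaddress.IPv4Address(lo_s.strip())
            hi = ipaddress.IPv4Address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry}")
            return list(ipaddress.summarize_address_range(lo, hi))
        # Subnetwork (192.168.1.0/24) or single address (192.168.1.1 -> /32);
        # strict=True rejects a prefix whose host bits are set.
        return [ipaddress.IPv4Network(entry, strict=True)]
    except ipaddress.AddressValueError:
        pass  # not dotted-quad syntax, so treat the entry as a host name
    addr = resolve(entry)
    if addr is None:
        raise ValueError(f"cannot resolve host name: {entry}")
    return [ipaddress.IPv4Network(addr)]


def parse_pool_spec(spec, resolve=HOSTS.get):
    """Parse a whole spec, e.g. '192.168.1.1-192.168.1.15, 192.168.1.25'."""
    networks = []
    for entry in spec.split(","):
        if entry.strip():
            networks.extend(_parse_entry(entry, resolve))
    if not networks:
        raise ValueError("address pool spec is empty")
    return networks


def is_valid_pool_spec(spec, resolve=HOSTS.get):
    try:
        parse_pool_spec(spec, resolve)
        return True
    except ValueError:
        return False


def is_valid_pool_id(pool_id):
    return POOL_ID_MIN <= pool_id <= POOL_ID_MAX


def build_pool(interface, pool_id, spec, interface_pat=False):
    if not is_valid_pool_id(pool_id):
        raise ValueError(f"pool ID {pool_id} outside {POOL_ID_MIN}..{POOL_ID_MAX}")
    return AddressPool(interface, pool_id, spec, interface_pat, parse_pool_spec(spec))


def pool_address_count(pool):
    """Mapped addresses the pool can hand out (1 for a single PAT address)."""
    return sum(n.num_addresses for n in pool.networks)


def overlapping_pools(pools):
    """(id_a, id_b) pairs of pools on the same interface whose addresses overlap.

    Example's own sanity check: two pools mapping the same addresses on one
    interface is a misconfiguration worth catching before deployment.
    """
    hits = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.interface != b.interface:
                continue
            if any(x.overlaps(y) for x in a.networks for y in b.networks):
                hits.append((a.pool_id, b.pool_id))
    return hits


def check_dynamic_rule_pool(pool_id, pools):
    """Classify a dynamic rule's Translated: Pool value: identity, ok, or undefined."""
    if pool_id == IDENTITY_POOL_ID:
        return "identity"
    if any(p.pool_id == pool_id for p in pools):
        return "ok"
    return "undefined"
```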
Select Address Pool Dialog Box
The Select Address Pool dialog box presents a list of global address pools; these pools are defined and managed via the Address Pools Page. Use this dialog box to select an address pool for use by a dynamic translation rule, or a policy dynamic translation rule.
Navigation Path
You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog Box when adding or editing a dynamic translation rule, or from the Add/Edit Policy Dynamic Rules Dialog Box when adding or editing a policy dynamic translation rule.
Related Topics
• NAT Policies
• Translation Rules Page
• Address Pools Page
Field Reference
Table K-8 Select Address Pool Dialog Box
Element | Description
Pool ID | The identification number of the address pool.
Interface | The name of the device interface to which the address pool applies.
IP Address Ranges | The IP addresses assigned to the pool; "interface" in this list indicates PAT is enabled on the specified Interface.
Description | The description provided for the address pool.
Selected Row | This field identifies the pool currently selected in the list. When you click OK to close the dialog box, this pool is assigned to the translation rule.
Policy Dynamic Rules Tab
Use the Policy Dynamic Rules tab of the Translation Rules page to view and configure dynamic translation rules based on source and destination addresses and services.
Note
Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Policy Dynamic Rules tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
• NAT Policies
• Add/Edit Policy Dynamic Rules Dialog Box
• Advanced NAT Options Dialog Box
• Select Address Pool Dialog Box
• General Tab
Field Reference
Note
The following table describes standard Policy Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.
Table K-9 Policy Dynamic Rules Tab
Element | Description
Filter | Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Policy Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.
Policy Dynamic Rules Table | Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled. (See Enable Rule in Add/Edit Policy Dynamic Rules Dialog Box for information about enabling and disabling these rules.)
No. | Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.
Original Interface | The ID of the device interface to which the rule is applied.
Original Address | The object names or IP addresses of the source hosts and networks to which the rule applies.
Translated Pool | The ID number of the pool of addresses used for translation.
Destination | The object names and IP addresses of the destination hosts and networks to which the rule applies.
Service | The services to which the rule applies.
Direction | The traffic direction (Inbound or Outbound) to which the rule is applied.
Category | The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.
To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | The description of the rule, if provided.
Find/Replace button | Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Policy Dynamic Rules table. See Find and Replace Page, page I-123 for more information about using this feature.
Up Row | Moves the selected entry one row higher in the table.
Down Row | Moves the selected entry one row lower in the table.
Add Row | Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you define a new policy dynamic translation rule.
Edit Row | Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you edit the rule currently selected in the Policy Dynamic Rules table.
Delete Row | Deletes the selected entry from the Policy Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.
Save button | Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Add/Edit Policy Dynamic Rules Dialog Box
Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based on source and destination addresses and services.
Navigation Path
You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See Policy Dynamic Rules Tab for more information.
Related Topics
• NAT Policies
• Translation Rules Page
• Policy Dynamic Rules Tab
• Advanced NAT Options Dialog Box
• Select Address Pool Dialog Box
Field Reference
Table K-10 Add/Edit Policy Dynamic Rules Dialog Box
Element | Description
Enable Rule | If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.
Original: Interface | Enter the name of (or Select) the device interface to which the rule applies.
Original: Address | Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.
Translated: Pool | Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box.
Enter a value of zero to specify this as an identity NAT rule.
Translated: Direction | The rule can be applied to Inbound or Outbound traffic, as specified with this option.
Traffic flow: Destinations | Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.
Traffic flow: Services | Enter (or Select) the services to which the rule applies. Multiple entries must be separated by commas.
Category | To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
Description | Enter a description of the rule.
Advanced button | Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.
Static Rules Tab
Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for a security appliance or shared policy.
Caution 
The order of Static NAT rules on a security device is important, and Security Manager preserves this ordering during deployment. However, security appliances do not support in-line editing of Static NAT rules. This means that if you move, edit, or insert a rule anywhere above the end of the list, Security Manager will remove from the device all Static NAT rules that follow the new or modified rule, and then re-send the updated list from that point. Depending on the length of the list, this can require substantial overhead, and may result in traffic interruption. Whenever possible, add any new Static NAT rules to the end of the list.
Navigation Path
You can access the Static Rules tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
• NAT Policies
• Add/Edit Static Rule Dialog Box
• Advanced NAT Options Dialog Box
• General Tab
Field Reference
Note
The following table describes standard Static Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.
Table K-11 Static Rules Tab
Element
|
Description
|
Filter
|
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Static Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.
|
Static Rules Table
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled. (See Enable Rule in Add/Edit Static Rule Dialog Box for information about enabling and disabling these rules.)
|
No.
|
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule, but do not change the rule order unless absolutely necessary.
|
Original Interface
|
The ID of the device interface to which the rule is applied.
|
Original Address
|
The object names or IP addresses of the source hosts and networks to which the rule applies.
|
Local Port
|
The port number supplied by the host or network (for static PAT).
|
Translated Interface
|
The interface on which the translated addresses are to be used.
|
Translated Address
|
The translated addresses.
|
Global Port
|
The port number to which the original port number will be translated (for static PAT).
|
Destination
|
The object names and IP addresses of the destination hosts or networks to which the rule applies.
|
Service
|
The services to which the rule applies.
|
Protocol
|
The protocol to which the rule applies.
|
Nailed
|
Whether TCP state tracking and sequence checking is skipped for the connection: true or false. (This value is a product of device discovery; it cannot be changed in Security Manager.)
|
Category
|
The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.
To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
|
Description
|
The description of the rule, if provided.
|
Find/Replace button
|
Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Static Rules table. See Find and Replace Page, page I-123 for more information about using this feature.
|
Up Row
|
Moves the selected entry one row higher in the table.
|
Down Row
|
Moves the selected entry one row lower in the table.
|
Add Row
|
Opens the Add/Edit Static Rule Dialog Box; lets you define a new static rule.
|
Edit Row
|
Opens the Add/Edit Static Rule Dialog Box; lets you edit the rule currently selected in the Static Rules table.
|
Delete Row
|
Deletes the selected entry from the Static Rules table. A confirmation dialog box may appear; click OK to delete the entry.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit Static Rule Dialog Box
Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.
Navigation Path
You can access the Add/Edit Static Rule dialog box from the Static Rules tab. See the Static Rules Tab for more information.
Related Topics
•
NAT Policies
•
Translation Rules Page
•
Static Rules Tab
•
Advanced NAT Options Dialog Box
Field Reference
Table K-12 Add/Edit Static Rule Dialog Box
Element
|
Description
|
Enable Rule
|
If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.
|
Translation Type
|
Select the type of translation for this rule: NAT or PAT.
|
Original Interface
|
Enter (or Select) the device interface connected to the host or network with original addresses to be translated.
|
Original Address
|
Enter (or Select) the source address to be translated.
|
Translated Interface
|
Enter (or Select) the interface on which the translated addresses are to be used.
To specify this as an identity NAT rule, enter the same interface in both this and the Original Interface fields.
|
Use Interface IP/Use Selected Address
|
Specify the address used on the Translated Interface: select Use Interface IP to use the interface's own address, or select Use Selected Address and either enter an address or Select a network/host object.
|
Enable Policy NAT
|
Select this option to enable Policy NAT for this translation rule.
|
Dest Address
|
If Policy NAT is enabled, specify the destination addresses of the hosts or networks to which the rule applies.
|
Services
|
If Policy NAT is enabled, specify the services to which the rule applies.
|
Protocol
|
If PAT is the selected Translation Type, select the protocol, TCP or UDP, to which the rule applies.
|
Original Port
|
If PAT is the selected Translation Type, enter the port number to be translated.
|
Translated Port
|
If PAT is the selected Translation Type, enter the port number to which the original port number will be translated.
|
Category
|
To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category. See Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
|
Description
|
Enter a description of the rule.
|
Advanced button
|
Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.
|
General Tab
Use the General tab of the Translation Rules page to view all current translation rules. The translation rules are listed in the order that they will be evaluated on the device.
Note
The General tab is only visible for PIX, ASA and FWSM devices in routed mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules and do not need to display summary information.
Navigation Path
You can access the General tab from the Translation Rules page. See Translation Rules Page for more information.
Related Topics
•
NAT Policies
•
Translation Exemptions (NAT 0 ACL) Tab
•
Dynamic Rules Tab
•
Policy Dynamic Rules Tab
•
Static Rules Tab
Field Reference
Table K-13 General Tab
Element
|
Description
|
Filter
|
Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Rules Summary table. For more information about using the filtering bar, see Filtering Tables, page 3-17.
|
Translation Rules Summary Table
|
Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.)
|
No.
|
Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list.
|
Type
|
The type of translation rule; for example, Static, Dynamic, Exemption, and so on.
|
Action
|
Displays "exempt" if the rule is exempt from NAT.
|
Original Interface
|
The ID of the device interface to which the rule is applied.
|
Original Address
|
The object names or IP addresses of the source hosts and networks to which the rule applies.
|
Local Port
|
The port number supplied by the host or network (for static PAT).
|
Translated Pool
|
The ID number of the address pool used for translation.
|
Translated Interface
|
The interface on which the translated addresses are to be used.
|
Translated Address
|
The translated addresses.
|
Global Port
|
The port number to which the original port number will be translated (for static PAT).
|
Destination
|
The object names and IP addresses of the destination hosts or networks to which the rule applies.
|
Protocol
|
The protocol to which the rule applies.
|
Service
|
The services to which the rule applies.
|
Direction
|
The traffic direction (Inbound or Outbound) on which the rule is applied.
|
DNS Rewrite
|
Whether the DNS Rewrite option is enabled: Yes or No. This option is set in the Advanced NAT Options Dialog Box.
|
Maximum TCP Connections
|
The maximum number of TCP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box.
|
Embryonic Limit
|
The number of embryonic connections allowed to form before the security appliance begins to deny these connections. If zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
This option is set in the Advanced NAT Options Dialog Box.
|
Maximum UDP Connections
|
The maximum number of UDP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box.
|
Timeout
|
For PIX 6.x devices, this is the timeout value for a static translation rule. This value overrides the default translation timeout specified in Platform > Security > Timeouts. A Timeout value of 00:00:00 here means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts.
|
Randomize Sequence Number
|
Whether the security appliance will randomize the sequence number of TCP packets: Yes or No. This option is set in the Advanced NAT Options Dialog Box, and is enabled by default.
|
Category
|
The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.
To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Using Category Objects, page 9-4 for more information.
Note No commands are generated for the Category attribute.
|
Description
|
The description of the rule, if provided.
|
Advanced NAT Options Dialog Box
Use the Advanced NAT Options dialog box to configure the advanced connection settings—DNS Rewrite, Maximum TCP and Maximum UDP Connections, Embryonic Limit, Timeout (PIX 6.x), and Randomize Sequence Number—for NAT and Policy NAT. You can also configure these options for Translation Exemption (NAT 0 ACL) rules on an FWSM.
Navigation Path
You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or editing a translation rule. See the following topics for more information:
•
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
•
Add/Edit Dynamic Translation Rule Dialog Box
•
Add/Edit Policy Dynamic Rules Dialog Box
•
Add/Edit Static Rule Dialog Box
Related Topics
•
NAT Policies
•
Translation Rules Page
Field Reference
Table K-14 Advanced NAT Options Dialog Box
Element
|
Description
|
Translate the DNS replies that match the translation rule
|
If checked, the security appliance rewrites DNS replies so an outside client can resolve the name of an inside host using an inside DNS server, and vice versa. For instance, if your NAT rule includes the real address of a host with an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host: one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client.
As an example, assume an inside web server, www.example.com, has the IP address 192.168.1.1, which is translated to 10.1.1.1 on the outside interface of the appliance. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
Note that the mapped host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with a static rule.
|
Max TCP Connections per Rule
|
Enter the maximum number of TCP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Max UDP Connections per Rule
|
Enter the maximum number of UDP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
|
Max Embryonic Connections
|
Enter the number of embryonic connections allowed to form before the security appliance begins to deny these connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set this limit to prevent attack by a flood of embryonic connections. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
Any positive value enables the TCP Intercept feature. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.
|
Timeout
|
For PIX 6.x devices, enter a timeout value for this translation rule, in the format hh:mm:ss. This value overrides the default translation timeout specified in Platform > Security > Timeouts, unless this value is 00:00:00, in which case translations matching this rule use the default translation timeout (specified in Platform > Security > Timeouts).
|
Randomize Sequence Number
|
If checked, the security appliance randomizes the sequence numbers of TCP packets. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
Disable this feature only if:
• Another in-line security appliance is also randomizing initial sequence numbers and data is being scrambled.
• You are using eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.
• You are using a WAAS device which requires that the security appliance not randomize the sequence numbers of connections.
Disabling this option opens a security hole in the security appliance.
|
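As an added example (not appliance code), the following Python rewrites A records in a DNS reply payload the way the DNS Rewrite row above describes, using the rule from that row (192.168.1.1 on inside mapped to 10.1.1.1 on outside); the reply bytes are constructed inline so it runs offline.

```python
"""DNS Rewrite applied to a DNS reply payload, for the static rule in the text.

Added example, not appliance code. It assumes the rule from the DNS Rewrite row:
real 192.168.1.1 on 'inside' is translated to 10.1.1.1 on 'outside'. Only A
records are rewritten; the reply is a minimal RFC 1035 response constructed
with struct so the example runs offline.
"""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNatRule:
    original_ifc: str     # interface where the real address lives
    real_addr: str
    translated_ifc: str   # interface where the mapped address is used
    mapped_addr: str
    dns_rewrite: bool = True


EXAMPLE_RULES = [StaticNatRule("inside", "192.168.1.1", "outside", "10.1.1.1")]


def _skip_name(buf, off):
    """Return the offset just past a DNS name at `off`, handling compression pointers."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def _substitute(ip, client_ifc, server_ifc, rules):
    """Address the client should see for `ip` in a reply travelling server_ifc -> client_ifc."""
    for r in rules:
        if not r.dns_rewrite:
            continue
        # DNS server on the real-address side answering a client on the mapped side.
        if server_ifc == r.original_ifc and client_ifc == r.translated_ifc and ip == r.real_addr:
            return r.mapped_addr
        # DNS server on the mapped side answering a client on the real-address side.
        if server_ifc == r.translated_ifc and client_ifc == r.original_ifc and ip == r.mapped_addr:
            return r.real_addr
    return ip   # same interface, no matching rule, or rewrite disabled: payload untouched


def rewrite_dns_reply(payload, client_ifc, server_ifc, rules):
    """Return the reply bytes with every A-record address rewritten per `rules`."""
    buf = bytearray(payload)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                        # fixed-size header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4              # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:               # A record: rewrite in place, length unchanged
            ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            buf[off:off + 4] = socket.inet_aton(_substitute(ip, client_ifc, server_ifc, rules))
        off += rdlen
    return bytes(buf)


def build_reply(name, ip, txid=0x1234):
    """Constructed test data: a response with one question and one A answer for `name`."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    # Outside client asks the inside DNS server for www.example.com (the case in the text).
    reply = build_reply("www.example.com", "192.168.1.1")
    fixed = rewrite_dns_reply(reply, client_ifc="outside", server_ifc="inside", rules=EXAMPLE_RULES)
    print(fixed == build_reply("www.example.com", "10.1.1.1"))   # True
```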
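For the Max Embryonic Connections row above, this added Python model (not appliance code) shows the limit semantics and the TCP Intercept hand-off; the SYN-cookie construction and the 203.0.113.0/24 client addresses are assumptions for illustration.

```python
"""Embryonic-connection limit and TCP Intercept, modelled for one static rule.

Added example, not appliance code. It shows the semantics described above:
half-open connections to the translated address are counted, a limit of 0
means unlimited, and once the limit is reached new SYNs are intercepted: the
appliance answers with a SYN cookie and keeps no state until the client's ACK
proves the cookie. The cookie construction (HMAC over the flow 4-tuple and a
time slot) is an assumption for illustration, not the appliance's algorithm.
"""
import hashlib
import hmac
import time


class TcpInterceptGuard:
    """Tracks embryonic connections for one translated address and intercepts beyond the limit."""

    def __init__(self, embryonic_limit, secret=b"constructed-secret", clock=time.time):
        self.limit = embryonic_limit      # 0 = unlimited, TCP Intercept never engages
        self.secret = secret
        self.clock = clock
        self.embryonic = set()            # half-open flows for which the server holds state
        self.established = set()
        self.intercepted = 0              # SYNs answered with a cookie instead of server state
        self.cookie_failures = 0

    def _slot(self):
        return int(self.clock()) // 64    # cookies stay valid for about a minute

    def _cookie(self, flow, slot):
        msg = f"{flow}|{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # 32-bit value usable as a TCP ISN

    def on_syn(self, flow):
        """Handle a client SYN for `flow`; returns 'forwarded' or 'intercepted'."""
        if self.limit == 0 or len(self.embryonic) < self.limit:
            self.embryonic.add(flow)      # under the limit: SYN goes to the server as usual
            return "forwarded"
        self.intercepted += 1             # limit reached: reply SYN-ACK ourselves, keep no state
        return "intercepted"

    def syn_ack_seq(self, flow):
        """ISN the appliance places in its SYN-ACK for an intercepted flow."""
        return self._cookie(flow, self._slot())

    def on_ack(self, flow, ack_number):
        """Handle the client's final ACK; returns True once the connection is established."""
        if flow in self.embryonic:        # normal handshake completing at the server
            self.embryonic.remove(flow)
            self.established.add(flow)
            return True
        slot = self._slot()
        for candidate in (slot, slot - 1):   # tolerate a slot boundary during the handshake
            if ack_number == ((self._cookie(flow, candidate) + 1) & 0xFFFFFFFF):
                self.established.add(flow)   # cookie valid: now open the server-side connection
                return True
        self.cookie_failures += 1        # ACK without a matching cookie: never reaches the server
        return False


def simulate_syn_burst(guard, count):
    """Constructed burst of SYNs from distinct clients that never complete the handshake."""
    forwarded = intercepted = 0
    for i in range(count):
        flow = (f"203.0.113.{i % 254 + 1}", 40000 + i, "10.1.1.1", 80)
        if guard.on_syn(flow) == "forwarded":
            forwarded += 1
        else:
            intercepted += 1
    return forwarded, intercepted


if __name__ == "__main__":
    guard = TcpInterceptGuard(embryonic_limit=10, clock=lambda: 1_000_000.0)
    print(simulate_syn_burst(guard, 100))                          # (10, 90)
    print("server-side half-open state:", len(guard.embryonic))   # 10
```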
Interfaces Page
The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.
Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.
If you bootstrapped a new firewall device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the selected device type and version, the operational mode (routed vs. transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.
Navigation Path
To access the Interfaces page, select a firewall device in Device View and then select Interfaces from the Device Policy selector.
Related Topics
•
Configuring Firewall Device Interfaces, page 15-2
•
Using the Add/Edit Interface Dialog Box, page 15-6
Field Reference
Table K-15 Interfaces Page
Element
|
Description
|
Interfaces Table
|
Interface Type
|
The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are:
• Ethernet
• GigabitEthernet
• TenGigabitEthernet (ASA 5580 only)
• Redundant
|
Name
|
The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.
|
IP Address
|
The IP address of the interface, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
|
IP Address Type
|
The method by which the IP address is provided. Valid options are:
• static - The IP address is manually defined.
• dhcp - The IP address is obtained via a DHCP lease.
• pppoe - The IP address is obtained using PPPoE.
|
Interface Role
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Valid options include:
• All-Interfaces - The interface is a member of the default role assigned to all interfaces.
• Internal - This interface is a member of the default role associated with all inside interfaces.
• External - This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
Hardware Port
|
Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed.
For subinterfaces, this value identifies the physical interface with which the subinterface is associated.
|
Enabled
|
Indicates if the interface is enabled: true or false.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
VLAN ID
|
For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration.
If this value is not specified, the column displays native.
|
Security Level
|
The interface security level; a value between 0 and 100.
|
Management Only
|
Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.
|
MTU
|
The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500.
|
Member
|
Indicates whether this interface is a member of a redundant interface pair: true or false.
|
Description
|
A description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.
|
ASR Group
|
If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 15-4 for more information about redundant interfaces.
You can enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.
In multiple-context mode, you can only add interfaces in the system configuration. See Configuring Security Contexts on Firewall Devices, page 15-84, for information about assigning interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:
•
Add/Edit Interface Dialog Box (PIX/ASA)
•
Add/Edit Interface Dialog Box (ASA 5505)
•
Add/Edit Interface Dialog Box (PIX 6.3)
Navigation Path
You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page.
Related Topics
•
Configuring Firewall Device Interfaces, page 15-2
•
Interfaces Page
•
ASA 5505 Ports and Interfaces Page
•
Advanced Interface Settings Dialog Box
•
Add VPND Group Dialog Box
•
PPPoE Users Dialog Box
Add/Edit Interface Dialog Box (PIX/ASA)
The Add/Edit Interface dialog box is used to define and configure interfaces.
Table K-16 Add/Edit Interface Dialog Box (PIX/ASA)
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Management Only
|
Sets the interface to accept traffic to the security appliance only, and not through traffic.
|
Redundant Interface
|
Select this option to define a "redundant interface." When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.
See About Redundant Interfaces, page 15-4 for more information.
|
Type
|
Type of interface. Valid values are:
• Interface - Settings represent a physical interface.
• Subinterface - Settings represent a logical interface attached to the same network as its underlying physical interface.
Note This option is not available when Redundant Interface is selected.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
• Inside - Connects to your internal network. Must be the most secure interface.
• DMZ - Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.
• Outside - Connects to an external network or the Internet. Must be the least secure interface.
Note Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.
|
Hardware Port
|
For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface.
Valid values are:
• Ethernet0 to Ethernetn
• GigabitEthernet0 to GigabitEthernetn
• GigabitEthernets/n
• TenGigabitEthernets/n (ASA 5580 only)
where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.
For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that the physical interface is defined and enabled.
Note This option is not visible when Redundant Interface is selected.
|
Subinterface ID
|
Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform.
Note You cannot change the ID after you set it.
|
Media Type
|
When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:
• RJ45 - Port uses RJ-45 connectors.
• SFP - Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.
|
Redundant ID
|
Available only if Redundant Interface is checked. Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.
|
Primary Interface
|
Available only if Redundant Interface is checked. Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces.
|
Secondary Interface
|
Available only if Redundant Interface is checked. Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces.
|
IP Type
|
Specifies the address type for the interface.
• Static IP - Assigns a static IP address and mask to the interface.
• Use DHCP - Assigns a dynamic IP address and mask to the interface.
• PPPoE - Provides an authenticated method of assigning an IP address to the interface.
Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.
|
IP Address
|
Specifies the IP address for the interface. For a static IP address, select the Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Use DHCP option.
• IP address must be unique for each interface.
• The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
|
Subnet Mask
|
The network mask for the interface's IP address. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
|
DHCP Learned Route Metric
|
Available only if Use DHCP is selected for IP Type.
|
Obtain default route using DHCP
|
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Enable Tracking for DHCP Learned Route
|
Available only if Use DHCP is selected for IP Type.
|
VPDN Group Name
|
Available only if PPPoE is selected for IP Type.
|
PPPoE Learned Route Metric
|
Available only if PPPoE is selected for IP Type.
|
Obtain Default Route using PPPoE
|
Available only if PPPoE is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the PPPoE server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Enable Tracking for PPPoE Learned Route
|
Available only if PPPoE is selected for IP Type.
|
VLAN ID
|
For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
|
Duplex
|
Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.
For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.
Note This option is not visible when Redundant Interface is selected.
|
Speed
|
Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type.
• 10
• 100
• 1000
• 10000 (set automatically for a TenGigabitEthernet interface; available only on ASA 5580)
• non-negotiable
Note This option is not visible when Redundant Interface is selected.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 - 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.
|
Description
|
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
|
Security Level
|
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
• Outside interface is always 0.
• Inside interface is always 100.
• DMZ interfaces are between 1 and 99.
|
Active MAC Address
|
Use this field to manually assign a private MAC address to the interface.
MAC addresses are provided in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.
|
Standby MAC Address
|
You can also set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
• All-Interfaces - Indicates the interface is a member of the default role assigned to all interfaces.
• Internal - Indicates this interface is a member of the default role associated with all inside interfaces.
• External - Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
Add/Edit Interface Dialog Box (ASA 5505)
The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page.
Table K-17 Add/Edit Interface Dialog Box (ASA 5505)
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
|
Management Only
|
Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications.
Supported interface names are:
• Inside—Connects to your internal network. Must be most secure interface.
• DMZ—"Demilitarized zone" attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
• Outside—Connects to an external network or the Internet. Must be least secure interface.
|
IP Type
|
Specifies the address type for the interface; choose one of the following methods and provide related parameters:
• Static IP - Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a "classful" network is assumed.
• Use DHCP - Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
– DHCP Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
– Obtain Default Route using DHCP - Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Static Route Page.
– Enable Tracking for DHCP Learned Route - If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:
– Tracked SLA Monitor - Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Understanding SLA Monitor Objects, page 9-91 for more information.)
• PPPoE (PIX and ASA 7.2+) - Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover.
– VPDN Group Name (required) - Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 15-16 for more information.
– IP Address - If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
– Subnet Mask - The subnet mask to be used in conjunction with the provided IP Address.
– PPPoE Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
– Obtain Default Route using PPPoE - Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
– Enable Tracking for PPPoE Learned Route - If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
– Dual ISP Interface - If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
– Tracked SLA Monitor - Required if Enable Tracking for PPPoE Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Understanding SLA Monitor Objects, page 9-91 for more information.)
Note You can configure DHCP and PPPoE only on the outside interface of a security appliance.
Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.
|
VLAN ID
|
Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration.
|
Security Level
|
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
• Outside interface is always 0.
• Inside interface is always 100.
• DMZ interfaces are between 1 and 99.
|
Block Traffic To
|
Restricts this VLAN interface from initiating contact with the VLAN chosen here.
|
Backup Interface
|
Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.
|
Active MAC Address
|
Use this field to manually assign a MAC address to the interface.
MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
|
Standby MAC Address
|
If you assign an Active MAC Address, you also can assign a Standby MAC Address.
|
Description
|
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
• External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
Add/Edit Interface Dialog Box (PIX 6.3)
Table K-18 Add/Edit Interface Dialog Box (PIX 6.3)
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy.
You must enable a physical interface before any traffic can pass through any enabled subinterfaces.
|
Type
|
Type of VLAN interface. Valid values are:
• Logical—VLAN is associated with a logical interface.
• Physical—VLAN is on the same network as its underlying hardware interface.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
• Inside—Connects to your internal network. Must be most secure interface.
• DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.
• Outside—Connects to an external network or the Internet. Must be least secure interface.
|
Hardware Port
|
When defining a physical network interface, this value is the name that identifies the interface type and its slot or port in the device.
When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled.
Valid values are:
• ethernet0 to ethernetn.
• gb-ethernetn.
where n represents the number of network interfaces in the device.
|
IP Type
|
Specifies the address type for the interface.
• Static IP—Assigns a static IP address and mask to the interface.
• Use DHCP—Assigns a dynamic IP address and mask to the interface.
• Use PPPoE—Provides an authenticated method of assigning an IP address to the interface.
Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.
|
IP Address
|
Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type.
• IP address must be unique for each interface.
• The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.
|
Subnet Mask
|
Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.
|
Obtain Default Route using DHCP
|
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.
|
Retry Count
|
Identifies the number of tries before an error is returned. Valid values are 4 through 16.
|
Obtain default route using PPPoE
|
Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.
|
Speed and Duplex
|
Lists the speed options for a physical interface; not applicable to logical interfaces.
• auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.
• 10baset—10-Mbps Ethernet half-duplex.
• 10full—10-Mbps Ethernet full-duplex.
• 100basetx—100-Mbps Ethernet half-duplex.
• 100full—100-Mbps Ethernet full-duplex.
• 1000auto—1000-Mbps Ethernet to auto-negotiate full- or half-duplex.
Tip We recommend that you do not use this option, to maintain compatibility with switches and other devices in your network.
• 1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
• 1000full nonnegotiate—1000-Mbps Ethernet full-duplex.
• aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.
• bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.
Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.
|
Physical VLAN ID
|
For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.
|
Logical VLAN ID
|
Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.
|
Security Level
|
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
• Outside interface is always 0.
• Inside interface is always 100.
• DMZ interfaces are between 1 and 99.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
• External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
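A validator for the constraints Table K-18 states, as an added example written for this page (not Cisco Security Manager code): it checks name length, the fixed inside/outside security levels, DHCP/PPPoE placement, the /31 and /32 mask caveat, the MTU and VLAN ID ranges, and normalizes a MAC address into the H.H.H format the Active MAC Address field expects. The dictionary keys and the sample settings are constructed for the example.

```python
"""Validator for the PIX 6.3 interface settings described in Table K-18.

Added example written for this page; it is not code from Cisco Security
Manager. It encodes only constraints the table states: name length, the
security levels fixed for inside (100) and outside (0) and 1-99 for DMZ
interfaces, DHCP/PPPoE allowed only on the outside interface, the subnet
mask caveat (255.255.255.254 and 255.255.255.255 stop traffic), the MTU
range and defaults, the 1-4094 VLAN ID range, and the H.H.H MAC format.
"""
import ipaddress
import re

MAC_SEPARATED = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")
MAC_HHH = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")
IP_TYPES = ("Static IP", "Use DHCP", "Use PPPoE")


def to_hhh(mac: str) -> str:
    """Normalize 00-0C-F1-42-4C-DE (or colon-separated) to the H.H.H form 000C.F142.4CDE."""
    if MAC_HHH.match(mac):
        digits = mac.replace(".", "")
    elif MAC_SEPARATED.match(mac):
        digits = re.sub(r"[-:]", "", mac)
    else:
        raise ValueError(f"unrecognized MAC address format: {mac!r}")
    digits = digits.upper()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def prefix_length(mask: str) -> int:
    """Accept a dotted-decimal mask (255.255.255.0) or a bit count (24); return the bit count."""
    if mask.isdigit():
        bits = int(mask)
    else:
        value = int(ipaddress.IPv4Address(mask))
        bits = bin(value).count("1")
        # a real netmask is a run of ones followed by zeros
        if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous mask: {mask}")
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {mask}")
    return bits


def default_mtu(ip_type: str) -> int:
    """1492 for PPPoE, 1500 otherwise, as the MTU row states."""
    return 1492 if ip_type == "Use PPPoE" else 1500


def validate_interface(cfg: dict) -> list:
    """Return a list of findings (empty when the settings satisfy the table's constraints)."""
    findings = []
    name = cfg.get("name", "")
    if not name:
        findings.append("name: required before traffic can pass")
    elif len(name) > 48:
        findings.append("name: longer than 48 characters")

    level = cfg.get("security_level")
    lname = name.lower()
    if level is None or not 0 <= level <= 100:
        findings.append("security_level: must be 0-100")
    elif lname == "outside" and level != 0:
        findings.append("security_level: outside interface is always 0")
    elif lname == "inside" and level != 100:
        findings.append("security_level: inside interface is always 100")
    elif lname not in ("inside", "outside") and not 1 <= level <= 99:
        findings.append("security_level: DMZ interfaces are between 1 and 99")

    ip_type = cfg.get("ip_type")
    if ip_type not in IP_TYPES:
        findings.append(f"ip_type: must be one of {IP_TYPES}")
    elif ip_type != "Static IP" and lname != "outside":
        findings.append("ip_type: DHCP and PPPoE are allowed only on the outside interface")

    mask = cfg.get("subnet_mask")
    if mask is not None:
        try:
            if prefix_length(mask) >= 31:
                findings.append("subnet_mask: /31 and /32 masks stop traffic on a connected interface")
        except ValueError as exc:
            findings.append(f"subnet_mask: {exc}")

    mtu = cfg.get("mtu", default_mtu(ip_type))
    if not 300 <= mtu <= 65535:
        findings.append("mtu: must be 300-65535 bytes")

    for key in ("physical_vlan_id", "logical_vlan_id"):
        vlan = cfg.get(key)
        if vlan is not None and not 1 <= vlan <= 4094:
            findings.append(f"{key}: must be 1-4094")

    mac = cfg.get("active_mac")
    if mac is not None:
        try:
            to_hhh(mac)
        except ValueError as exc:
            findings.append(f"active_mac: {exc}")
    return findings


# Constructed sample settings, not taken from any real device.
GOOD = {"name": "outside", "security_level": 0, "ip_type": "Use PPPoE",
        "active_mac": "00-0C-F1-42-4C-DE", "physical_vlan_id": 10}
BAD = {"name": "dmz1", "security_level": 100, "ip_type": "Use DHCP",
       "subnet_mask": "255.255.255.255", "mtu": 200, "logical_vlan_id": 4096,
       "active_mac": "000CF1424CDE"}

if __name__ == "__main__":
    print(to_hhh(GOOD["active_mac"]))
    for finding in validate_interface(BAD):
        print("-", finding)
```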
Advanced Interface Settings Dialog Box
Navigation Path
You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page or ASA 5505 Ports and Interfaces Page.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• Interfaces Page
• FWSM Interfaces Page
• ASA 5505 Ports and Interfaces Page
• Add/Edit Interface Dialog Box
• FWSM Add/Edit Interface Dialog Box
• Add VPND Group Dialog Box
• PPPoE Users Dialog Box
Field Reference
Table K-19 Advanced Interface Settings Dialog Box
Element
|
Description
|
Traffic between interfaces with same security levels
|
Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
• Disabled—Does not allow communication between interfaces on the same security level.
• Inter-interface—Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.
• Intra-interface—Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.
• Both—Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.
|
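The flow rules these options imply, as an added Python model written for this page (not code from Cisco Security Manager or the firewall software): it combines the security-level rule from the interface tables with the four same-security settings above and lists which interface pairs a given setting would newly permit, which is the check to run before enabling it. The topology is constructed for the example.

```python
"""Model of the security-level flow rules in the Interfaces tables and the
"Traffic between interfaces with same security levels" setting.

Added example written for this page; it is not code from Cisco Security
Manager or the firewall software. It follows the page's description: traffic
flows freely from a higher security level to a lower one; same-level traffic
between different interfaces needs Inter-interface (or Both); same-level
traffic between sub-interfaces of one interface needs Intra-interface (or Both).
"""
from dataclasses import dataclass
from enum import Enum
from itertools import permutations


class SameSecurityMode(Enum):
    """Values of the Advanced Interface Settings option."""
    DISABLED = "Disabled"
    INTER_INTERFACE = "Inter-interface"
    INTRA_INTERFACE = "Intra-interface"
    BOTH = "Both"


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int   # 0 (least secure) to 100 (most secure)
    hardware_port: str    # parent physical interface; sub-interfaces share it

    def __post_init__(self):
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be 0-100")


def flow_allowed(src: Interface, dst: Interface, mode: SameSecurityMode):
    """Return (allowed, reason) for traffic entering src and leaving dst."""
    if src.security_level > dst.security_level:
        return True, "higher to lower security level flows freely"
    if src.security_level < dst.security_level:
        return False, "lower to higher security level is not permitted by the security-level rule"
    # Equal levels: which same-security option is needed depends on whether the
    # two interfaces are sub-interfaces of the same physical interface.
    needed = (SameSecurityMode.INTRA_INTERFACE if src.hardware_port == dst.hardware_port
              else SameSecurityMode.INTER_INTERFACE)
    if mode in (needed, SameSecurityMode.BOTH):
        return True, f"same security level, {needed.value} traffic enabled ({mode.value})"
    return False, f"same security level, requires {needed.value} or Both (currently {mode.value})"


def pairs_opened_by(interfaces, mode: SameSecurityMode):
    """Ordered (src, dst) name pairs that `mode` permits but Disabled does not."""
    opened = []
    for src, dst in permutations(interfaces, 2):
        if (flow_allowed(src, dst, mode)[0]
                and not flow_allowed(src, dst, SameSecurityMode.DISABLED)[0]):
            opened.append((src.name, dst.name))
    return opened


# Constructed sample topology, not a real device configuration.
INSIDE = Interface("inside", 100, "ethernet1")
OUTSIDE = Interface("outside", 0, "ethernet0")
DMZ1 = Interface("dmz1", 50, "ethernet2")
DMZ2 = Interface("dmz2", 50, "ethernet3")
DMZ2_SUB = Interface("dmz2-web", 50, "ethernet3")   # sub-interface of ethernet3
TOPOLOGY = [INSIDE, OUTSIDE, DMZ1, DMZ2, DMZ2_SUB]

if __name__ == "__main__":
    for mode in SameSecurityMode:
        print(f"{mode.value:16} opens: {pairs_opened_by(TOPOLOGY, mode)}")
```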
PPPoE Users button
|
Click to access the PPPoE Users dialog box.
|
VPDN Groups (PIX and ASA 7.2+)
|
Group Name
|
Displays the group name.
|
PPPoE Username
|
Displays the PPPoE username.
|
PPP Authentication
|
Indicates the PPP Authentication method for this VPDN group:
• PAP
• CHAP
• MSCHAP
|
Add VPND Group Dialog Box
Navigation Path
You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• Interfaces Page
• FWSM Interfaces Page
• ASA 5505 Ports and Interfaces Page
• Add/Edit Interface Dialog Box
• FWSM Add/Edit Interface Dialog Box
• Advanced Interface Settings Dialog Box
• PPPoE Users Dialog Box
Field Reference
Table K-20 Add VPND Group Dialog Box
Element
|
Description
|
Group Name
|
Enter the group name.
|
PPPoE Username
|
Select the PPPoE username.
|
PPP Authentication
|
Select the PPP Authentication method:
• PAP
• CHAP
• MSCHAP
|
PPPoE Users Dialog Box
Navigation Path
You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• Interfaces Page
• FWSM Interfaces Page
• ASA 5505 Ports and Interfaces Page
• Add/Edit Interface Dialog Box
• FWSM Add/Edit Interface Dialog Box
• Advanced Interface Settings Dialog Box
• Add VPND Group Dialog Box
• Add and Edit PPPoE User Dialog Boxes
Field Reference
Table K-21 PPPoE Users Dialog Box
Element
|
Description
|
PPPoE Users (PIX and ASA 7.2+)
|
Username
|
Displays the PPPoE username.
|
Store in Local Flash
|
Indicates whether this PPPoE user account is to be stored in local flash (True or False).
|
Add and Edit PPPoE User Dialog Boxes
Navigation Path
You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box.
Note The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• Interfaces Page
• FWSM Interfaces Page
• ASA 5505 Ports and Interfaces Page
• Add/Edit Interface Dialog Box
• FWSM Add/Edit Interface Dialog Box
• Advanced Interface Settings Dialog Box
• Add VPND Group Dialog Box
• PPPoE Users Dialog Box
Field Reference
Table K-22 Add and Edit PPPoE User Dialog Boxes
Element
|
Description
|
Username
|
Provide a name for the PPPoE user.
|
Password
|
Enter a password for this user.
|
Confirm
|
Re-enter the password.
|
Store Username and Password in Local Flash
|
Select this option to store the PPPoE user information in flash memory.
|
FWSM Interfaces Page
The FWSM Interfaces page displays configured interfaces and subinterfaces. You can add or delete interfaces and subinterfaces, and also enable communication between interfaces on the same security level. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.
Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.
If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device type and version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.
Navigation Path
To access this feature, select a firewall device in Device View and then select Interfaces from the Device Policy selector.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• FWSM Add/Edit Interface Dialog Box
• Add/Edit Bridge Group Dialog Box
• Advanced Interface Settings Dialog Box
Field Reference
Table K-23 FWSM Interfaces Page
Element
|
Description
|
Interfaces Tab
|
Interface Type
|
Displays the interface type. This value is derived from the hardware ID setting of the selected interface. Valid options are:
• ethernet
• gigabitethernet
• gb-ethernet
|
Interface Name
|
Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.
|
IP Address
|
Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
|
IP Address Type
|
Specifies the method by which the IP address is provided. Valid options are:
• static—The IP address is manually defined.
• dhcp—The IP address is obtained via a DHCP lease.
• pppoe—The IP address is obtained using PPPoE.
|
Interface Role
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Valid options include:
• All-Interfaces—The interface is a member of the default role assigned to all interfaces.
• Internal—This interface is a member of the default role associated with all inside interfaces.
• External—This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
Hardware ID
|
Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed.
For subinterfaces, this value identifies the physical interface with which the subinterface is associated.
|
Vlan ID
|
For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.
If this value is not specified, the column displays native.
|
Enabled
|
Indicates if the interface is enabled: true or false.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Security Level
|
Displays the interface security level; a value between 0 and 100.
|
Management Only
|
Indicates if this interface allows traffic to the security appliance for management purposes only.
|
MTU
|
Displays the MTU. By default, the MTU is 1500.
|
Description
|
Displays a description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.
|
ASR Group
|
Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Bridge Groups Tab
|
Bridge Group
|
Shows the name of the bridge group.
|
ID
|
Displays the bridge group ID.
|
Interface A
|
Identifies the first interface that is part of this bridge group.
|
Interface B
|
Identifies the second interface that is part of this bridge group.
|
IP
|
Displays the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
|
Netmask
|
Displays the netmask for the management IP address of this bridge group.
|
Description
|
Displays the description of this bridge group if one was specified.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
FWSM Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add or edit an interface or subinterface. In multiple context mode, you can only add interfaces in the system configuration. See Configuring Security Contexts on Firewall Devices, page 15-84, to assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as a physical, virtual, logical, or subinterface.
Navigation Path
You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• FWSM Interfaces Page
• Add/Edit Bridge Group Dialog Box
• Advanced Interface Settings Dialog Box
Field Reference
Table K-24 FWSM Add/Edit Interface Dialog Box
Element
|
Description
|
Enable Interface
|
Enables this interface to pass traffic. You must also set an IP address (for routed mode) and a name before traffic can pass according to your security policy.
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
|
Management Only
|
Sets the interface to accept traffic to the security appliance only, and not through traffic.
|
Name
|
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
• Inside—Connects to your internal network. Must be most secure interface.
• DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.
• Outside—Connects to an external network or the Internet. Must be least secure interface.
|
IP Address
|
Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.
• IP address must be unique for each interface.
• The IP address is blank for interfaces that use dynamic addressing.
Note Do not use addresses being used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
|
Subnet Mask
|
Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
|
MTU
|
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 64-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.
|
VLAN ID
|
For a subinterface, sets the VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
|
Security Level
|
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
• Outside interface is always 0.
• Inside interface is always 100.
• DMZ interfaces are between 1 and 99.
|
Roles
|
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
Default options include:
• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
• External—Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
|
ASR Group
|
To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.
|
Add/Edit Bridge Group Dialog Box
Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.
A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.
You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
Navigation Path
You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• FWSM Interfaces Page
• FWSM Add/Edit Interface Dialog Box
• Advanced Interface Settings Dialog Box
Field Reference
Table K-25 Add/Edit Bridge Group Dialog Box
Element | Description
Name | Enter a name for this bridge group.
ID | Enter the bridge group ID as an integer between 1 and 100.
Interface A | Select the first interface that is part of this bridge group.
Interface B | Select the second interface that is part of this bridge group.
IP Address | Enter the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
Netmask | Network mask for the IP address of the bridge group. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
  Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.
Description | You can enter an optional description for this bridge group.
ASA 5505 Ports and Interfaces Page
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.
• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Navigation Path
To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• Configure Hardware Ports Dialog Box
• Add/Edit Interface Dialog Box (PIX/ASA)
• Advanced Interface Settings Dialog Box
• Add VPND Group Dialog Box
• PPPoE Users Dialog Box
Field Reference
Table K-26 ASA 5505 Ports and Interfaces Page
Element | Description
Hardware Ports Tab
Hardware Port | Identifies the switch port.
Enabled | Indicates whether this switch port is enabled or not (Yes or No).
Associated VLANs | Shows the VLAN or VLANs that are associated with this port.
Associated Interface Names | Shows the interface name of the VLAN(s) that are associated with this port.
Mode | Shows the mode for this port:
  • Access Port—Port is in access mode.
  • Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not carry one of the VLAN tags configured for the port.
Protected | Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
Interfaces Tab
Name | Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.
IP Address Type | Specifies the method by which the IP address is provided. Valid options are:
  • static—Identifies that the IP address is manually defined.
  • dhcp—Identifies that the IP address is obtained via a DHCP lease.
  • pppoe—Identifies that the IP address is obtained using PPPoE.
IP Address | Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.
Block Traffic To | Displays the interface to which traffic is blocked.
Backup Interface | Displays the interface that acts as backup for this interface.
Interface Role | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.
  Valid options include:
  • All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.
  • Internal—Indicates this interface is a member of the default role associated with all inside interfaces.
  • External—Indicates this interface is a member of the default role associated with all outside interfaces.
  For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-61.
Enabled | Indicates if the interface is enabled (Yes or No).
Vlan ID | Identifies the VLAN ID for this interface.
Security Level | Displays the interface security level between 0 and 100.
Management Only | Indicates whether the interface is restricted to management traffic, that is, traffic destined to the security appliance itself (Yes or No).
MTU | Displays the MTU. By default, the MTU is 1500.
Description | Displays a description of the interface.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Configure Hardware Ports Dialog Box
Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505, including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.
Caution The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore, you must ensure that any connection with the appliance does not end up in a network loop.
Navigation Path
You can access the Configure Hardware Ports dialog box from the Hardware Ports tab of the ASA 5505 Interfaces page. For more information about this page, see ASA 5505 Ports and Interfaces Page.
Related Topics
• Configuring Firewall Device Interfaces, page 15-2
• ASA 5505 Ports and Interfaces Page
• Add/Edit Interface Dialog Box (PIX/ASA)
• Advanced Interface Settings Dialog Box
• Add VPND Group Dialog Box
• PPPoE Users Dialog Box
Field Reference
Table K-27 Configure Hardware Ports Dialog Box
Element | Description
Enable Interface | Select to enable this switch port.
Isolated | Select this option to prevent this port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, if you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Isolated option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
Hardware Port | Choose the switch port that you are configuring.
Mode | Choose a mode for this port:
  • Access Port—Sets the port to access mode. Access ports can be assigned to one VLAN.
  • Trunk Port—Sets the port to trunk mode using 802.1Q tagging, so the port can carry multiple VLANs. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the appliance drops all packets that do not carry one of the VLAN tags configured for the port.
VLAN ID | Enter the VLAN ID(s) according to the chosen Mode:
  • Access Port mode—Enter the VLAN ID to which you want to assign this switch port.
  • Trunk Port mode—Enter the VLAN IDs to which you want to assign this switch port, separated by commas.
Duplex | Lists the duplex options for the port, including Full, Half, or Auto. The Auto setting is the default.
  If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Speed | Choose a speed for the port:
  • auto (default)
  • 10
  • 100
  If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
Bridging
This section discusses the following pages:
• ARP Table Page
• ARP Inspection Page
• MAC Address Table Page
• MAC Learning Page
• Management IP Page
ARP Table Page
Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identify the interface through which the host is reached.
Navigation Path
• (Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Add/Edit ARP Configuration Dialog Box
• Bridging
• ARP Inspection Page
• MAC Address Table Page
• MAC Learning Page
• Management IP Page
Field Reference
Table K-28 ARP Table Page
Element | Description
Timeout (seconds) | The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds.
  Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout if the host information changes frequently.
  Note The timeout applies to the dynamic ARP table, and not the static entries contained in the ARP table.
ARP Table
Interface | The interface to which the host is attached.
IP Address | The IP address of the host.
MAC Address | The MAC address of the host.
Alias Enabled | Indicates whether the security appliance performs proxy ARP for this mapping. If this setting is enabled and the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address specified in this entry. This feature is useful, for example, if you have devices that do not perform ARP.
  Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Add/Edit ARP Configuration Dialog Box
Use the Add/Edit ARP Configuration dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.
Navigation Path
You can access the Add/Edit ARP Configuration dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page.
Related Topics
• Bridging
• ARP Table Page
Field Reference
Table K-29 Add/Edit ARP Configuration dialog box
Element | Description
Interface | The name of the interface to which the host network is attached.
IP Address | The IP address of the host.
MAC Address | The MAC address of the host; for example, 00e0.1e4e.3d8b.
Enable Alias | When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address specified in this entry. This feature is useful, for example, if you have devices that do not perform ARP.
  Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.
ARP Inspection Page
Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.
Navigation Path
• (Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Add/Edit ARP Inspection Dialog Box
• Bridging
• ARP Table Page
• MAC Address Table Page
• MAC Learning Page
• Management IP Page
Field Reference
Table K-30 ARP Inspection Page
Element | Description
ARP Inspection Table
Interface | The name of the interface to which the ARP inspection setting applies.
ARP Inspection Enabled | Indicates whether ARP inspection is enabled on the specified interface.
Flood Enabled | Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If this option is not enabled, all non-matching packets are dropped.
  Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Add/Edit ARP Inspection Dialog Box
Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.
Navigation Path
You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page.
Related Topics
• Bridging
• ARP Inspection Page
Field Reference
Table K-31 Add/Edit ARP Inspection dialog box
Element | Description
Interface | The name of the interface for which you are enabling or disabling ARP inspection.
Enable ARP Inspection on this interface | When selected, enables ARP inspection on the specified interface.
Flood ARP packets | When selected, packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.
  Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
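The forward/drop/flood decision that the ARP Inspection page and this dialog box describe, as an added example that is not Cisco's code: static entries from the ARP Table, a per-interface inspect/flood policy, a full triple match to forward, a partial match (sender IP or MAC known from a static entry but the triple differs) to drop, and flooding only when enabled and never from the management interface. Interface names, addresses and packets are constructed sample values, and treating "sender IP or MAC already in a static entry" as the mismatch case is this example's interpretation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco's code: models the ARP inspection decision for a
# transparent firewall interface. All names and addresses are constructed.


@dataclass(frozen=True)
class StaticArpEntry:
    interface: str
    ip: str
    mac: str                 # 12 lowercase hex digits, see normalize_mac()


@dataclass(frozen=True)
class ArpInspectionPolicy:
    enabled: bool = False    # "Enable ARP Inspection on this interface"
    flood: bool = False      # "Flood ARP packets"


@dataclass(frozen=True)
class ArpPacket:
    ingress: str             # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Accept 00e0.1e4e.3d8b, 00:e0:1e:4e:3d:8b or 00-e0-1e-4e-3d-8b."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class ArpInspector:
    def __init__(self, interfaces: List[str], mgmt_interface: Optional[str] = None):
        self.interfaces = list(interfaces)
        self.mgmt = mgmt_interface
        self.static: List[StaticArpEntry] = []
        # Inspection is off on every interface until a policy is set.
        self.policy: Dict[str, ArpInspectionPolicy] = {
            i: ArpInspectionPolicy() for i in interfaces
        }

    def add_static(self, interface: str, ip: str, mac: str) -> None:
        self.static.append(StaticArpEntry(interface, ip, normalize_mac(mac)))

    def set_policy(self, interface: str, enabled: bool, flood: bool) -> None:
        self.policy[interface] = ArpInspectionPolicy(enabled, flood)

    def handle(self, pkt: ArpPacket) -> Tuple[str, List[str]]:
        """Return (action, egress interfaces); action is 'forward', 'flood' or 'drop'."""
        mac = normalize_mac(pkt.sender_mac)
        others = [i for i in self.interfaces if i != pkt.ingress]
        if not self.policy[pkt.ingress].enabled:
            return "forward", others          # not inspected: bridged like any frame
        for entry in self.static:
            if (entry.ip, entry.mac, entry.interface) == (pkt.sender_ip, mac, pkt.ingress):
                return "forward", others      # IP, MAC and interface all match
        # Sender IP or MAC is known from a static entry but the triple did not
        # match: the "mismatch" case, dropped regardless of the flood setting.
        if any(e.ip == pkt.sender_ip or e.mac == mac for e in self.static):
            return "drop", []
        # No element matches: flood only if enabled, and the dedicated
        # management interface never floods (interpreted here as: packets
        # arriving on it are not flooded).
        if self.policy[pkt.ingress].flood and pkt.ingress != self.mgmt:
            return "flood", others
        return "drop", []


def demo() -> Dict[str, str]:
    """Constructed scenario: one static host on inside, flood enabled on outside only."""
    fw = ArpInspector(["inside", "outside", "management"], mgmt_interface="management")
    fw.add_static("inside", "10.1.1.10", "00e0.1e4e.3d8b")
    fw.set_policy("inside", enabled=True, flood=False)
    fw.set_policy("outside", enabled=True, flood=True)
    fw.set_policy("management", enabled=True, flood=True)
    cases = {
        "legit": ArpPacket("inside", "10.1.1.10", "00e0.1e4e.3d8b"),
        "spoofed_mac": ArpPacket("inside", "10.1.1.10", "0000.0c00.beef"),
        "wrong_interface": ArpPacket("outside", "10.1.1.10", "00e0.1e4e.3d8b"),
        "unknown_no_flood": ArpPacket("inside", "10.1.1.99", "0000.0c00.0099"),
        "unknown_flood": ArpPacket("outside", "192.0.2.5", "0000.0c00.0005"),
        "unknown_from_mgmt": ArpPacket("management", "192.0.2.6", "0000.0c00.0006"),
    }
    return {name: fw.handle(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18s} -> {action}")
```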
MAC Address Table Page
Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.
Navigation Path
• (Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Add/Edit MAC Table Entry Dialog Box
• Bridging
• ARP Table Page
• ARP Inspection Page
• MAC Learning Page
• Management IP Page
Field Reference
Table K-32 MAC Address Table Page
Element | Description
Aging Time (minutes) | Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.
MAC Address Table
Interface | The interface to which the MAC address is associated.
MAC Address | The MAC address; for example, 00e0.1e4e.3d8b.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Add/Edit MAC Table Entry Dialog Box
Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.
Navigation Path
You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page.
Related Topics
• Bridging
• MAC Address Table Page
Field Reference
Table K-33 Add/Edit MAC Table Entry dialog box
Element | Description
Interface | The interface to which the MAC address is associated.
MAC Address | The MAC address; for example, 00e0.1e4e.3d8b.
MAC Learning Page
Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.
Navigation Path
• (Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Add/Edit MAC Learning Dialog Box
• Bridging
• ARP Table Page
• ARP Inspection Page
• MAC Address Table Page
• Management IP Page
Field Reference
Table K-34 MAC Learning Page
Element | Description
MAC Learning Table
Interface | The interface to which the MAC learning setting applies.
MAC Learning Enabled | Indicates whether the security appliance learns MAC addresses from traffic entering the interface.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Add/Edit MAC Learning Dialog Box
Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.
Navigation Path
You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page.
Related Topics
• Bridging
• MAC Learning Page
Field Reference
Table K-35 Add/Edit MAC Learning dialog box
Element | Description
Interface | The interface to which the MAC learning setting applies.
MAC Learning Enabled | When selected, the security appliance learns MAC addresses from traffic entering the interface.
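The behaviour the MAC Address Table page and the MAC Learning page describe, as an added example that is not Cisco's code: a table of static entries that never age out, dynamic entries learned from the source address of frames entering an interface with learning enabled, and an aging time constrained to 5 through 720 minutes. Interface names and MAC addresses are constructed sample values; that a static entry is never overwritten by learning is this example's assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not Cisco's code: a model of the transparent-firewall MAC
# address table with static entries, per-interface learning and aging.
# Time is passed in explicitly (in minutes) so the aging rule can be checked
# without waiting.


def normalize_mac(mac: str) -> str:
    """Accept 00e0.1e4e.3d8b, 00:e0:1e:4e:3d:8b or 00-e0-1e-4e-3d-8b."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class MacEntry:
    interface: str
    learned_at: Optional[float]   # None marks a static entry, which never ages out


class MacAddressTable:
    def __init__(self, interfaces: List[str], aging_minutes: int = 5):
        # Page: aging time is between 5 and 720 minutes, default 5.
        if not 5 <= aging_minutes <= 720:
            raise ValueError("aging time must be between 5 and 720 minutes")
        self.aging = aging_minutes
        # Page: by default every interface learns MAC addresses of entering traffic.
        self.learning: Dict[str, bool] = {i: True for i in interfaces}
        self.table: Dict[str, MacEntry] = {}

    def set_learning(self, interface: str, enabled: bool) -> None:
        self.learning[interface] = enabled

    def add_static(self, interface: str, mac: str) -> None:
        self.table[normalize_mac(mac)] = MacEntry(interface, None)

    def expire(self, now_minutes: float) -> int:
        """Remove dynamic entries older than the aging time; return how many."""
        stale = [m for m, e in self.table.items()
                 if e.learned_at is not None and now_minutes - e.learned_at >= self.aging]
        for m in stale:
            del self.table[m]
        return len(stale)

    def observe(self, ingress: str, src_mac: str, now_minutes: float) -> bool:
        """A frame with source src_mac enters ingress. Learn it (or refresh the
        dynamic entry) when learning is enabled on that interface; return True
        if the table was updated."""
        self.expire(now_minutes)
        mac = normalize_mac(src_mac)
        if not self.learning[ingress]:
            return False                      # learning disabled: nothing recorded
        current = self.table.get(mac)
        if current is not None and current.learned_at is None:
            return False                      # assumption: static entry is authoritative
        self.table[mac] = MacEntry(ingress, now_minutes)
        return True

    def egress_for(self, dst_mac: str, now_minutes: float) -> Optional[str]:
        """Interface out of which a frame to dst_mac is sent, or None if unknown.
        With learning disabled and no static entries this is always None, which is
        the page's "no traffic can pass" case."""
        self.expire(now_minutes)
        entry = self.table.get(normalize_mac(dst_mac))
        return entry.interface if entry else None


if __name__ == "__main__":
    t = MacAddressTable(["inside", "outside"], aging_minutes=5)
    t.observe("inside", "00e0.1e4e.3d8b", 0.0)
    print("at 4 min:", t.egress_for("00e0.1e4e.3d8b", 4.0))   # inside
    print("at 5 min:", t.egress_for("00e0.1e4e.3d8b", 5.0))   # None, aged out
```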
Management IP Page
Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.
Navigation Path
• (Device view) Select Platform > Bridging > Management IP from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Bridging
• ARP Table Page
• ARP Inspection Page
• MAC Address Table Page
• MAC Learning Page
Field Reference
Table K-36 Management IP Page
Element | Description
Management IP Address | The management IP address.
Subnet Mask | The subnet mask that corresponds to the management IP address.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
AAA Page
This page includes tabs for configuring authentication, authorization, and accounting:
• Authentication Tab
• Authorization Tab
• Accounting Tab
Navigation Path
• (Device view) Select Platform > Device Admin > AAA from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.
Authentication Tab
Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.
Navigation Path
You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
• Configuring AAA, page 15-29
• Authorization Tab
• Accounting Tab
Field Reference
Table K-37 Authentication Tab
Element | Description
Require AAA Authentication to allow use of privileged mode commands
Enable | Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.
Server Group | Provides a drop-down menu from which you can choose a server group to force AAA authentication.
Use LOCAL when server group fails | Uses the LOCAL server group if the selected server group fails.
Require AAA Authorization for the following types of connections
Connection type | Specify the connection types that require authorization:
  • HTTP—Require AAA authentication when you start an HTTPS connection to the firewall console.
  • Serial—Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.
  • SSH—Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.
  • Telnet—Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.
Server Group | Specify the server group to use for authorization.
Use LOCAL when server group fails | Uses the LOCAL server group if the selected server group fails.
Authentication Prompts
Login Prompt | Enter the prompt a user will see when logging in to the security appliance.
User Accepted Message | Enter the message a user will see when successfully authenticated by the security appliance.
User Rejected Message | Enter the message a user will see when authentication by the security appliance fails.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Authorization Tab
The Authorization tab allows you to configure authorization for accessing firewall commands.
Navigation Path
You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
• Configuring AAA, page 15-29
• Authentication Tab
• Accounting Tab
Field Reference
Table K-38 Authorization Tab
Element | Description
Enable Authorization for Command Access | Requires authorization for accessing firewall commands.
Server Group | Specify the server group to use for authorization.
Use LOCAL when server group fails | Uses the LOCAL server group if the selected server group fails.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Accounting Tab
Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.
Navigation Path
You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page.
Related Topics
• Configuring AAA, page 15-29
• Authentication Tab
• Authorization Tab
Field Reference
Table K-39 Accounting Tab
Element | Description
Require AAA Accounting for privileged commands
Enable | When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.
Server Group | Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
Require AAA Accounting for the following types of connections
Connection type | Specify the connection types that will generate accounting records:
  • HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.
  • Serial—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.
  • SSH—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.
  • Telnet—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.
Server Group | Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
Require Accounting for command access
Enable | When selected, enables the generation of accounting records for commands entered by an administrator/user.
Server Group | Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.
Privilege Level | Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Banner Page
Use the Banner page to configure message of the day, login and session banners.
Navigation Path
• (Device view) Select Platform > Device Admin > Banner from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Server Access
Field Reference
Table K-40 Banner Page
Element | Description
Session(exec) Banner | Enter text that you want the system to display as a banner before displaying the enable prompt.
  Note The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
Login Banner | Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet.
  Note The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
Message-of-the-Day (motd) Banner | Enter text that you want the system to display as a message-of-the-day banner.
  Note The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Boot Image/Configuration Page
Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.
Navigation Path
• (Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Configuring Boot Image and Configuration Settings, page 15-33
• Images Dialog Box
Field Reference
Table K-41 Boot Image/Configuration Page
Element | Description
Boot Config Location | The configuration file to use when the system is loaded. Use the following syntax:
  • disk0:/[path/]filename
    Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.
  • disk1:/[path/]filename
    Indicates the external Flash card.
  • flash:/[path/]filename
ASDM Image Location | The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:
  • disk0:/[path/]filename
    Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.
  • disk1:/[path/]filename
    Indicates the external Flash card.
  • flash:/[path/]filename
  • tftp://[user[:password]@]server[:port]/[path/]filename
Boot Images Table
No. | Identifies the number of the boot image.
Images | Identifies the path and name of the boot image.
Save button | Saves your changes to the server but keeps them private.
  Note To publish your changes, click the Submit button on the toolbar.
Images Dialog Box
Use the Images dialog box to add a boot image entry to the boot order list.
Navigation Path
You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page.
Related Topics
•
Configuring Boot Image and Configuration Settings, page 15-33
•
Boot Image/Configuration Page
Field Reference
Table K-42 Images Dialog Box
Element
|
Description
|
Image File
|
Enter the path and name of the image file to add to the boot order list. See the following syntax:
• disk0:/[path/]filename
This option is available only for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.
• disk1:/[path/]filename
This option is available only for the ASA platform, and indicates the external Flash card.
• flash:/[path/]filename
• tftp://[user[:password]@]server[:port]/[path/]filename
|
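A parser for the image and configuration location syntax listed in the three tables above (Boot Config Location, ASDM Image Location and Image File), written as an added example; it is not part of Security Manager or the Cisco documentation. It accepts the disk0:/, disk1:/, flash:/ and tftp://[user[:password]@]server[:port]/ forms exactly as described, treats flash as the alias of disk0, and reports the review points a practitioner wants flagged: a TFTP location is fetched over an unauthenticated, unencrypted protocol, and a password written into the URL is visible wherever that location string is shown. Sample locations in the test are constructed.

```python
"""Parse the boot/ASDM image location syntax from the tables above.

Added example, not Cisco code. Forms handled:
  disk0:/[path/]filename  and  flash:/[path/]filename  (flash aliases disk0)
  disk1:/[path/]filename
  tftp://[user[:password]@]server[:port]/[path/]filename
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_LOCAL_RE = re.compile(r"^(?P<dev>disk0|disk1|flash):/(?P<path>.*)$")
_TFTP_RE = re.compile(
    r"^tftp://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"  # optional user[:password]@
    r"(?P<server>[^:/]+)"                                  # host name or IP address
    r"(?::(?P<port>\d{1,5}))?"                             # optional :port
    r"/(?P<path>.*)$"                                      # /[path/]filename
)


@dataclass
class ImageLocation:
    scheme: str            # "disk0", "disk1" or "tftp"
    filename: str
    path: str              # directory part, "" when the file sits at the root
    server: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    has_password: bool = False   # a credential is embedded in the URL itself


def _split_path(rest: str):
    """Split '[path/]filename' into (path, filename); a filename is mandatory."""
    rest = rest.strip()
    if not rest or rest.endswith("/"):
        raise ValueError("a filename is required after the device or server")
    if "/" in rest:
        path, filename = rest.rsplit("/", 1)
        return path, filename
    return "", rest


def parse_image_location(text: str) -> ImageLocation:
    """Parse one location string; raise ValueError for anything outside the syntax."""
    text = text.strip()
    m = _LOCAL_RE.match(text)
    if m:
        dev = "disk0" if m.group("dev") == "flash" else m.group("dev")
        path, filename = _split_path(m.group("path"))
        return ImageLocation(dev, filename, path)
    m = _TFTP_RE.match(text)
    if m:
        port = int(m.group("port")) if m.group("port") else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        path, filename = _split_path(m.group("path"))
        return ImageLocation("tftp", filename, path, m.group("server"), port,
                             m.group("user"), m.group("password") is not None)
    raise ValueError(f"unrecognised image location: {text!r}")


def review_location(loc: ImageLocation) -> List[str]:
    """Return the findings a reviewer of this setting would want to see."""
    findings = []
    if loc.scheme == "tftp":
        findings.append("TFTP transfers are neither authenticated nor encrypted")
        if loc.has_password:
            findings.append("the password is part of the URL and is visible "
                            "wherever this location string is displayed")
    return findings
```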
Clock Page
The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.
To dynamically set the time using an NTP server, see Configuring NTP Settings, page 15-58; time derived from an NTP server overrides any time set manually on the Clock page.
Navigation Path
•
(Device view) Select Platform > Device Admin > Clock from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring Clock Settings, page 15-34
•
Configuring NTP Settings, page 15-58
•
NTP Page
Field Reference
Table K-43 Clock Page
Element
|
Description
|
Device Time Zone
|
Select the time zone for the device from the list.
|
Daylight Savings Time (Summer Time)
|
Select whether daylight savings time is used and, if so, which method specifies when daylight savings time applies:
None—Disables daylight savings time on the security appliance.
Set by Date—Select this option to specify the date and time when daylight savings time begins and ends for a specific year. If you use this option, you need to reset the dates every year.
Set Recurring—Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.
|
Set by Date
|
Date (Begin/End)
|
Enter the date on which daylight savings time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.
|
Hour (Begin/End)
|
Select the hour, from 00 to 23, in which daylight savings time begins and the hour in which it ends.
|
Minute (Begin/End)
|
Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.
|
Set Recurring
|
Specify Recurring Time
|
Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.
|
Month (Begin/End)
|
Select the month in which daylight savings time begins and the month in which it ends.
|
Week (Begin/End)
|
Select the week of the month in which daylight savings time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. For example, if the day might fall in the partial fifth week, specify "last".
|
Weekday (Begin/End)
|
Select the day on which daylight savings time begins and the day on which it ends.
|
Hour (Begin/End)
|
Select the hour, from 0 to 23, in which daylight savings time begins and the hour in which it ends.
|
Minute (Begin/End)
|
Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
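The Set Recurring fields above (month, week, weekday, hour, minute for begin and end) describe a rule; this added example, not part of Security Manager, resolves such a rule to the actual transition datetimes for a given year and decides whether a timestamp falls inside the daylight savings range. It implements the week semantics in the Week (Begin/End) row: 1 through 5, first or last, and raises an error for a numeric week 5 that does not exist in that month and year, the partial-fifth-week case for which the table recommends "last". The field names passed as keyword arguments are the example's own.

```python
"""Resolve a 'Set Recurring' daylight savings rule to concrete datetimes.

Added example, not Cisco code.
"""
import calendar
from datetime import date, datetime, timedelta
from typing import Union

WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}
# Accept full month names and the MMM abbreviations used on the Set by Date row.
MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_name) if name}
MONTHS.update({name.lower(): i for i, name in enumerate(calendar.month_abbr) if name})


def recurring_transition(year: int, month: Union[str, int], week: Union[str, int],
                         weekday: str, hour: int = 0, minute: int = 0) -> datetime:
    """Return the begin or end datetime for one Set Recurring specification.

    week is 1-5, "first" or "last"; weekday is a name such as "Sunday".
    """
    month_no = MONTHS[month.lower()] if isinstance(month, str) else int(month)
    wd = WEEKDAYS[weekday.lower()]
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour must be 0-23 and minute 00-59")
    days_in_month = calendar.monthrange(year, month_no)[1]
    if week == "last":
        # Walk back from the last day of the month to the wanted weekday.
        last_dom = date(year, month_no, days_in_month)
        day = last_dom - timedelta(days=(last_dom.weekday() - wd) % 7)
    else:
        n = 1 if week == "first" else int(week)
        if not 1 <= n <= 5:
            raise ValueError("week must be 1-5, 'first' or 'last'")
        first_dom = date(year, month_no, 1)
        first = first_dom + timedelta(days=(wd - first_dom.weekday()) % 7)
        day = first + timedelta(days=7 * (n - 1))
        if day.month != month_no:
            # The fifth week is partial this year and has no such weekday:
            # the table above recommends specifying "last" instead.
            raise ValueError(f"{weekday} does not occur {n} times in "
                             f"{month} {year}; use week 'last'")
    return datetime(year, month_no, day.day, hour, minute)


def dst_in_effect(dt: datetime, begin: dict, end: dict) -> bool:
    """True when dt lies in the daylight savings range for its own year.

    begin and end are dicts with keys month, week, weekday and optionally
    hour and minute, mirroring the Begin/End columns of the Set Recurring rows.
    """
    start = recurring_transition(dt.year, **begin)
    stop = recurring_transition(dt.year, **end)
    if start <= stop:
        return start <= dt < stop
    # A range that wraps the new year (begin late in the year, end early).
    return dt >= start or dt < stop
```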
Credentials Page
Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.
Navigation Path
•
(Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring Contact Credentials, page 15-35
•
User Accounts Page
Field Reference
Table K-44 Contact Credentials Page
Element
|
Description
|
Username
|
Specifies the user name for logging in to the device.
|
Password
|
Specifies the password for logging in to the device.
|
Confirm
|
Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.
|
Privilege Level
|
Specifies the privilege level of the user logging in to the device.
|
Enable Password
|
Specifies the new enable password for the device.
|
Confirm
|
Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.
|
Telnet/SSH Password
|
Specifies the new login password for the device.
|
Confirm
|
Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
CPU Threshold Page
Use the CPU Threshold Page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.
Navigation Path
•
(Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring SNMP, page 15-41
•
SNMP Page
•
SNMP Trap Configuration Dialog Box
Field Reference
Table K-45 CPU Threshold Page
Element
|
Description
|
CPU Rising Threshold Percentage
|
Enter the percentage of CPU usage above which you want to receive a notification. If the CPU utilization percentage is equal to or above this value for the duration specified in the CPU Monitoring Period field then a notification will be sent.
|
CPU Monitoring Period (seconds)
|
Enter the number of seconds that the percentage of CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
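The two fields above define the notification condition: CPU usage equal to or above the rising threshold for the whole monitoring period. This added example (not part of Security Manager or the appliance) evaluates that condition over a constructed series of utilization samples, so you can see that a short spike below the period length does not notify, that a value exactly equal to the threshold counts, and that the condition re-arms only after usage drops below the threshold.

```python
"""Evaluate the CPU rising-threshold condition over utilization samples.

Added example, not Cisco code. Sample data is constructed.
"""
from typing import Iterable, List, Tuple

# Constructed samples: (seconds since start, CPU utilization percent).
# Taken every 10 seconds; the 60-second mark is exactly at the threshold.
SAMPLES: List[Tuple[int, int]] = [
    (0, 20), (10, 85), (20, 90), (30, 95), (40, 88), (50, 91), (60, 80),
    (70, 86), (80, 90), (90, 40),          # drops below: condition re-arms
    (100, 85), (110, 90), (120, 70),       # 20-second spike, no notification
    (130, 95), (140, 92), (150, 97), (160, 90), (170, 88), (180, 93), (190, 99),
]


def cpu_threshold_notifications(samples: Iterable[Tuple[int, float]],
                                rising_threshold: float,
                                monitoring_period: int) -> List[int]:
    """Return the sample times at which a notification would be sent.

    A notification is sent once utilization has been at or above
    rising_threshold continuously for monitoring_period seconds. It is sent
    once per excursion; a new one requires usage to fall below the threshold
    first. Input validation ranges are this example's own assumptions.
    """
    if not 0 <= rising_threshold <= 100:
        raise ValueError("rising_threshold is a percentage, 0-100")
    if monitoring_period <= 0:
        raise ValueError("monitoring_period must be a positive number of seconds")

    notifications: List[int] = []
    above_since = None      # time at which the current excursion began
    notified = False        # a notification was already sent for this excursion
    last_ts = None
    for ts, pct in samples:
        if last_ts is not None and ts < last_ts:
            raise ValueError("samples must be in time order")
        last_ts = ts
        if pct >= rising_threshold:                 # "equal to or above"
            if above_since is None:
                above_since = ts
            if not notified and ts - above_since >= monitoring_period:
                notifications.append(ts)
                notified = True
        else:
            above_since = None
            notified = False
    return notifications


if __name__ == "__main__":
    # Threshold 80 percent, monitoring period 60 seconds: notifies at 70 and 190.
    print(cpu_threshold_notifications(SAMPLES, 80, 60))
```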
Device Access
The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:
•
Console Page
•
HTTP Page
•
ICMP Page
•
Management Access Page
•
Secure Shell Page
•
SNMP Page
•
Telnet Page
Console Page
Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Device Access
Field Reference
Table K-46 Console Page
Element
|
Description
|
Console Timeout (minutes)
|
Number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
HTTP Page
The HTTP page provides a table that specifies the addresses of all the hosts or networks that are allowed access to the firewall device using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.
The HTTP page also displays information about HTTP redirection and HTTPS user certificate requirements for interfaces on the firewall device. You can use this table to change the entries for HTTP redirection and HTTPS user certificate requirements.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Device Access
•
HTTP Configuration Dialog Box
Field Reference
Table K-47 HTTP Page
Element
|
Description
|
Enable HTTP Server
|
Enables or disables HTTPS access to the firewall device.
|
HTTP Interface Table
|
Interface
|
Lists the interface on the firewall device from which administrative access to the device manager is allowed.
|
Network
|
Lists the IP address and netmask, separated by a slash ("/"), of hosts or networks that are permitted to establish an HTTPS connection with the firewall device.
|
Authentication Certificate
|
Identifies if a user certificate is required to authenticate users who are establishing HTTPS connections.
|
Redirect Port
|
Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. If this column is empty, then HTTP redirect is disabled.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
HTTP Configuration Dialog Box
Use the HTTP Configuration dialog box to add a host or network that will be allowed administrative access to the firewall device manager over HTTPS.
Navigation Path
You can access the HTTP Configuration dialog box from the HTTP page. For more information about the HTTP page, see HTTP Page.
Related Topics
•
Device Access
•
HTTP Page
Field Reference
Table K-48 HTTP Configuration Dialog Box
Element
|
Description
|
Interface Name
|
Specifies the interface on the firewall device from which administrative access to the firewall device manager is allowed.
|
IP Address/Netmask
|
Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to establish an HTTPS connection with the firewall device.
|
Enable Authentication Certificate
|
Specifies whether user certificate authentication is required to establish an HTTPS connection.
|
Redirect port
|
Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank.
|
ICMP Page
The ICMP page provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device. You can use this table to add or change the hosts or networks that are allowed to or prevented from sending ICMP messages to the firewall device.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Right-click ICMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Device Access
•
Add and Edit ICMP Dialog Boxes
Field Reference
Table K-49 ICMP Page
Element
|
Description
|
ICMP Rules Table
|
Interface
|
Lists the interface on the security appliance from which ICMP access is allowed.
|
Action
|
Displays whether ICMP messages are permitted or denied from the specified network or host.
|
Network
|
Lists the IP address and netmask, separated by a "/", of hosts or networks that are allowed or denied access.
|
ICMP Service
|
Lists the type of ICMP message to which the rule applies.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add and Edit ICMP Dialog Boxes
Use the Add ICMP dialog box to add an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device.
Note
The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.
Navigation Path
You can access the Add or Edit ICMP dialog boxes from the ICMP page. For more information about the ICMP page, see ICMP Page.
Related Topics
•
Device Access
•
ICMP Page
Field Reference
Table K-50 Add and Edit ICMP Dialog Boxes
Element
|
Description
|
Action
|
Choose whether ICMP messages are permitted or denied on the specified network or host:
• Permit - ICMP messages from the specified host or network and interface are allowed.
• Deny - ICMP messages from the specified host or network and interface will be dropped.
|
ICMP Service
|
Enter or Select the type of ICMP service message to which the rule applies.
|
Interface
|
Enter or Select the interface on the firewall device from which ICMP access is allowed.
|
Network
|
Enter the IP address and netmask, separated by a slash (/), of the host or network that is allowed or denied access. You also can Select a Network/Host object.
|
Management Access Page
The Management Access page lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the firewall device. Use this feature if VPN is configured on the firewall device and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the firewall device securely from home using the VPN client.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Right-click Management Access to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Device Access
Field Reference
Table K-51 Management Access Page
Element
|
Description
|
Management Access Interface
|
Name of firewall device interface that permits management access connections. You can click Select to select the interface from a list of interface objects.
You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time. Clear the Management Access Interface field to disable management access.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Secure Shell Page
Use the Secure Shell page to configure rules that permit only specific hosts or networks to connect to a firewall device for administrative access using the SSH protocol.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring Secure Shell, page 15-40
•
Device Access
•
Add and Edit SSH Host Dialog Boxes
Field Reference
Table K-52 Secure Shell Page
Element
|
Description
|
Enable Secure Copy Server
|
Select this check box to enable the secure copy server on the security appliance.
|
Allowed SSH Version(s)
|
Restricts the version of SSH accepted by the firewall device. By default, SSH Version 1 and SSH Version 2 connections are accepted.
|
Timeout (minutes)
|
Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the firewall device closes it.
|
Secure Shell Access Rule table
|
Interface
|
Displays the name of the firewall device interface that will permit SSH connections.
|
Network
|
Displays the IP address and netmask of each host or network permitted to connect to this security appliance through the specified interface.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Add and Edit SSH Host Dialog Boxes
Use the Add Host dialog box to add an SSH access rule.
Note
The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.
Navigation Path
You can access the Add and Edit Host dialog boxes from the Secure Shell page. For more information about the Secure Shell page, see Secure Shell Page.
Related Topics
•
Configuring Secure Shell, page 15-40
•
Device Access
•
Secure Shell Page
Field Reference
Table K-53 Add and Edit Host Dialog Boxes
Element
|
Description
|
Interface
|
Enter or Select the name of the device interface that permits SSH connections.
|
IP Address
|
Enter or Select the IP address of the host or network that is permitted to establish an SSH connection with the security device.
|
SNMP Page
The SNMP page lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring SNMP, page 15-41
•
Device Access
•
SNMP Trap Configuration Dialog Box
•
Add SNMP Host Access Entry Dialog Box
Field Reference
Table K-54 SNMP Page
Element
|
Description
|
Password (Community String)
|
Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
System Administrator Name
|
Enter the name of the firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
|
Location
|
Specify the firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
|
Port (PIX 7.x and ASA only)
|
Specify the port on which incoming requests will be accepted.
|
Configure Traps button
|
Click to open the SNMP Trap Configuration dialog box from which you can configure SNMP trap settings.
|
SNMP Hosts Table
|
Interface
|
Identifies the interface on which the SNMP management station resides.
|
IP Address
|
Identifies the IP address of the SNMP management station.
|
Community String
|
Identifies the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
SNMP Version
|
Identifies the version of SNMP set on the management station.
|
Poll/Trap
|
Displays the method for communicating with this management station: poll only, trap only, or both trap and poll.
• Poll—Firewall device waits for a periodic request from the management station.
• Trap—Sends syslog events when they occur.
|
UDP Port
|
Specifies the UDP port for the SNMP host. The default value is 162 for the SNMP host UDP port.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
SNMP Trap Configuration Dialog Box
Use the SNMP Trap Configuration dialog box to configure trap settings.
Traps are different from browsing; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.
An SNMP object ID (OID) for the security appliance is displayed in SNMP event traps sent from the security appliance. Firewall devices provide the system OID both in SNMP event traps and in the SNMP mib-2.system.sysObjectID object.
The SNMP service running on a firewall device performs two different functions:
•
Replies to SNMP requests from management stations (also known as SNMP clients).
•
Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.
Cisco firewall devices support three types of traps:
•
firewall
•
generic
•
syslog
Navigation Path
You can access the SNMP Trap Configuration dialog box from the SNMP page. See SNMP Page for more information.
Related Topics
•
Configuring SNMP, page 15-41
•
Device Access
•
SNMP Page
•
Add SNMP Host Access Entry Dialog Box
Field Reference
Table K-55 SNMP Trap Configuration Dialog Box
Element
|
Description
|
Standard SNMP Traps (PIX 7.x, ASA and FWSM only)
|
Select the standard SNMP traps you want sent:
• Authentication—Enables authentication standard trap.
• Cold Start—Enables cold start standard trap.
• Link Up—Enables link up standard trap.
• Link Down—Enables link down standard trap.
|
Entity MIB Notifications (PIX 7.x and ASA only)
|
Select the Entity MIB Notifications that you want to enable:
• FRU Insert—Enables a trap notification when a Field Replaceable Unit (FRU) has been inserted.
• FRU Remove—Enables a trap notification when a Field Replaceable Unit (FRU) has been removed.
• Configuration Change—Enables a trap notification when there has been a hardware change.
|
IPsec Traps (PIX 7.x and ASA only)
|
Select the IPsec traps that you want to enable:
• Start—Enables a trap when IPsec starts.
• Stop—Enables a trap when IPsec stops.
|
Remote Access Traps (PIX 7.x and ASA only)
|
Select the Remote Access traps that you want to enable:
• Session Threshold Exceeded—Enables the firewall device to send traps when remote access sessions reach the defined limit.
|
Enable Syslog Traps
|
Enables or disables the sending of syslog messages to the SNMP management station.
|
Add SNMP Host Access Entry Dialog Box
Use the Add SNMP Host Access Entry dialog box to add SNMP management stations.
Navigation Path
You can access the Add SNMP Host Access Entry dialog box from the SNMP page. See SNMP Page for more information.
Related Topics
•
Device Access
•
SNMP Page
•
SNMP Trap Configuration Dialog Box
Field Reference
Table K-56 Add SNMP Host Access Entry Dialog Box
Element
|
Description
|
Interface Name
|
Select the interface on which the SNMP management station resides. You can click Select to select the interface from a list of interface objects.
|
IP Address
|
Enter the IP address of the SNMP management station. You can click Select to select the IP address from a list of IP address objects.
|
UDP Port
|
Enter the UDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port.
|
Community String
|
Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
|
SNMP Version
|
Select the version of SNMP set on the management station.
|
Server Poll/Trap Specification
|
Specify the method for communicating with this management station: poll only, trap only, or both trap and poll.
• Poll—Firewall device waits for a periodic request from the management station.
• Trap—Sends syslog events when they occur.
|
Telnet Page
Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.
Navigation Path
•
(Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.
•
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
•
Configuring Telnet, page 15-43
•
Device Access
•
Telnet Configuration Dialog Box
Field Reference
Table K-57 Telnet Page
Element
|
Description
|
Timeout (minutes)
|
Number of minutes a Telnet session can remain idle before the firewall device closes it. Values can range from 1 to 1440 minutes.
|
Telnet Access Table
|
Interface
|
Interface that receives Telnet packets from the client.
|
Network
|
The IP address and network mask of the host or network that can access the Telnet console on the firewall device.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Telnet Configuration Dialog Box
Use the Telnet Configuration dialog box to configure Telnet options for an interface.
Navigation Path
You can access the Telnet Configuration dialog box from the Telnet page. See Telnet Page for more information.
Related Topics
•
Configuring Telnet, page 15-43
•
Device Access
•
Telnet Page
Field Reference
Table K-58 Telnet Configuration Dialog Box
Element
|
Description
|
Interface Name
|
Select the interface that receives Telnet packets from the client. You can click Select to select the interface from a list of interface objects.
|
Network
|
Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to access the firewall device's Telnet console through the specified interface. Use a comma to separate entries for multiple networks or hosts. You can click Select to select the networks from a list of network objects.
Note To limit access to a single IP address, use 255.255.255.255 or 32 as the netmask. Do not use the subnetwork mask of the internal network.
|
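The Network fields on the HTTP, ICMP and Telnet pages all use the same "address/netmask" syntax, with comma-separated entries and, per the note above, either 255.255.255.255 or 32 to limit an entry to a single host. This added example (not part of Security Manager) parses that syntax and then reviews the resulting list the way an auditor of management-access rules would: it flags an entry that permits any address, an entry equal to the internal subnet the note warns against, and any entry wider than a host. The internal-subnet parameter and the sample entries are the example's own.

```python
"""Parse and review the 'address/netmask[, ...]' management-access syntax.

Added example, not Cisco code.
"""
import ipaddress
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network


def parse_network_field(text: str) -> List[Network]:
    """Parse 'addr/mask' entries separated by commas into IPv4Network objects.

    The mask may be a prefix length (32) or a dotted netmask
    (255.255.255.255). A bare address is treated as a single host, an
    assumption of this example rather than a documented behaviour.
    """
    networks: List[Network] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            addr, mask = (part.strip() for part in entry.split("/", 1))
        else:
            addr, mask = entry, "32"
        try:
            # strict=False lets "10.1.2.5/24" resolve to the network 10.1.2.0/24
            # instead of being rejected for having host bits set.
            networks.append(Network(f"{addr}/{mask}", strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid network entry {entry!r}: {exc}") from exc
    if not networks:
        raise ValueError("at least one host or network is required")
    return networks


def review_access_list(networks: List[Network],
                       internal_network: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (entry, finding) pairs for entries broader than a single host."""
    internal = Network(internal_network, strict=False) if internal_network else None
    findings: List[Tuple[str, str]] = []
    for net in networks:
        if net.prefixlen == 0:
            findings.append((str(net), "permits management access from any address"))
        elif internal is not None and net == internal:
            findings.append((str(net), "equals the internal subnet; the note above "
                                       "says to use a host mask instead"))
        elif net.prefixlen < 32:
            findings.append((str(net), f"permits {net.num_addresses} addresses; "
                                       "use a /32 or 255.255.255.255 mask for one host"))
    return findings


if __name__ == "__main__":
    # Constructed field value: one host in dotted-mask form, a whole subnet,
    # and one host in prefix form.
    field = "192.0.2.10/255.255.255.255, 10.1.0.0/16, 198.51.100.7/32"
    for entry, finding in review_access_list(parse_network_field(field), "10.1.0.0/16"):
        print(f"{entry}: {finding}")
```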
Failover Policies
This section discusses the pages that you use to configure failover for your firewall devices. The pages that are available for firewall configuration change depending on the type of firewall device you are configuring.
PIX 6.x Firewalls
•
Failover Page (PIX 6.x)
–
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
–
Bootstrap Configuration for LAN Failover Dialog Box
Firewall Services Modules
•
Failover Page (FWSM)
–
Advanced Settings Dialog Box
–
Add Interface MAC Address Dialog Box
–
Edit Failover Interface Configuration Dialog Box (FWSM)
–
Bootstrap Configuration for LAN Failover Dialog Box
Adaptive Security Appliances and PIX 7.0 Firewalls
•
Failover Page (ASA/PIX 7.x)
–
Settings Dialog Box
–
Add Failover Group Dialog Box
–
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
–
Add Interface MAC Address Dialog Box
–
Bootstrap Configuration for LAN Failover Dialog Box
Failover Page (PIX 6.x)
Use the Failover page to configure failover settings for a PIX 6.x Firewall.
Navigation Path
To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•
Failover Policies
•
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
•
Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table K-59 Failover Page (PIX 6.x)
Element
|
Description
|
Failover
|
Failover Method
|
Choose the type of failover link: Serial Cable or LAN Based.
|
Enable Failover
|
Check this box to enable failover on this device.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
Failover Poll Time
|
Specifies how long, in seconds, failover waits before deciding whether the other device is still available; the primary and standby devices check each other over all network interfaces and the failover cable. Values can range from 3 to 15 seconds; the default is 15.
|
LAN-Based Failover
|
Interface
|
Choose the interface to be used for LAN-based failover. If "Not Selected" is chosen, LAN-Based Failover is disabled.
|
Shared Key
|
Used to encrypt communication between primary and standby devices. Value can be any string.
|
Confirm
|
Re-enter the Shared Key.
|
Stateful Failover
|
Interface
|
Choose the interface to be used for Stateful Failover. If "Not Selected" is chosen, Stateful Failover is disabled.
Note You must choose a fast LAN link from the list (for example, 100full, 1000full, or 1000sxfull).
|
Enable HTTP Replication
|
Enables stateful failover to copy active HTTP sessions to standby PIX Firewall.
|
Failover Interface Table
|
Interface
|
Displays the name of the interface on the active firewall device to be used for communication with the standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.
|
Active IP Address
|
Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.
Tip You can use this IP address with the ping tool to check the status of the active device.
|
Standby IP Address
|
Displays the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.
Tip You can use this IP address with the ping tool to check the status of the standby device.
|
Active MAC Address
|
Displays the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Displays the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Edit Row button
|
Click to display the Edit Failover Interface Configuration dialog box.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for PIX 6.x devices.
Note
The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (PIX 6.x).
Related Topics
•
Failover Policies
•
Failover Page (PIX 6.x)
Field Reference
Table K-60 Edit Failover Interface Configuration Dialog Box (PIX 6.x)
Element
|
Description
|
Interface
|
Displays the name of the interface on the active firewall device to be used for communication with the standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.
|
Active IP Address
|
Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.
Tip  You can use this IP address with the ping tool to check the status of the active device.
|
Netmask
|
Displays the netmask of the active interface; the same mask applies to the standby address.
|
Standby IP Address
|
Specify the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.
Tip  You can use this IP address with the ping tool to check the status of the standby device.
|
Failover MAC Addresses
|
Active MAC Address
|
Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Failover Page (FWSM)
Use the Failover page to configure basic failover settings for FWSMs.
Navigation Path
To access this feature, select an FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•
Failover Policies
•
Advanced Settings Dialog Box
•
Edit Failover Interface Configuration Dialog Box (FWSM)
•
Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table K-61 Failover Page (FWSM)
Element
|
Description
|
Enable Failover
|
Specifies whether failover is enabled on this device.
You must configure the logical LAN failover interface and, optionally, the stateful failover interface.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
Configuration (FWSM 3.x only)
|
Active/Active option (FWSM 3.x only)
|
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.
To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
|
Active/Standby option (FWSM 3.x only)
|
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to security appliances in single mode or multiple mode.
|
Settings button
|
Click to display the Advanced Settings dialog box. See Advanced Settings Dialog Box for more information.
|
LAN Failover
|
VLAN
|
VLAN interface you are using for the failover link, for example, VLAN 11.
|
Logical Name
|
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Mask that corresponds with active and standby IP addresses.
|
State Failover
|
VLAN
|
VLAN interface you are using for the stateful failover link, for example, VLAN 12.
|
Logical Name
|
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Mask that corresponds with active and standby IP addresses.
|
Enable HTTP Replication check box
|
Enables stateful failover to copy active HTTP sessions to a standby firewall.
|
Suspend Configuration Synchronization
(FWSM 2.3 only)
|
When selected, configurations between the active and standby device are no longer synchronized.
Note You cannot disable this feature using the Security Manager user interface. To disable this feature after enabling it in Security Manager, issue the no failover suspend-config-sync command directly on the device, or use the FlexConfig feature. For more information on FlexConfigs, see Understanding FlexConfig Policies and Policy Objects, page 19-1.
|
Shared Key (FWSM 3.x only)
|
To encrypt and authenticate the communication between failover peers, specify a shared secret in the Shared Key field for the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair. The shared key can be from 1 to 63 characters and can be any combination of numbers, letters, or punctuation.
Caution  All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Advanced Settings Dialog Box
The Advanced Settings dialog box lets you configure additional failover settings for FWSMs.
Note
The following reference table presents all fields that can be presented in the Advanced Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.
Navigation Path
You can access the Advanced Settings dialog box by clicking the Settings button on the Failover page. See Failover Page (FWSM) for more information.
Related Topics
•
Failover Policies
•
Failover Page (FWSM)
•
Add Interface MAC Address Dialog Box
Field Reference
Table K-62 Advanced Settings Dialog Box
Element
|
Description
|
Interface Policy
|
Number of failed interfaces
|
When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.
|
Percentage of failed interfaces
|
When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.
|
Failover Poll Time
|
Unit Failover
|
The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.
|
Unit Hold Time
|
Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the Unit Failover value.
|
Monitored Interface
|
The amount of time between polls among interfaces. The range is between 3 and 15 seconds.
|
Management IP Address
|
Active
|
The management IP address of the active unit.
|
Netmask
|
The subnet mask for the Active and Standby addresses.
|
Standby
|
The management IP address on the standby unit, which must be on the same subnet as the Active IP address. You do not need to identify the Standby address subnet mask.
|
Failover Groups
|
Group table
|
This table lists failover groups on the device, with the following information:
• Group Number - Numeric identifier for the group.
• Preferred Role - Primary or Secondary.
• Preempt Enabled - True or false.
|
Edit row button
|
Click this button to edit the selected entry in the Failover Groups table; the Edit Failover Group dialog box opens.
|
Edit Failover Interface Configuration Dialog Box (FWSM)
Use the Edit Failover Interface Configuration dialog box to configure a failover interface for FWSMs.
Note
The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM).
Related Topics
•
Failover Policies
•
Failover Page (FWSM)
Field Reference
Table K-63 Edit Failover Interface Configuration Dialog Box (FWSM)
Element
|
Description
|
Interface Name
|
Identifies the interface name; not editable.
|
Active IP Address
|
Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.
|
Standby IP Address
|
Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
|
Monitor this interface for failure
|
Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
• Unknown—Initial status. This status can also mean the status cannot be determined.
• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface is administratively down.
• No Link—The physical link for the interface is down.
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
|
Failover Page (ASA/PIX 7.x)
Use the Failover page to configure basic failover settings for ASAs and PIX 7.x firewalls.
Navigation Path
To access this feature, select an ASA or PIX 7.x firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Related Topics
•
Failover Policies
•
Settings Dialog Box
•
Add Failover Group Dialog Box
•
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•
Add Interface MAC Address Dialog Box
•
Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table K-64 Failover Page (ASA/PIX 7.x)
Element
|
Description
|
Enable Failover
|
Specifies whether failover is enabled on this device.
You must configure the logical LAN failover interface and, optionally, the stateful failover interface.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
|
Configuration
|
Active/Active option
|
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.
To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
|
Active/Standby option
|
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to security appliances in single mode or multiple mode.
|
Settings button
|
Click to display the Settings dialog box. See Settings Dialog Box for more information.
|
LAN Failover
|
Interface
|
Interface you are using for the failover link.
|
Logical Name
|
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Netmask that corresponds with active and standby IP addresses.
|
Bootstrap button
|
Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box for more information.
|
State Failover
|
Interface
|
Interface you are using for the stateful failover link.
|
Logical Name
|
The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
|
Active IP Address
|
Specifies the IP address of the active interface.
|
Standby IP Address
|
Specifies the IP address of the standby interface.
|
Subnet Mask
|
Netmask that corresponds with active and standby IP addresses.
|
Enable HTTP Replication
|
When selected, enables stateful failover to copy active HTTP sessions to the standby firewall.
|
Shared Key
|
Shared secret used to encrypt and authenticate failover communication between the primary and standby units. Value can be any string. Without a key, all traffic on the failover and stateful failover links, including any VPN usernames, passwords, and preshared keys being replicated, is sent in clear text; configure a key whenever the appliance terminates VPN tunnels.
|
Save button
|
Saves your changes to the server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
|
Settings Dialog Box
The Settings dialog box lets you define criteria for when failover should occur on an ASA or PIX 7.x appliance.
Navigation Path
You can access the Settings dialog box by clicking the Settings button on the Failover page. For more information, see Failover Page (ASA/PIX 7.x).
Note
The following reference table presents all fields that can be presented in the Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.
Related Topics
•
Failover Policies
•
Failover Page (ASA/PIX 7.x)
•
Add Failover Group Dialog Box
•
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)
•
Add Interface MAC Address Dialog Box
•
Bootstrap Configuration for LAN Failover Dialog Box
Field Reference
Table K-65 Settings Dialog Box
Element
|
Description
|
Interface Policy
|
Number of failed interfaces
|
When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.
|
Percentage of failed interfaces
|
When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.
|
Failover Poll Time
|
Unit Failover
|
The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 200 and 999 milliseconds if the msec option is checked.
|
Unit Hold Time
|
Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds, or between 800 and 999 milliseconds if the msec option is checked. You cannot enter a value that is less than three times the Unit Failover value.
|
Monitored Interface
|
The amount of time between polls among interfaces. The range is between 3 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.
|
Interface Hold Time
|
Sets the time during which a data interface must receive a hello message, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
|
Failover Groups
|
Group Number
|
Specifies the failover group number. This number is used when assigning contexts to failover groups.
|
Preferred Role
|
Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
|
Preempt Enabled
|
Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.
|
Preempt Delay
|
Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.
|
Interface Policy
|
Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.
|
Interface Poll Time
|
Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.
|
Replicate HTTP
|
Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the Enable HTTP Replication setting on the Failover page.
|
MAC Address
|
Identifies the MAC address of the active interface.
|
MAC Address Mapping
|
Physical Interface
|
Specifies the physical interface for which failover virtual MAC addresses are configured.
|
Active MAC Address
|
Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).
|
Standby MAC Address
|
Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).
|
Monitor Interface Configuration
|
Interface Name
|
Displays the name of the interface.
|
Is Monitored
|
Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
• Unknown—Initial status. This status can also mean the status cannot be determined.
• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface is administratively down.
• No Link—The physical link for the interface is down.
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
|
Edit Row button
|
Click to display the Edit Failover Interface Configuration dialog box to edit a failover interface configuration.
|
Management IP Address
|
Active
|
Specifies the management IP address of the active device.
|
Netmask
|
Specifies the netmask that corresponds with the active and standby IP addresses.
|
Standby
|
Specifies the management IP address of the standby device.
|
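The Shared Key caution on the Failover page (without a key, failover and state-link traffic, including any VPN credentials being replicated, crosses the link in clear text) and the timer, interface-policy, and failover-group ranges in this Settings dialog are worth checking in the device configuration Security Manager generates before it is deployed. The following Python script is an added example, not Security Manager or Cisco code: it parses the `failover ...` lines of an ASA/PIX 7.x style running configuration and reports a missing failover key, HTTP replication with no stateful failover link, a unit hold time below three times the unit poll time, and any value outside the ranges this page states. The two sample configurations are constructed; `folink`, `statelink`, the interface names, and `<shared-secret>` are placeholders.

```python
# Added example (not Security Manager or Cisco code): an offline linter for the failover
# settings this page describes, run over `failover ...` lines from ASA/PIX 7.x style config.
RANGES = {  # setting: {unit: (low, high)}, as stated on this page
    "unit_poll": {"sec": (1, 15), "msec": (200, 999)},
    "unit_hold": {"sec": (3, 45), "msec": (800, 999)},
    "if_poll": {"sec": (3, 15), "msec": (500, 999)},
    "if_hold": {"sec": (5, 75)},
}

def _time(tokens):
    """Consume '[msec] N' from the head of tokens; return ((N, unit), rest)."""
    if tokens[0] == "msec":
        return (int(tokens[1]), "msec"), tokens[2:]
    return (int(tokens[0]), "sec"), tokens[1:]

def _secs(t):
    return t[0] / 1000.0 if t[1] == "msec" else float(t[0])

def parse_failover(config):
    """Collect the failover settings from config text into one dict."""
    fo = {"enabled": False, "key": False, "lan_if": None, "state_if": None, "unit_poll": None,
          "unit_hold": None, "if_poll": None, "if_hold": None, "policy": None, "http": False, "groups": {}}
    group = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if raw[0].isspace() and group is not None:  # indented sub-command of `failover group N`
            if t[0] in ("primary", "secondary"):
                group["role"] = t[0]
            elif t[0] == "preempt":
                group["preempt"], group["delay"] = True, (int(t[1]) if len(t) > 1 else 0)
            continue
        group, a = None, t[1:]
        if t[0] != "failover":
            continue
        if not a:
            fo["enabled"] = True
        elif a[0] == "key":
            fo["key"] = True
        elif a[:2] == ["lan", "interface"]:
            fo["lan_if"] = a[2]
        elif a[0] == "link":
            fo["state_if"] = a[1]
        elif a[0] == "polltime":  # polltime unit|interface [msec] N [holdtime [msec] M]
            p, (poll, rest) = ("unit" if a[1] == "unit" else "if"), _time(a[2:])
            fo[p + "_poll"] = poll
            fo[p + "_hold"] = _time(rest[1:])[0] if rest[:1] == ["holdtime"] else None
        elif a[0] == "interface-policy":
            fo["policy"] = a[1]
        elif a[:2] == ["replication", "http"]:
            fo["http"] = True
        elif a[0] == "group":
            group = fo["groups"].setdefault(int(a[1]), {"role": None, "preempt": False, "delay": 0})
    return fo

def lint(fo):
    """Findings tagged by kind: the page's constraints plus its clear-text caution."""
    f = []
    if fo["enabled"] and not fo["key"]:
        f.append("CLEARTEXT: no 'failover key'; failover and state-link traffic, including any "
                 "VPN usernames, passwords and pre-shared keys, crosses the link in clear text")
    if fo["http"] and not fo["state_if"]:
        f.append("HTTP-REPL-NO-STATE-LINK: HTTP replication needs a stateful failover link")
    for name, rng in RANGES.items():
        v = fo[name]
        if v and not (v[1] in rng and rng[v[1]][0] <= v[0] <= rng[v[1]][1]):
            f.append("RANGE: %s %d %s out of range" % (name, v[0], v[1]))
    if fo["unit_poll"] and fo["unit_hold"] and _secs(fo["unit_hold"]) < 3 * _secs(fo["unit_poll"]):
        f.append("HOLD-TOO-SHORT: unit hold time must be at least 3x the unit poll time")
    if fo["policy"] is not None:
        n, hi = int(fo["policy"].rstrip("%")), (100 if fo["policy"].endswith("%") else 250)
        if not 1 <= n <= hi:
            f.append("RANGE: interface-policy %s out of range" % fo["policy"])
    for num, g in fo["groups"].items():
        if num not in (1, 2) or not 0 <= g["delay"] <= 1200:
            f.append("RANGE: failover group %d (only groups 1-2, preempt delay 0-1200)" % num)
    return f

# Constructed samples: WEAK has no failover key, replicates HTTP without a state link and
# sets a unit hold time below 3x the poll time; HARDENED corrects all three.
WEAK_CONFIG = """\
failover
failover lan interface folink GigabitEthernet0/2
failover polltime unit 5 holdtime 10
failover polltime interface 5
failover replication http
"""
HARDENED_CONFIG = """\
failover
failover lan interface folink GigabitEthernet0/2
failover link statelink GigabitEthernet0/3
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover key <shared-secret>
failover polltime unit msec 500 holdtime 3
failover polltime interface 5 holdtime 25
failover interface-policy 50%
failover replication http
failover group 1
 primary
 preempt 30
"""
```

Run `lint(parse_failover(text))` over the output of `show running-config failover` (taken from the system execution space on a multiple-context device); the failover group sub-commands are indented in that output, which is how the parser distinguishes them from top-level `failover` commands. On the constructed samples, WEAK_CONFIG yields three findings and HARDENED_CONFIG none.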
Add Failover Group