PIX/ASA/FWSM Platform User Interface Reference


CHAPTER 50 PIX/ASA/FWSM Platform User Interface Reference

The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs). These topics are organized in the order in which they appear in Device view. Not all of these elements apply to the currently selected device; which ones do depends on its operating mode and configuration.

Interfaces
- Interfaces Page: PIX and ASA
- Interfaces Page: FWSM
- ASA 5505 Ports and Interfaces Page

Platform
- Bridging
- ARP Table Page
- ARP Inspection Page
- MAC Address Table Page
- MAC Learning Page
- Management IP Page

Device Admin
- AAA Page
- Authentication Tab
- Authorization Tab
- Accounting Tab
- Banner Page
- Boot Image/Configuration Page
- Clock Page
- Credentials Page
- CPU Threshold Page

Interfaces Page: PIX and ASA

The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.

- Configuring Firewall Device Interfaces, page 39-2
- Using the Add/Edit Interface Dialog Box, page 39-7

Table 50-1 Interfaces Page

Interfaces Table

Interface Type
The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are:
- Ethernet
- GigabitEthernet
- TenGigabitEthernet (ASA 5580 only)
- Redundant

Name
The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address
The IP address of the interface, or in transparent mode, the word native. Transparent mode interfaces do not use IP addresses.

IP Address Type
The method by which the IP address is provided. Valid options are:
- static: The IP address is manually defined.
- dhcp: The IP address is obtained via a DHCP lease.
- pppoe: The IP address is obtained using PPPoE.

Table 50-1 Interfaces Page (Continued)

Interface Role
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Valid options include:
- All-Interfaces: The interface is a member of the default role assigned to all interfaces.
- Internal: This interface is a member of the default role associated with all inside interfaces.
- External: This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.

Hardware Port
Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed. For subinterfaces, this value identifies the physical interface with which the subinterface is associated.

Enabled
Indicates if the interface is enabled: true or false. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

VLAN ID
For a subinterface, this is the VLAN ID, an integer between 1 and Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration. If this value is not specified, the column displays native.

Security Level
The interface security level; a value between 0 and 100.

Management Only
Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.

MTU
The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is

Member
Indicates whether this interface is a member of a redundant interface pair: true or false.

Table 50-1 Interfaces Page (Continued)

Description
A description of the interface. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group
If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 39-4 for more information about redundant interfaces.

You can enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

In multiple-context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is that if you set a physical interface to be the state link, you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:
- Add/Edit Interface Dialog Box (PIX/ASA), page 50-5
- Add/Edit Interface Dialog Box (ASA 5505)
- Add/Edit Interface Dialog Box (PIX 6.3)

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA.

- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- ASA 5505 Ports and Interfaces Page
- Advanced Interface Settings Dialog Box
- Add VPND Group Dialog Box
- PPPoE Users Dialog Box

Add/Edit Interface Dialog Box (PIX/ASA)

The Add/Edit Interface dialog box is used to define and configure interfaces.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA)

Enable Interface
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only
Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a Primary or Secondary ISP interface to be management only.

Redundant Interface
Select this option to define a redundant interface. When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.
- Redundant ID: Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.
- Primary Interface: Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
- Secondary Interface: Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
Note: Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces. See About Redundant Interfaces, page 39-4 for more information.

Type
Type of interface. Valid values are:
- Interface: Settings represent a physical interface.
- Subinterface: Settings represent a logical interface attached to the same network as its underlying physical interface.
Note: This option is not available when Redundant Interface is selected.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

Name
Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. Supported interface names include:
- Inside: Connects to your internal network. Must be the most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be the least secure interface.
Note: Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.

Hardware Port
For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface. Valid values are:
- Ethernet0 to Ethernetn
- GigabitEthernet0 to GigabitEthernetn
- GigabitEthernets/n
- TenGigabitEthernets/n (ASA 5580 only)
where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.
For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that Interface is defined and enabled.
Note: This option is not visible when Redundant Interface is selected.

Subinterface ID
Sets the subinterface ID as an integer between 1 and The number of subinterfaces allowed depends on your platform.
Note: You cannot change the ID after you set it.

Media Type
When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:
- RJ45: Port uses RJ-45 connectors.
- SFP: Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

IP Type
Specifies the addressing for the interface; choose one of the following methods and provide related parameters:

- Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. The IP address must be unique for each interface. The Subnet mask can be expressed in dotted decimal format (for example, ), or by entering the number of bits in the network mask (for example, 24). Do not use or for an interface connected to the network because this will stop traffic on that interface. If you omit the Subnet Mask value, a classful network is assumed.
  Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

- Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
  - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. Every route has a value or metric that represents its priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
  - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes.
  - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following option becomes available:
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or Select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

IP Type (cont.)

- PPPoE (PIX and ASA 7.2+): Enables Point-to-Point Protocol over Ethernet (PPPoE) for automatic assignment of an IP address from a PPPoE server on the connected network; this option is not supported with failover. The following options become available:
  - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups for more information.
  - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
  - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
  - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. Every route has a value or metric that represents its priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
  - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
  - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
    - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or Select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.

Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

VLAN ID
Sets the VLAN ID, between 1 and Some VLAN IDs might be reserved on connected switches; see the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.

Duplex
Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.
Note: This option is not visible when Redundant Interface is selected.

Speed
Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type (set automatically for a TenGigabitEthernet interface; available only on ASA 5580) non-negotiable
Note: This option is not visible when Redundant Interface is selected.

MTU
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is For multiple context mode, set the MTU in the context configuration.

Description
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Security Level
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

Active MAC Address
Use this field to manually assign a private MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal value (four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.

Standby MAC Address
You also can set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.

Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505)

Enable Interface
Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only
Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

Name
Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications. Supported interface names are:
- Inside: Connects to your internal network. Must be the most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be the least secure interface.

IP Type
Specifies the address type for the interface; choose one of the following methods and provide related parameters:

- Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a classful network is assumed.

- Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
  - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
  - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes.
  - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)

- PPPoE (PIX and ASA 7.2+): Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover.
  - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups for more information.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

IP Type (cont.)
  - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
  - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
  - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
  - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
  - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
    - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)

Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU
Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is For multiple context mode, set the MTU in the context configuration.

VLAN ID
Sets the VLAN ID, between 1 and For multiple-context mode, you can only set the VLAN ID in the system configuration.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

Security Level
Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Block Traffic To
Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface
Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address
Use this field to manually assign a MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal value (four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address
If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description
Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.
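The field constraints stated in Tables 50-2 and 50-3 can be checked against an exported interface inventory before deployment. The following is an added example, not part of the original reference and not Cisco Security Manager code; the dictionary keys and the sample inventory are hypothetical and constructed for illustration.

```python
import re

# H.H.H form described in the tables, e.g. 000C.F142.4CDE
HHH_RE = re.compile(r"[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}", re.I)


def to_hhh(mac):
    """Rewrite a MAC such as 00-0C-F1-42-4C-DE in H.H.H form."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def port_type(hardware_port):
    """'GigabitEthernet0/1' -> 'GigabitEthernet' (leading letters only)."""
    m = re.match(r"[A-Za-z]+", hardware_port)
    return m.group(0) if m else ""


def check_interface(intf):
    """Return findings for one interface (dict with hypothetical keys)."""
    found = []
    name = intf.get("name", "")
    level = intf.get("security_level")
    if len(name) > 48:
        found.append("name longer than 48 characters")
    if level is not None and not 0 <= level <= 100:
        found.append("security level outside 0-100")
    if name.lower() == "outside" and level != 0:
        found.append("outside interface must have security level 0")
    if name.lower() == "inside" and level != 100:
        found.append("inside interface must have security level 100")
    desc = intf.get("description", "")
    if len(desc) > 240 or "\r" in desc or "\n" in desc:
        found.append("description must be one line of at most 240 characters")
    if intf.get("ip_type") in ("dhcp", "pppoe"):
        # A blank metric defaults to 1, as the tables state.
        if not 1 <= intf.get("route_metric", 1) <= 255:
            found.append("learned route metric outside 1-255")
    for key in ("active_mac", "standby_mac"):
        if key in intf and not HHH_RE.fullmatch(intf[key]):
            found.append(f"{key} is not in H.H.H format")
    if intf.get("management_only") and intf.get("dual_isp"):
        found.append("an ISP interface cannot be management only")
    return found


def check_redundant(red, by_port):
    """Check a redundant pair against the member rules in Table 50-2."""
    found = []
    if not 1 <= red["redundant_id"] <= 8:
        found.append("redundant ID outside 1-8")
    ports = (red["primary"], red["secondary"])
    members = [by_port.get(p) for p in ports]
    if None in members:
        return found + ["member hardware port is not defined"]
    if port_type(ports[0]) != port_type(ports[1]):
        found.append("members are not the same interface type")
    for port, member in zip(ports, members):
        if not member.get("enabled"):
            found.append(f"{port}: member must be enabled")
        for key in ("name", "ip_address", "security_level"):
            if member.get(key) not in (None, ""):
                found.append(f"{port}: member must not have {key} set")
    return found


# Constructed sample inventory, keyed by hardware port.
SAMPLE_PORTS = {
    "GigabitEthernet0/0": {"enabled": True, "name": "outside",
                           "security_level": 0, "ip_type": "dhcp",
                           "route_metric": 1},
    "GigabitEthernet0/1": {"enabled": True, "name": "inside",
                           "security_level": 90,
                           "active_mac": "00-0C-F1-42-4C-DE"},
    "GigabitEthernet0/2": {"enabled": True},
    "GigabitEthernet0/3": {"enabled": False, "name": "spare"},
}
SAMPLE_REDUNDANT = {"redundant_id": 1, "primary": "GigabitEthernet0/2",
                    "secondary": "GigabitEthernet0/3"}

if __name__ == "__main__":
    for port, intf in SAMPLE_PORTS.items():
        for finding in check_interface(intf):
            print(f"{port}: {finding}")
    for finding in check_redundant(SAMPLE_REDUNDANT, SAMPLE_PORTS):
        print(f"Redundant{SAMPLE_REDUNDANT['redundant_id']}: {finding}")
```
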

Add/Edit Interface Dialog Box (PIX 6.3)

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3)

Enable Interface
Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy. You must enable a physical interface before any traffic can pass through any enabled subinterfaces.

Type
Type of VLAN interface. Valid values are:
- Logical: VLAN is associated with a logical interface.
- Physical: VLAN is on the same network as its underlying hardware interface.

Name
Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
- Inside: Connects to your internal network. Must be the most secure interface.
- DMZ: Demilitarized zone (Intermediate interface). Also known as a perimeter network.
- Outside: Connects to an external network or the Internet. Must be the least secure interface.

Hardware Port
When defining a physical network interface, this value represents the name that identifies the interface type and its slot or port in the device. When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled. Valid values are:
- ethernet0 to ethernetn.
- gb-ethernetn.
where n represents the number of network interfaces in the device.

IP Type
Specifies the address type for the interface.
- Static IP: Assigns a static IP address and mask to the interface.
- Use DHCP: Assigns a dynamic IP address and mask to the interface.
- Use PPPoE: Provides an authenticated method of assigning an IP address to the interface.
Note: You can configure DHCP and PPPoE only on the outside interface of a firewall device.

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

IP Address
Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type. The IP address must be unique for each interface. The IP address is blank for interfaces that use dynamic addressing.
Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
- For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field.
- To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.

Subnet Mask
Identifies the network mask for the IP address of the interface. You can express the value in dotted decimal format (for example, ) or by entering the number of bits in the network mask (for example, 24).
Note: Do not use or for an interface connected to the network because those mask values stop traffic on that interface.

Obtain Default Route using DHCP
Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route (see Configuring Static Routes).

Retry Count
Identifies the number of tries before an error is returned. Valid values are 4 through 16.

Obtain default route using PPPoE
Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

Speed and Duplex: Lists the speed options for a physical interface; not applicable to logical interfaces.
- auto: Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.
- 10baset: 10-Mbps Ethernet half-duplex.
- 10full: 10-Mbps Ethernet full-duplex.
- 100basetx: 100-Mbps Ethernet half-duplex.
- 100full: 100-Mbps Ethernet full-duplex.
- 1000auto: 1000-Mbps Ethernet to auto-negotiate full- or half-duplex.
  Tip: We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.
- 1000full: Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
- 1000full nonnegotiate: 1000-Mbps Ethernet full-duplex.
- aui: 10-Mbps Ethernet half-duplex communication with an AUI cable interface.
- bnc: 10-Mbps Ethernet half-duplex communication with a BNC cable interface.
Note: We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is

Physical VLAN ID: For a physical interface, sets the VLAN ID, between 1 and This VLAN ID must not be in use on connected devices.

Logical VLAN ID: Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between 1 and 99.

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, rules that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

Advanced Interface Settings Dialog Box

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA, page 50-2 or ASA 5505 Ports and Interfaces Page, page

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- Interfaces Page: FWSM, page
- ASA 5505 Ports and Interfaces Page, page
- Add/Edit Interface Dialog Box, page 50-4
- FWSM Add/Edit Interface Dialog Box, page
- Add VPND Group Dialog Box, page
- PPPoE Users Dialog Box, page

Table 50-5 Advanced Interface Settings Dialog Box

Traffic between interfaces with same security levels: Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
- Disabled: Does not allow communication between interfaces on the same security level.
- Inter-interface: Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.
- Intra-interface: Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.
- Both: Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button: Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name: Displays the group name.

PPPoE Username: Displays the PPPoE username.

PPP Authentication: Indicates the PPP Authentication method for this VPDN group:
- PAP
- CHAP
- MSCHAP

Add VPND Group Dialog Box

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- Interfaces Page: FWSM, page
- ASA 5505 Ports and Interfaces Page, page
- Add/Edit Interface Dialog Box, page 50-4
- FWSM Add/Edit Interface Dialog Box, page
- Advanced Interface Settings Dialog Box, page
- PPPoE Users Dialog Box, page

Table 50-6 Add VPND Group Dialog Box

Group Name: Enter the group name.

PPPoE Username: Select the PPPoE username.

PPP Authentication: Select the PPP Authentication method:
- PAP
- CHAP
- MSCHAP

PPPoE Users Dialog Box

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box, page

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- Interfaces Page: FWSM, page
- ASA 5505 Ports and Interfaces Page, page
- Add/Edit Interface Dialog Box, page 50-4
- FWSM Add/Edit Interface Dialog Box, page
- Advanced Interface Settings Dialog Box, page
- Add VPND Group Dialog Box, page
- Add and Edit PPPoE User Dialog Boxes, page

Table 50-7 PPPoE Users Dialog Box

PPPoE Users (PIX and ASA 7.2+)

Username: Displays the PPPoE username.

Store in Local Flash: Indicates whether this PPPoE user account is to be stored in local flash (True or False).

Add and Edit PPPoE User Dialog Boxes

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box, page

Note: The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- Interfaces Page: FWSM, page
- ASA 5505 Ports and Interfaces Page, page
- Add/Edit Interface Dialog Box, page 50-4
- FWSM Add/Edit Interface Dialog Box, page
- Advanced Interface Settings Dialog Box, page
- Add VPND Group Dialog Box, page
- PPPoE Users Dialog Box, page

Table 50-8 Add and Edit PPPoE User Dialog Boxes

Username: Provide a name for the PPPoE user.

Password: Enter a password for this user.

Confirm: Re-enter the password.

Store Username and Password in Local Flash: Select this option to store the PPPoE user information in flash memory.

Interfaces Page: FWSM

The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.

Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- FWSM Add/Edit Interface Dialog Box, page
- Add/Edit Bridge Group Dialog Box, page
- Advanced Interface Settings Dialog Box, page

Table 50-9 FWSM Interfaces Page

Interfaces Tab

Name: The name assigned to the interface.

IP Address: The IP address and subnet mask assigned to the interface.

Interface Role: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, rules that can apply to multiple interfaces. Valid options include:
- All-Interfaces: The interface is a member of the default role assigned to all interfaces.
- Internal: This interface is a member of the default role associated with all inside interfaces.
- External: This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

VLAN ID: The VLAN to which this logical interface is assigned.

Bridge Group: The bridge group to which this interface is assigned (transparent mode only).

Enabled: Indicates if the interface is enabled: true or false. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Security Level: Displays the interface security level; a value between 0 and 100.

Management Only: Indicates if this interface allows traffic to the security appliance for management purposes only.

Table 50-9 FWSM Interfaces Page (Continued)

Description: A description of the interface, if provided. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group: Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab (transparent mode only)

Bridge Group: The name of the bridge group.

ID: The identifier assigned to this bridge group.

Interface A: The first VLAN assigned to this bridge group.

Interface B: The second VLAN assigned to this bridge group.

IP: The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. A transparent firewall does not participate in IP routing.

Netmask: Displays the netmask for the management IP address.

Description: The description of this bridge group, if one was provided.

FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, to assign interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device version, and its mode (routed or transparent).

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page

Related topics:
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: FWSM, page
- Add/Edit Bridge Group Dialog Box, page
- Advanced Interface Settings Dialog Box, page

Table: FWSM Add/Edit Interface Dialog Box

Enable Interface: Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.
Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

Management Only: Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name: You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode. Special interface names are:
- Inside: Connects to your internal network. Must be the most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be the least secure interface.
Note: You cannot name more than two interfaces on an FWSM operating in transparent mode.

IP Address: The IP address for the interface.

VLAN ID: Enter the desired VLAN ID between 1 and Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Description: If desired, you can enter a description of the logical interface.

Table: FWSM Add/Edit Interface Dialog Box (Continued)

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, rules that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

ASR Group: To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page

Related topics:
- Interfaces in Routed and Transparent Modes, page 39-4
- Bridging Support for FWSM 3.1, page
- Configuring Firewall Device Interfaces, page
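The limits stated for the FWSM Add/Edit Interface dialog box (name length, security level, ASR group) and the bridge-group rules above can be checked against a planned transparent-mode layout before it is deployed. The following is an added example, not part of the Cisco guide or of Security Manager: the Vlan and BridgeGroup classes, the finding codes, the CIDR form of the management address, and the sample plan are all hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits quoted from the FWSM tables and the bridge-group text above.
MAX_NAME_LEN = 48          # "alphanumeric alias of up to 48 characters"
MAX_BRIDGE_GROUPS = 8      # "up to eight bridge groups of two interfaces each"
ASR_GROUPS = range(1, 33)  # "Valid values for ASR group range from 1 to 32"


@dataclass
class Vlan:
    """A logical VLAN interface (hypothetical model, not a Cisco data format)."""
    name: str
    vlan_id: int
    security_level: int
    asr_group: Optional[int] = None


@dataclass
class BridgeGroup:
    """A pair of VLAN interfaces plus the group's management address."""
    group_id: int
    interface_a: str
    interface_b: str
    mgmt_ip: Optional[str] = None  # assumed CIDR form: IP and Netmask combined


def audit(vlans: List[Vlan], groups: List[BridgeGroup]) -> List[Tuple[str, str]]:
    """Return (subject, finding-code) pairs for every rule the plan breaks."""
    findings: List[Tuple[str, str]] = []
    known = {v.name for v in vlans}

    for v in vlans:
        role = v.name.lower()
        if len(v.name) > MAX_NAME_LEN:
            findings.append((v.name, "NAME-TOO-LONG"))
        if not 0 <= v.security_level <= 100:
            findings.append((v.name, "LEVEL-OUT-OF-RANGE"))
        elif role == "outside" and v.security_level != 0:
            findings.append((v.name, "OUTSIDE-NOT-0"))
        elif role == "inside" and v.security_level != 100:
            findings.append((v.name, "INSIDE-NOT-100"))
        if v.asr_group is not None and v.asr_group not in ASR_GROUPS:
            findings.append((v.name, "ASR-OUT-OF-RANGE"))

    if len(groups) > MAX_BRIDGE_GROUPS:
        findings.append(("device", "TOO-MANY-BRIDGE-GROUPS"))

    member_of = {}   # interface name -> bridge group that already uses it
    networks = []    # (group id, management network) seen so far
    for g in groups:
        subject = f"bridge-group {g.group_id}"
        for ifname in (g.interface_a, g.interface_b):
            if ifname not in known:
                findings.append((subject, "UNKNOWN-INTERFACE"))
            elif ifname in member_of:
                findings.append((subject, "INTERFACE-REUSED"))
            else:
                member_of[ifname] = g.group_id
        if g.mgmt_ip is None:
            findings.append((subject, "MGMT-IP-MISSING"))
            continue
        net = ipaddress.ip_interface(g.mgmt_ip).network
        # Assumption: "a separate network" per group is checked here as
        # non-overlapping management subnets.
        if any(net.overlaps(other) for _, other in networks):
            findings.append((subject, "NETWORK-OVERLAP"))
        networks.append((g.group_id, net))
    return findings


def path_between(groups: List[BridgeGroup], src: str, dst: str) -> str:
    """'bridged' inside one group; otherwise traffic must leave the appliance."""
    for g in groups:
        if {src, dst} <= {g.interface_a, g.interface_b}:
            return "bridged"
    return "external-router"


# Constructed sample plan (names and addresses are illustrative only).
SAMPLE_VLANS = [
    Vlan("inside", 101, 100),
    Vlan("outside", 201, 0),
    Vlan("dmz-in", 102, 60, asr_group=40),   # ASR group outside 1-32
    Vlan("dmz-out", 202, 40),
]
SAMPLE_GROUPS = [
    BridgeGroup(1, "inside", "outside", "10.1.1.2/24"),
    BridgeGroup(2, "dmz-in", "dmz-out", "10.1.1.130/25"),  # inside group 1's subnet
    BridgeGroup(3, "dmz-out", "lab", None),  # reused VLAN, unknown VLAN, no address
]

if __name__ == "__main__":
    for subject, code in audit(SAMPLE_VLANS, SAMPLE_GROUPS):
        print(f"{subject}: {code}")
    print(path_between(SAMPLE_GROUPS, "inside", "dmz-in"))
```

A clean audit does not cover the services the text says all bridge groups share, such as the syslog and AAA server configuration; where those must be separated too, the guide's recommendation of one bridge group per security context applies.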


More information

Configuring Private VLANs

Configuring Private VLANs 36 CHAPTER This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples. This chapter includes the following major

More information

Firewall Mode Overview

Firewall Mode Overview CHAPTER 16 This chapter describes how to set the firewall mode, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple context

More information

Configuring DHCP Features and IP Source Guard

Configuring DHCP Features and IP Source Guard CHAPTER 21 This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the switch. It also describes how to configure

More information

Configuring Stateful Interchassis Redundancy

Configuring Stateful Interchassis Redundancy The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful

More information

Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) An Ethernet interface must be configured for optimal performance in a high-traffic network. To configure properties on a Gigabit Ethernet interface

More information

Static and Default Routes

Static and Default Routes This chapter describes how to configure static and default routes on the Cisco ASA. About, on page 1 Guidelines for, on page 3 Configure Default and Static Routes, on page 3 Monitoring a Static or Default

More information

L2TP Network Server. LNS Service Operation

L2TP Network Server. LNS Service Operation This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on Cisco ASR 5500 chassis and explains how it is configured. The product Administration Guides

More information

Peplink Balance Multi-WAN Routers

Peplink Balance Multi-WAN Routers Peplink Balance Multi-WAN Routers Model 20/30/210/310/380/390/580/710/1350 User Manual Firmware 5.1 September 10 Copyright & Trademarks Specifications are subject to change without prior notice. Copyright

More information

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0 Configuration Guide TL-ER5120/TL-ER6020/TL-ER6120 1910012186 REV3.0.0 June 2017 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Viewing Status Information... 2 System

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

DSL/CABLE ROUTER with PRINT SERVER

DSL/CABLE ROUTER with PRINT SERVER USER S MANUAL DSL/CABLE ROUTER with PRINT SERVER MODEL No:SP888BP http://www.micronet.info 1 Content Table CHAPTER 0:INTRODUCTION... 4 FEATURES... 4 MINIMUM REQUIREMENTS... 4 PACKAGE CONTENT... 4 GET TO

More information

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

Transparent or Routed Firewall Mode

Transparent or Routed Firewall Mode This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 9 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN membership modes, VLAN configuration

More information

Configuring Private VLANs

Configuring Private VLANs CHAPTER 15 This chapter describes how to configure private VLANs on the Cisco 7600 series routers. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco

More information

Peplink SD Switch User Manual. Published on October 25th, 2018

Peplink SD Switch User Manual. Published on October 25th, 2018 Peplink SD Switch User Manual Published on October 25th, 2018 1 Table of Contents Switch Layout 4 Specifications 5 Hardware Overview 6 Quick Start Functions 7 Reset Switch 7 Connect Ethernet 7 Connect

More information

Multi-Function Wireless A/P Router User s Guide

Multi-Function Wireless A/P Router User s Guide Multi-Function Wireless A/P Router User s Guide Model CNWR-811P Wireless Access Point Router W / Printer Sharing TABLE OF CONTENTS CHAPTER 1 INTRODUCTION...1 CNWR-811P Features...1 Package Contents...3

More information

Configuring Interfaces

Configuring Interfaces Network Configuring Interfaces Configuring PortShield Interfaces Configuring Wire Mode VLAN Translation Setting Up Failover and Load Balancing Configuring Network Zones Configuring DNS Settings Configuring

More information

Cisco CP Express Wizard

Cisco CP Express Wizard CHAPTER1 These help topics introduce Cisco Configuration Professional Express (Cisco CP Express) wizard, describe the configurations you can perform with it, and explain the information required in each

More information

RX3041. User's Manual

RX3041. User's Manual RX3041 User's Manual Table of Contents 1 Introduction... 2 1.1 Features and Benefits... 3 1.2 Package Contents... 3 1.3 Finding Your Way Around... 4 1.4 System Requirements... 6 1.5 Installation Instruction...

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 10 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership

More information

Cisco IOS Commands. abort CHAPTER

Cisco IOS Commands. abort CHAPTER CHAPTER 2 abort Use the abort VLAN database command to abandon the proposed new VLAN database, exit VLAN database mode, and return to privileged EXEC mode. abort This command has no arguments or keywords.

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Configuring Private VLANs

Configuring Private VLANs 36 CHAPTER This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples. This chapter includes the following major

More information

07/ CONFIGURING SECURITY SETTINGS

07/ CONFIGURING SECURITY SETTINGS SECURITY LOG Malformed packet: Failed parsing a packed has been blocked because it is malformed. Maximum security enabled service a packet has been accepted because it belongs to a permitted service in

More information

User module. Guest Configuration APPLICATION NOTE

User module. Guest Configuration APPLICATION NOTE User module Guest Configuration APPLICATION NOTE USED SYMBOLS Used symbols Danger important notice, which may have an influence on the user s safety or the function of the device. Attention notice on possible

More information

OV504R6. Quick Start Guide

OV504R6. Quick Start Guide OV504R6 Quick Start Guide 1 Overview The router is a highly ADSL2/2+ Integrated Access Device and can support ADSL link with downstream up to 24 Mbps and upstream up to 1 Mbps. It is designed to provide

More information

Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel...

Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel... Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel... 4 Front Panel... 5 Setup Diagram... 6 Getting started... 7 Chapter

More information

Managing Firewall Services

Managing Firewall Services CHAPTER 11 Firewall Services manages firewall-related policies in Security Manager that apply to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services Module (FWSM), and

More information

Stateful Failover Technology White Paper

Stateful Failover Technology White Paper Stateful Failover Technology White Paper Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization, link switching Abstract: A firewall device is usually the access point

More information

Sample Configurations

Sample Configurations APPENDIXB This appendix illustrates and describes a number of common ways to implement the security appliance, and includes the following topics: Example 1: Multiple Mode Firewall With Outside Access,

More information

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs Finding Feature Information, page 1 Prerequisites for VLANs, page 1 Restrictions for VLANs, page 2 Information About VLANs, page 2 How to Configure VLANs, page 7 Monitoring VLANs, page 19 Where to Go Next,

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:

More information

Configuring Gigabit Ethernet Interfaces

Configuring Gigabit Ethernet Interfaces This chapter explains how to configure the Gigabit Ethernet (GE) interface on the Cisco ASR 901 router. Configuring the Interface, page 1 Setting the Speed and Duplex Mode, page 2 Enabling the Interface,

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network

More information

Troubleshooting DHCP server configuration 28

Troubleshooting DHCP server configuration 28 Contents DHCP overview 1 Introduction to DHCP 1 DHCP address allocation 1 Allocation mechanisms 1 Dynamic IP address allocation process 2 IP address lease extension 2 DHCP message format 3 DHCP options

More information

DHCP and DDNS Services for Threat Defense

DHCP and DDNS Services for Threat Defense The following topics explain DHCP and DDNS services and how to configure them on Threat Defense devices. About DHCP and DDNS Services, on page 1 Guidelines for DHCP and DDNS Services, on page 3 Configure

More information

MPLS VPN Half-Duplex VRF

MPLS VPN Half-Duplex VRF The feature provides scalable hub-and-spoke connectivity for subscribers of an Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service. This feature addresses the limitations of hub-and-spoke

More information

Carrier Grade Network Address Translation

Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into

More information

vsphere Networking Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 EN

vsphere Networking Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 EN Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

Configuring Port Channels

Configuring Port Channels CHAPTER 5 This chapter describes how to configure port channels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of port channels in Cisco DCNM. For more information

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM This feature module describes the PPP over Ethernet (PPPoE) on ATM feature. The feature provides the ability to connect a network of hosts over a simple bridging-access device to a remote access concentrator.

More information

Networking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ

Networking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ Networking for Data Acquisition Systems Fabrice Le Goff - 14/02/2018 - ISOTDAQ Outline Generalities The OSI Model Ethernet and Local Area Networks IP and Routing TCP, UDP and Transport Efficiency Networking

More information

Content 1 OVERVIEW HARDWARE DESCRIPTION HARDWARE INSTALLATION PC CONFIGURATION GUIDE... 5 WEB-BASED MANAGEMENT GUIDE...

Content 1 OVERVIEW HARDWARE DESCRIPTION HARDWARE INSTALLATION PC CONFIGURATION GUIDE... 5 WEB-BASED MANAGEMENT GUIDE... Content 1 OVERVIEW...1 1.1FEATURES...1 1.2 PACKETCONTENTS...3 1.3 SYSTEM REQUIREMENTS... 1.4 FACTORY DEFAULTS...4 1.5 WARNINGS AND CAUTIONS...4 2 HARDWARE DESCRIPTION... 6 3 HARDWARE INSTALLATION...8 4

More information