PIX/ASA/FWSM Platform User Interface Reference


CHAPTER 50

PIX/ASA/FWSM Platform User Interface Reference

The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs). These topics are organized in the order in which they appear in Device view. Not all of these elements apply to the currently selected device; which ones apply depends on its operating mode and configuration.

Interfaces
  Interfaces Page: PIX and ASA, page 50-2
  Interfaces Page: FWSM, page 50-20
  ASA 5505 Ports and Interfaces Page, page 50-25
Platform Bridging, page 50-29
  ARP Table Page, page 50-30
  ARP Inspection Page, page 50-31
  MAC Address Table Page, page 50-33
  MAC Learning Page, page 50-34
  Management IP Page, page 50-36
Device Admin
  AAA Page, page 50-36
    Authentication Tab, page 50-37
    Authorization Tab, page 50-38
    Accounting Tab, page 50-38
  Banner Page, page 50-40
  Boot Image/Configuration Page, page 50-41
  Clock Page, page 50-42
  Credentials Page, page 50-44
  CPU Threshold Page, page 50-44

Interfaces Page: PIX and ASA

The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.

Related Topics
  Configuring Firewall Device Interfaces, page 39-2
  Using the Add/Edit Interface Dialog Box, page 39-7

Table 50-1 Interfaces Page

Interfaces Table

Interface Type: The kind of interface. This value is derived from the hardware ID setting of the selected interface, or from selection of the Redundant Interface option. Valid options are:
  - Ethernet
  - GigabitEthernet
  - TenGigabitEthernet (ASA 5580 only)
  - Redundant

Name: The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address: The IP address of the interface or, in transparent mode, the word native. Transparent mode interfaces do not use IP addresses.

IP Address Type: The method by which the IP address is provided. Valid options are:
  - static: The IP address is manually defined.
  - dhcp: The IP address is obtained via a DHCP lease.
  - pppoe: The IP address is obtained using PPPoE.

Table 50-1 Interfaces Page (Continued)

Interface Role: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Valid options include:
  - All-Interfaces: The interface is a member of the default role assigned to all interfaces.
  - Internal: This interface is a member of the default role associated with all inside interfaces.
  - External: This interface is a member of the default role associated with all outside interfaces.
  For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

Hardware Port: Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed. For subinterfaces, this value identifies the physical interface with which the subinterface is associated.

Enabled: Indicates whether the interface is enabled: true or false. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

VLAN ID: For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration. If this value is not specified, the column displays native.

Security Level: The interface security level; a value between 0 and 100.

Management Only: Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.

MTU: The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500.

Member: Indicates whether this interface is a member of a redundant interface pair: true or false.

Table 50-1 Interfaces Page (Continued)

Description: A description of the interface. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group: If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 39-4 for more information about redundant interfaces.

You can enable communication between interfaces on the same security level.

Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

In multiple-context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link; then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:
  Add/Edit Interface Dialog Box (PIX/ASA), page 50-5
  Add/Edit Interface Dialog Box (ASA 5505), page 50-10
  Add/Edit Interface Dialog Box (PIX 6.3), page 50-14

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA, page 50-2.

Related Topics
  Configuring Firewall Device Interfaces, page 39-2
  Interfaces Page: PIX and ASA, page 50-2
  ASA 5505 Ports and Interfaces Page, page 50-25
  Advanced Interface Settings Dialog Box, page 50-17
  Add VPDN Group Dialog Box, page 50-18
  PPPoE Users Dialog Box, page 50-19
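Table 50-1 describes interface roles as placeholders that are replaced with the real interface addresses when the configuration for each device is generated. The following Python script is an added example, not Security Manager code, that shows that expansion: a rule written against a role is resolved, per device, to the interfaces that belong to the role, and transparent-mode interfaces (address "native") contribute no address. The role membership patterns (`*` for All-Interfaces, `inside*` for Internal, `outside*` for External), the device inventory and the rule are all constructed for the example; the product's own matching logic is not documented on this page and may differ.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed role definitions (assumption: shell-style name patterns stand in
# for the product's matching logic). An interface is a member of a role when
# its name matches one of the role's patterns.
ROLES = {
    "All-Interfaces": ["*"],
    "Internal": ["inside*"],
    "External": ["outside*"],
}

@dataclass
class Interface:
    name: str
    ip: str              # "native" for transparent-mode interfaces, which have no IP address
    security_level: int

@dataclass
class Device:
    hostname: str
    interfaces: list = field(default_factory=list)

def roles_for(iface: Interface) -> list:
    """Return the roles an interface belongs to (All-Interfaces always matches)."""
    return [role for role, patterns in ROLES.items()
            if any(fnmatch.fnmatch(iface.name, p) for p in patterns)]

def expand_role(device: Device, role: str) -> list:
    """Resolve a role to the concrete interface addresses on one device.
    Interfaces without an IP address (transparent mode, 'native') are skipped."""
    return [i.ip for i in device.interfaces
            if role in roles_for(i) and i.ip != "native"]

def generate_rule(device: Device, rule: dict) -> list:
    """Turn a generic rule {'src_role', 'dst_role', 'service'} into the
    device-specific (src_ip, dst_ip, service) tuples it expands to."""
    expanded = []
    for src in expand_role(device, rule["src_role"]):
        for dst in expand_role(device, rule["dst_role"]):
            expanded.append((src, dst, rule["service"]))
    return expanded

# Constructed inventory: two devices whose interface names differ but which
# share the same role memberships.
FW1 = Device("fw1", [
    Interface("inside", "10.1.1.1", 100),
    Interface("outside", "203.0.113.2", 0),
    Interface("dmz-web", "192.0.2.1", 50),
])
FW2 = Device("fw2", [
    Interface("inside-users", "10.2.1.1", 100),
    Interface("outside-isp1", "198.51.100.2", 0),
    Interface("outside-isp2", "198.51.100.66", 0),
])

# One generic rule, written once against roles rather than addresses.
MGMT_RULE = {"src_role": "Internal", "dst_role": "External", "service": "tcp/443"}

if __name__ == "__main__":
    for dev in (FW1, FW2):
        for entry in generate_rule(dev, MGMT_RULE):
            print(dev.hostname, *entry)
```

The same rule yields one entry on fw1 and two on fw2 because fw2 has two outside interfaces in the External role; an interface named outside the expected patterns (dmz-web) only ever falls into All-Interfaces, which is worth checking before relying on the Internal and External defaults for access rules.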

Add/Edit Interface Dialog Box (PIX/ASA)

The Add/Edit Interface dialog box is used to define and configure interfaces.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA)

Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only: Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a Primary or Secondary ISP interface to be management only.

Redundant Interface: Select this option to define a redundant interface. When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.
  - Redundant ID: Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.
  - Primary Interface: Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
  - Secondary Interface: Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
  Note: Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces. See About Redundant Interfaces, page 39-4 for more information.

Type: Type of interface. Valid values are:
  - Interface: Settings represent a physical interface.
  - Subinterface: Settings represent a logical interface attached to the same network as its underlying physical interface.
  Note: This option is not available when Redundant Interface is selected.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

Name: Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. Supported interface names include:
  - Inside: Connects to your internal network. Must be the most secure interface.
  - DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
  - Outside: Connects to an external network or the Internet. Must be the least secure interface.
  Note: Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.

Hardware Port: For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface. Valid values are:
  - Ethernet0 to Ethernetn
  - GigabitEthernet0 to GigabitEthernetn
  - GigabitEthernets/n
  - TenGigabitEthernets/n (ASA 5580 only)
  where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.
  For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that the interface is defined and enabled.
  Note: This option is not visible when Redundant Interface is selected.

Subinterface ID: Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform.
  Note: You cannot change the ID after you set it.

Media Type: When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:
  - RJ45: Port uses RJ-45 connectors.
  - SFP: Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

IP Type: Specifies the addressing for the interface; choose one of the following methods and provide related parameters:
  - Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. The IP address must be unique for each interface. The Subnet Mask can be expressed in dotted decimal format (for example, 255.255.255.0), or by entering the number of bits in the network mask (for example, 24). Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface. If you omit the Subnet Mask value, a classful network is assumed.
    Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
  - Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
    - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. All routes have a value or metric that represents their priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
    - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes, page 46-34.
    - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following option becomes available:
      - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.
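The Learned Route Metric described above is an administrative distance: when several routes to the same destination exist, the one with the lowest distance is used, and a tracked route is withdrawn while its SLA monitor reports the target unreachable. The following Python script is an added example, not device or Security Manager code, that models that selection for a DHCP-learned default route on a primary ISP link backed by a static floating default on a second link. The routes, metric values and monitor states are constructed; the rule that a tracked route is removed while its monitor is down is the general behaviour of route tracking and is stated here as an assumption rather than something this page spells out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                       # "0.0.0.0/0" is the default route
    next_hop: str
    source: str                       # "static", "dhcp" or "pppoe"
    admin_distance: int               # 1..255 per the dialog box; lower is preferred
    tracked_by: Optional[str] = None  # SLA monitor name when tracking is enabled

def validate_metric(ad: int) -> int:
    """The DHCP/PPPoE Learned Route Metric must lie in 1..255 (default 1)."""
    if not 1 <= ad <= 255:
        raise ValueError(f"administrative distance {ad} outside 1..255")
    return ad

def usable(route: Route, monitors: dict) -> bool:
    """Assumption: a tracked route is withdrawn while its SLA monitor is down.
    An unknown monitor is treated as down (fail closed); untracked routes always qualify."""
    if route.tracked_by is None:
        return True
    return bool(monitors.get(route.tracked_by, False))

def select_route(prefix: str, routes: list, monitors: dict) -> Optional[Route]:
    """Pick the installed route for a prefix: the usable candidate with the
    lowest administrative distance, or None when nothing is usable."""
    candidates = [r for r in routes if r.prefix == prefix and usable(r, monitors)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.admin_distance)

# Constructed scenario: DHCP-learned default via the primary ISP (metric left
# at the default of 1, tracked by the constructed SLA monitor "isp1-probe")
# and a static floating default via a backup link with a deliberately worse
# distance of 254, so it is only used when the primary is withdrawn.
PRIMARY = Route("0.0.0.0/0", "203.0.113.1", "dhcp", validate_metric(1), tracked_by="isp1-probe")
BACKUP = Route("0.0.0.0/0", "198.51.100.1", "static", validate_metric(254))
ROUTES = [PRIMARY, BACKUP]

def active_next_hop(monitors: dict) -> Optional[str]:
    """Next hop of the default route currently installed, given monitor states."""
    chosen = select_route("0.0.0.0/0", ROUTES, monitors)
    return chosen.next_hop if chosen else None

if __name__ == "__main__":
    print("primary reachable:  ", active_next_hop({"isp1-probe": True}))
    print("primary unreachable:", active_next_hop({"isp1-probe": False}))
```

The point of the higher metric on the backup route is visible in the second call: without tracking, the primary route would stay installed after the ISP link failed and the backup would never be chosen; with tracking, the primary is withdrawn and the backup, being the only usable candidate, takes over.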

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

IP Type (cont.):
  - PPPoE (PIX and ASA 7.2+): Enables Point-to-Point Protocol over Ethernet (PPPoE) for automatic assignment of an IP address from a PPPoE server on the connected network; this option is not supported with failover. The following options become available:
    - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 39-16 for more information.
    - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
    - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
    - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. All routes have a value or metric that represents their priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
    - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default route when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
    - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
      - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
      - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.
  Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.
  Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

VLAN ID: Sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches; see the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.

Duplex: Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.
  Note: This option is not visible when Redundant Interface is selected.

Speed: Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type:
  - 10
  - 100
  - 1000
  - 10000 (set automatically for a TenGigabitEthernet interface; available only on ASA 5580)
  - non-negotiable
  Note: This option is not visible when Redundant Interface is selected.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 to 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

Description: Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. The Outside interface is always 0. The Inside interface is always 100. DMZ interfaces are between 1 and 99.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

Active MAC Address: Use this field to manually assign a private MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.

Standby MAC Address: You also can set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Default options include:
  - All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
  - Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
  - External: Indicates this interface is a member of the default role associated with all outside interfaces.
  For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.
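The limits that Table 50-2 spreads across its rows are easy to check before an interface definition is deployed. The following Python script is an added example, not Security Manager's own validation, that encodes the documented constraints on a PIX/ASA interface (name length, VLAN ID, subinterface ID, security level, MTU with its PPPoE default, the /31 and /32 mask warning, the H.H.H MAC address format, DHCP and PPPoE only on the outside interface, the management-only versus ISP-interface rule, and redundant interface IDs and member types) together with the default higher-to-lower security-level flow rule. `InterfaceSpec`, its field names and the sample specs are constructed for the example; the redundant-member type check simply strips the port numbers from a hardware port ID, which is an assumption about how those IDs are written.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Limits as documented in Table 50-2 (PIX/ASA Add/Edit Interface dialog box).
NAME_MAX = 48
VLAN_RANGE = (1, 4094)
SUBIF_RANGE = (1, 4294967293)
SECLEVEL_RANGE = (0, 100)
MTU_RANGE = (300, 65535)
REDUNDANT_ID_RANGE = (1, 8)
DEFAULT_MTU = {"pppoe": 1492}    # every other IP type defaults to 1500

@dataclass
class InterfaceSpec:                       # constructed representation of one dialog box entry
    name: Optional[str] = None
    ip_type: str = "static"                # static | dhcp | pppoe
    ip: Optional[str] = None
    mask: Optional[str] = None             # dotted decimal or prefix length, e.g. "24"
    security_level: Optional[int] = None
    vlan_id: Optional[int] = None
    subinterface_id: Optional[int] = None
    mtu: Optional[int] = None
    mac: Optional[str] = None
    management_only: bool = False
    isp_role: Optional[str] = None         # "Primary" or "Secondary" for dual ISP
    redundant_id: Optional[int] = None
    members: tuple = ()                    # (primary, secondary) hardware port IDs

def hhh_mac(mac: str) -> str:
    """Normalise 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000C.F142.4CDE to H.H.H form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC address {mac!r} does not contain 12 hex digits")
    d = digits.upper()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"

def normalise_mask(mask: str) -> str:
    """Accept a dotted-decimal or prefix-length mask and return the dotted form.
    Reject /31 and /32, which the dialog box warns will stop traffic on the interface."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")   # validates either notation
    if net.prefixlen >= 31:
        raise ValueError(f"mask {mask} (/{net.prefixlen}) would stop traffic on the interface")
    return str(net.netmask)

def effective_mtu(spec: InterfaceSpec) -> int:
    """MTU actually in force: the configured value, else 1492 for PPPoE, else 1500."""
    return spec.mtu if spec.mtu is not None else DEFAULT_MTU.get(spec.ip_type, 1500)

def _in(value, bounds) -> bool:
    return bounds[0] <= value <= bounds[1]

def validate(spec: InterfaceSpec) -> list:
    """Return the list of rule violations; an empty list means the spec is acceptable."""
    errs = []
    if spec.name is not None and len(spec.name) > NAME_MAX:
        errs.append(f"name longer than {NAME_MAX} characters")
    if spec.security_level is not None and not _in(spec.security_level, SECLEVEL_RANGE):
        errs.append("security level outside 0..100")
    if spec.vlan_id is not None and not _in(spec.vlan_id, VLAN_RANGE):
        errs.append("VLAN ID outside 1..4094")
    if spec.subinterface_id is not None and not _in(spec.subinterface_id, SUBIF_RANGE):
        errs.append("subinterface ID outside 1..4294967293")
    if not _in(effective_mtu(spec), MTU_RANGE):
        errs.append("MTU outside 300..65535")
    if spec.ip_type not in ("static", "dhcp", "pppoe"):
        errs.append(f"unknown IP type {spec.ip_type}")
    if spec.ip_type in ("dhcp", "pppoe") and (spec.name or "").lower() != "outside":
        errs.append("DHCP and PPPoE are allowed only on the outside interface")
    if spec.mask is not None:
        try:
            normalise_mask(spec.mask)
        except ValueError as e:
            errs.append(str(e))
    if spec.mac is not None:
        try:
            hhh_mac(spec.mac)
        except ValueError as e:
            errs.append(str(e))
    if spec.management_only and spec.isp_role in ("Primary", "Secondary"):
        errs.append("a Primary or Secondary ISP interface cannot be management only")
    if spec.redundant_id is not None:
        if not _in(spec.redundant_id, REDUNDANT_ID_RANGE):
            errs.append("redundant ID outside 1..8")
        if len(spec.members) != 2:
            errs.append("a redundant interface needs a primary and a secondary member")
        elif spec.members[0].rstrip("0123456789/") != spec.members[1].rstrip("0123456789/"):
            errs.append("redundant members must be of the same type")
    return errs

def default_flow_allowed(src_level: int, dst_level: int) -> bool:
    """Default policy: traffic flows freely only from a higher to a lower security level.
    Same-level traffic needs the separate same-security-level setting, treated as off here."""
    return src_level > dst_level

# Constructed sample specs: one acceptable outside interface, one with several violations.
GOOD_OUTSIDE = InterfaceSpec(name="outside", ip_type="pppoe", security_level=0,
                             mac="00-0C-F1-42-4C-DE")
BAD_DMZ = InterfaceSpec(name="dmz", ip_type="dhcp", ip="192.0.2.1", mask="255.255.255.255",
                        security_level=150, vlan_id=4095, mtu=200)

if __name__ == "__main__":
    print("outside:", validate(GOOD_OUTSIDE) or "ok", "mtu", effective_mtu(GOOD_OUTSIDE))
    for problem in validate(BAD_DMZ):
        print("dmz:", problem)
```

Running the script reports five problems for the constructed dmz interface, including the /32 mask and the attempt to use DHCP on a non-outside interface; the outside interface passes and picks up the PPPoE default MTU of 1492 without it being set explicitly.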
Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page, page 50-25.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505)

Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only: Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

Name: Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications. Supported interface names are:
  - Inside: Connects to your internal network. Must be the most secure interface.
  - DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
  - Outside: Connects to an external network or the Internet. Must be the least secure interface.

IP Type: Specifies the address type for the interface; choose one of the following methods and provide related parameters:
  - Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a classful network is assumed.
  - Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
    - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
    - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes, page 46-34.
    - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following option becomes available:
      - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)
  - PPPoE (PIX and ASA 7.2+): Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover. The following options become available:
    - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 39-16 for more information.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

IP Type (cont.):
  - PPPoE (cont.):
    - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
    - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
    - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
    - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default route when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
    - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
      - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
      - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)
  Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.
  Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 to 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

VLAN ID: Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505) (Continued)

Security Level
    Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. Outside interface is always 0. Inside interface is always 100. DMZ interfaces are between 1-99.

Block Traffic To
    Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface
    Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address
    Use this field to manually assign a MAC address to the interface. MAC addresses are provided in H.H.H format, where each H is a 16-bit hexadecimal value. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address
    If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description
    Sets an optional description of up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles
    Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules that can apply to multiple interfaces. Default options include:
        All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
        Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
        External: Indicates this interface is a member of the default role associated with all outside interfaces.
    For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.
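The Learned Route Metric, Enable Tracking, Tracked SLA Monitor and Backup Interface settings described in Table 50-3 interact: a learned default route carries an administrative distance (1 if left blank), a tracked route is withdrawn while its SLA monitor reports the target unreachable, and the backup interface only carries traffic while the primary's default route is gone. The following Python model is an added example, not code from the Cisco guide or from Security Manager; the DefaultRoute fields, the monitor name "sla-isp1", and the interface names and gateway addresses in the scenario are this example's own constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the Cisco guide): how the effective default route is
# chosen when learned routes, route tracking and a backup interface are combined.


@dataclass(frozen=True)
class DefaultRoute:
    interface: str
    gateway: str
    metric: int                        # administrative distance, 1..255
    learned: bool = True               # True for a DHCP/PPPoE-learned route, False for static
    tracked_by: Optional[str] = None   # SLA monitor name, or None for an untracked route


def learned_route_metric(value: Optional[str]) -> int:
    """Dialog rule for Learned Route Metric: blank means 1, otherwise 1..255."""
    if value is None or value.strip() == "":
        return 1
    metric = int(value)
    if not 1 <= metric <= 255:
        raise ValueError("learned route metric must be 1..255")
    return metric


def active_default_route(routes: list[DefaultRoute], sla_up: dict) -> Optional[DefaultRoute]:
    """Return the default route currently in effect, or None if none is usable.

    A tracked route is usable only while its SLA monitor reports the target
    reachable; an untracked route is always usable. Among usable routes the
    lowest administrative distance wins, so a backup route with a high metric
    carries traffic only while the primary's route is withdrawn."""
    usable = [r for r in routes if r.tracked_by is None or sla_up.get(r.tracked_by, False)]
    return min(usable, key=lambda r: r.metric, default=None)


def replay(routes: list[DefaultRoute], events: list) -> list:
    """Replay (monitor, reachable) transitions and return the interface that
    holds the default route after each one (None when no route is usable)."""
    sla_up = {r.tracked_by: True for r in routes if r.tracked_by}
    holders = []
    for monitor, reachable in events:
        sla_up[monitor] = reachable
        route = active_default_route(routes, sla_up)
        holders.append(route.interface if route else None)
    return holders


# Constructed dual-ISP scenario (documentation address ranges, assumed names):
# primary default route learned on "outside", tracked by SLA monitor "sla-isp1";
# static fallback on "backup" with a deliberately high administrative distance.
DUAL_ISP = [
    DefaultRoute("outside", "203.0.113.1", learned_route_metric(""), tracked_by="sla-isp1"),
    DefaultRoute("backup", "198.51.100.1", 254, learned=False),
]

if __name__ == "__main__":
    # Primary up, primary fails, primary recovers.
    print(replay(DUAL_ISP, [("sla-isp1", True), ("sla-isp1", False), ("sla-isp1", True)]))
```

The replay shows why the guide insists on a default route on both interfaces: with only the tracked primary route configured, a failed SLA check leaves no usable default route at all rather than shifting traffic to the backup interface.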

Add/Edit Interface Dialog Box (PIX 6.3)

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3)

Enable Interface
    Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy. You must enable a physical interface before any traffic can pass through any enabled subinterfaces.

Type
    Type of VLAN interface. Valid values are:
        Logical: VLAN is associated with a logical interface.
        Physical: VLAN is on the same network as its underlying hardware interface.

Name
    Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:
        Inside: Connects to your internal network. Must be the most secure interface.
        DMZ: Demilitarized zone (intermediate interface). Also known as a perimeter network.
        Outside: Connects to an external network or the Internet. Must be the least secure interface.

Hardware Port
    When defining a physical network interface, this value is the name that identifies the interface type and its slot or port in the device. When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled. Valid values are:
        ethernet0 to ethernetn
        gb-ethernetn
    where n represents the number of network interfaces in the device.

IP Type
    Specifies the address type for the interface.
        Static IP: Assigns a static IP address and mask to the interface.
        Use DHCP: Assigns a dynamic IP address and mask to the interface.
        Use PPPoE: Provides an authenticated method of assigning an IP address to the interface.
    Note: You can configure DHCP and PPPoE only on the outside interface of a firewall device.

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

IP Address
    Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type. The IP address must be unique for each interface. The IP address is blank for interfaces that use dynamic addressing. For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.
        Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet Mask
    Identifies the network mask for the IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).
        Note: Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.

Obtain Default Route using DHCP
    Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route; see Configuring Static Routes, page 46-34.

Retry Count
    Identifies the number of tries before an error is returned. Valid values are 4 through 16.

Obtain default route using PPPoE
    Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.
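Several value formats and limits recur across the Add/Edit Interface tables: the H.H.H MAC address form (Table 50-3), the subnet mask as dotted decimal or bit count with the /31 and /32 warning (above), the 48-character name and 240-character description limits, the security-level convention, the per-platform VLAN ID ranges (1-4090 on the ASA 5505, 1-4094 on PIX 6.3, 1-4096 on the FWSM) and the 300-65535 MTU range with its 1500/1492 defaults. The following Python is an added example, not code from the Cisco guide or from Security Manager, that applies those rules to values before they are entered; the platform keys ("asa5505", "pix63", "fwsm") and the settings dictionary keys are this example's own names.

```python
import re
import ipaddress

# Added example (not from the Cisco guide): helpers that apply the value formats
# and limits the Add/Edit Interface dialog boxes describe.

# Ranges stated in the guide; the platform keys are this example's own names.
VLAN_RANGE = {"asa5505": (1, 4090), "pix63": (1, 4094), "fwsm": (1, 4096)}
MTU_RANGE = (300, 65535)
NAME_MAX, DESCRIPTION_MAX = 48, 240


def to_cisco_mac(mac: str) -> str:
    """Rewrite a MAC given with '-', ':' or no separators into the H.H.H form
    the dialog expects, e.g. 00-0C-F1-42-4C-DE -> 000C.F142.4CDE."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_netmask(value: str) -> tuple:
    """Accept a mask as dotted decimal ('255.255.255.0') or as a bit count
    ('24' or '/24') and return (dotted_mask, prefix_length).

    Rejects non-contiguous masks and the /31 and /32 masks the guide says stop
    traffic on a network-facing interface."""
    text = value.strip().lstrip("/")
    if text.isdigit():
        prefix = int(text)
        if prefix > 32:
            raise ValueError(f"prefix length out of range: {value!r}")
    else:
        bits = int(ipaddress.IPv4Address(text))  # raises ValueError on malformed input
        inverted = ~bits & 0xFFFFFFFF
        # A contiguous mask inverts to a run of ones, so inverted + 1 is a power of two.
        if inverted & (inverted + 1):
            raise ValueError(f"non-contiguous mask: {value!r}")
        prefix = 32 - inverted.bit_length()
    if prefix >= 31:
        raise ValueError("255.255.255.254 and 255.255.255.255 are not usable on an interface")
    dotted = str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))
    return dotted, prefix


def default_mtu(ip_type: str) -> int:
    """Default MTU is 1500 for every IP type except PPPoE, where it is 1492."""
    return 1492 if ip_type.lower() == "pppoe" else 1500


def check_interface(platform: str, settings: dict) -> list:
    """Return the problems found in a dictionary of dialog-box values.

    Keys are this example's own: name, description, security_level, vlan_id,
    mtu, ip_type, netmask, active_mac. An empty list means every supplied
    value fits the limits the guide states."""
    problems = []
    name = settings.get("name", "")
    if len(name) > NAME_MAX:
        problems.append(f"name longer than {NAME_MAX} characters")
    if len(settings.get("description", "")) > DESCRIPTION_MAX:
        problems.append(f"description longer than {DESCRIPTION_MAX} characters")
    level = settings.get("security_level")
    if level is not None:
        if not 0 <= level <= 100:
            problems.append("security level must be 0..100")
        elif name.lower() == "outside" and level != 0:
            problems.append("outside interface must be security level 0")
        elif name.lower() == "inside" and level != 100:
            problems.append("inside interface must be security level 100")
    vlan = settings.get("vlan_id")
    if vlan is not None:
        lo, hi = VLAN_RANGE[platform]
        if not lo <= vlan <= hi:
            problems.append(f"VLAN ID must be {lo}..{hi} on {platform}")
    mtu = settings.get("mtu", default_mtu(settings.get("ip_type", "static")))
    if not MTU_RANGE[0] <= mtu <= MTU_RANGE[1]:
        problems.append("MTU must be 300..65535 bytes")
    for key, convert in (("netmask", parse_netmask), ("active_mac", to_cisco_mac)):
        if key in settings:
            try:
                convert(settings[key])
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return problems
```

The DMZ range (1-99) is deliberately not enforced by name, since the guide lets you give a DMZ interface any name; only the fixed outside (0) and inside (100) levels are checked.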

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

Speed and Duplex
    Lists the speed options for a physical interface; not applicable to logical interfaces.
        auto: Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.
        10baset: 10-Mbps Ethernet half-duplex.
        10full: 10-Mbps Ethernet full-duplex.
        100basetx: 100-Mbps Ethernet half-duplex.
        100full: 100-Mbps Ethernet full-duplex.
        1000auto: 1000-Mbps Ethernet to auto-negotiate full- or half-duplex.
            Tip: We recommend that you do not use this option, to maintain compatibility with switches and other devices in your network.
        1000full: Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
        1000full nonnegotiate: 1000-Mbps Ethernet full-duplex.
        aui: 10-Mbps Ethernet half-duplex communication with an AUI cable interface.
        bnc: 10-Mbps Ethernet half-duplex communication with a BNC cable interface.
    Note: We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU
    Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

Physical VLAN ID
    For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.

Logical VLAN ID
    Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) (Continued)

Security Level
    Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. Outside interface is always 0. Inside interface is always 100. DMZ interfaces are between 1 and 99.

Roles
    Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules that can apply to multiple interfaces. Default options include:
        All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
        Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
        External: Indicates this interface is a member of the default role associated with all outside interfaces.
    For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

Advanced Interface Settings Dialog Box

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA, page 50-2, or ASA 5505 Ports and Interfaces Page, page 50-25.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    Interfaces Page: PIX and ASA, page 50-2
    Interfaces Page: FWSM, page 50-20
    ASA 5505 Ports and Interfaces Page, page 50-25
    Add/Edit Interface Dialog Box, page 50-4
    FWSM Add/Edit Interface Dialog Box, page 50-22
    Add VPND Group Dialog Box, page 50-18
    PPPoE Users Dialog Box, page 50-19

Table 50-5 Advanced Interface Settings Dialog Box

Traffic between interfaces with same security levels
    Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
        Disabled: Does not allow communication between interfaces on the same security level.
        Inter-interface: Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.
        Intra-interface: Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.
        Both: Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button
    Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)
    Group Name: Displays the group name.
    PPPoE Username: Displays the PPPoE username.
    PPP Authentication: Indicates the PPP Authentication method for this VPDN group: PAP, CHAP, or MSCHAP.

Add VPND Group Dialog Box

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page 50-17.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    Interfaces Page: PIX and ASA, page 50-2
    Interfaces Page: FWSM, page 50-20
    ASA 5505 Ports and Interfaces Page, page 50-25
    Add/Edit Interface Dialog Box, page 50-4
    FWSM Add/Edit Interface Dialog Box, page 50-22
    Advanced Interface Settings Dialog Box, page 50-17
    PPPoE Users Dialog Box, page 50-19
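The Security Level rows (0 outside, 100 inside, 1-99 DMZ, higher level flows freely to lower) and the "Traffic between interfaces with same security levels" setting in Table 50-5 together decide whether a new connection passes by default, before any access rule is considered. The following Python is an added example, not code from the Cisco guide or from Security Manager, that encodes that decision; the interface names, the convention that a dot suffix on the hardware port marks a sub-interface, and the mode strings are this example's own assumptions.

```python
from dataclasses import dataclass

# Added example (not from the Cisco guide): the default forwarding decision implied
# by interface security levels and the same-security-level setting.


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int
    hw_port: str  # assumed naming: "Ethernet0/1", or "Ethernet0/1.10" for a sub-interface

    @property
    def parent_port(self) -> str:
        """Hardware port without any sub-interface suffix."""
        return self.hw_port.split(".", 1)[0]


def check_security_level(iface: Interface):
    """Rules from the Security Level descriptions: 0..100 overall, outside is
    always 0, inside is always 100, DMZ-named interfaces are 1..99.
    Returns a problem string, or None when the level is consistent."""
    level, name = iface.security_level, iface.name.lower()
    if not 0 <= level <= 100:
        return "security level must be between 0 and 100"
    if name == "outside" and level != 0:
        return "outside interface is always 0"
    if name == "inside" and level != 100:
        return "inside interface is always 100"
    if name.startswith("dmz") and not 1 <= level <= 99:
        return "DMZ interfaces are between 1 and 99"
    return None


SAME_SECURITY_MODES = ("disabled", "inter-interface", "intra-interface", "both")


def flow_permitted(src: Interface, dst: Interface, same_security: str = "disabled") -> bool:
    """Does a new connection from src to dst pass with no access rule?

    Higher security to lower flows freely; lower to higher is denied unless an
    access rule permits it. Equal levels depend on the same-security setting:
    'intra-interface' covers sub-interfaces of one hardware port (and the same
    interface), 'inter-interface' covers different ports, 'both' covers both."""
    if same_security not in SAME_SECURITY_MODES:
        raise ValueError(f"unknown same-security mode: {same_security!r}")
    if src.security_level > dst.security_level:
        return True
    if src.security_level < dst.security_level:
        return False
    same_port = src.parent_port == dst.parent_port
    if same_security == "both":
        return True
    if same_security == "intra-interface":
        return same_port
    if same_security == "inter-interface":
        return not same_port
    return False


if __name__ == "__main__":
    # Constructed interfaces for a quick demonstration.
    inside = Interface("inside", 100, "Ethernet0/1")
    outside = Interface("outside", 0, "Ethernet0/0")
    dmz_a = Interface("dmz-a", 50, "Ethernet0/2.10")
    dmz_b = Interface("dmz-b", 50, "Ethernet0/2.20")
    for mode in SAME_SECURITY_MODES:
        print(mode, flow_permitted(dmz_a, dmz_b, mode))
    print("inside->outside", flow_permitted(inside, outside))
    print("outside->inside", flow_permitted(outside, inside))
```

Reading the result as a defender: enabling "both" or "inter-interface" silently opens every pair of equal-level interfaces to each other, so DMZ segments that were isolated only by equal security levels need explicit access rules once the setting changes.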

Table 50-6 Add VPND Group Dialog Box

Group Name
    Enter the group name.

PPPoE Username
    Select the PPPoE username.

PPP Authentication
    Select the PPP Authentication method: PAP, CHAP, or MSCHAP.

PPPoE Users Dialog Box

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page 50-17. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box, page 50-18.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    Interfaces Page: PIX and ASA, page 50-2
    Interfaces Page: FWSM, page 50-20
    ASA 5505 Ports and Interfaces Page, page 50-25
    Add/Edit Interface Dialog Box, page 50-4
    FWSM Add/Edit Interface Dialog Box, page 50-22
    Advanced Interface Settings Dialog Box, page 50-17
    Add VPND Group Dialog Box, page 50-18
    Add and Edit PPPoE User Dialog Boxes, page 50-20

Table 50-7 PPPoE Users Dialog Box

PPPoE Users (PIX and ASA 7.2+)
    Username: Displays the PPPoE username.
    Store in Local Flash: Indicates whether this PPPoE user account is to be stored in local flash (True or False).

Add and Edit PPPoE User Dialog Boxes

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box, page 50-19.

Note: The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    Interfaces Page: PIX and ASA, page 50-2
    Interfaces Page: FWSM, page 50-20
    ASA 5505 Ports and Interfaces Page, page 50-25
    Add/Edit Interface Dialog Box, page 50-4
    FWSM Add/Edit Interface Dialog Box, page 50-22
    Advanced Interface Settings Dialog Box, page 50-17
    Add VPND Group Dialog Box, page 50-18
    PPPoE Users Dialog Box, page 50-19

Table 50-8 Add and Edit PPPoE User Dialog Boxes

Username
    Provide a name for the PPPoE user.

Password
    Enter a password for this user.

Confirm
    Re-enter the password.

Store Username and Password in Local Flash
    Select this option to store the PPPoE user information in flash memory.

Interfaces Page: FWSM

The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.

Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    FWSM Add/Edit Interface Dialog Box, page 50-22
    Add/Edit Bridge Group Dialog Box, page 50-24
    Advanced Interface Settings Dialog Box, page 50-17

Table 50-9 FWSM Interfaces Page

Interfaces Tab

Name
    The name assigned to the interface.

IP Address
    The IP address and subnet mask assigned to the interface.

Interface Role
    Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules that can apply to multiple interfaces. Valid options include:
        All-Interfaces: The interface is a member of the default role assigned to all interfaces.
        Internal: This interface is a member of the default role associated with all inside interfaces.
        External: This interface is a member of the default role associated with all outside interfaces.
    For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

VLAN ID
    The VLAN to which this logical interface is assigned.

Bridge Group
    The bridge group to which this interface is assigned (transparent mode only).

Enabled
    Indicates if the interface is enabled: true or false. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Security Level
    Displays the interface security level; a value between 0 and 100.

Management Only
    Indicates if this interface allows traffic to the security appliance for management purposes only.

Table 50-9 FWSM Interfaces Page (Continued)

Description
    A description of the interface, if provided. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group
    Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab (transparent mode only)

Bridge Group
    The name of the bridge group.

ID
    The identifier assigned to this bridge group.

Interface A
    The first VLAN assigned to this bridge group.

Interface B
    The second VLAN assigned to this bridge group.

IP
    The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. A transparent firewall does not participate in IP routing.

Netmask
    Displays the netmask for the management IP address.

Description
    The description of this bridge group, if one was provided.

FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, to assign interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, in which case you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device version and its mode (routed or transparent).

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page 50-20.

Related Topics
    Configuring Firewall Device Interfaces, page 39-2
    Interfaces Page: FWSM, page 50-20
    Add/Edit Bridge Group Dialog Box, page 50-24
    Advanced Interface Settings Dialog Box, page 50-17

Table 50-10 FWSM Add/Edit Interface Dialog Box

Enable Interface
    Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.
    Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

Management Only
    Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name
    You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode. Special interface names are:
        Inside: Connects to your internal network. Must be the most secure interface.
        DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
        Outside: Connects to an external network or the Internet. Must be the least secure interface.
    Note: You cannot name more than two interfaces on an FWSM operating in transparent mode.

IP Address
    The IP address for the interface.

VLAN ID
    Enter the desired VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.

Security Level
    Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. Outside interface is always 0. Inside interface is always 100. DMZ interfaces are between 1-99.

Description
    If desired, you can enter a description of the logical interface.

Table 50-10 FWSM Add/Edit Interface Dialog Box (Continued)

Roles
    Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules that can apply to multiple interfaces. Default options include:
        All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
        Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
        External: Indicates this interface is a member of the default role associated with all outside interfaces.
    For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

ASR Group
    To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page 50-20.

Related Topics
    Interfaces in Routed and Transparent Modes, page 39-4
    Bridging Support for FWSM 3.1, page 39-19
    Configuring Firewall Device Interfaces, page 39-2