Setting the Management IP Address for a Transparent Firewall (8.3 and Earlier)
This section describes how to configure the management IP address for transparent firewall mode.
Configuring the IPv4 Address
This section describes how to configure the IPv4 management address.
Detailed Steps
Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.
Step 2 In the IPv4 Address area, enter the IP address in the Management IP Address field.
This address must be on the same subnet as the upstream and downstream routers. You cannot set the subnet mask to a host mask (255.255.255.255). If you use failover, the standby address must also be on this subnet.
Step 3 From the Subnet Mask drop-down list, choose a subnet mask, or enter a subnet mask directly in the field.
Step 4 Click Apply .
Configuring the IPv6 Address
This section describes how to configure the global address or the link-local address.
Information About IPv6
This section provides background on IPv6 addressing, duplicate address detection, Modified EUI-64 interface IDs, and the IPv6 commands that transparent mode does not support.
IPv6 Addressing
You can configure two types of unicast addresses for IPv6:
- Global—The global address is a public address that you can use on the public network. This address needs to be configured per device or context, and not per-interface. You can also configure a global IPv6 address for the management interface.
- Link-local—The link-local address is a private address that you can only use on the directly-connected network. Routers do not forward packets using link-local addresses; they are only for communication on a particular physical network segment. They can be used for address configuration or for the ND functions such as address resolution and neighbor discovery. Because the link-local address is only available on a segment, and is tied to the interface MAC address, you need to configure the link-local address per interface.
At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global address, a link-local address is automatically configured on each interface, so you do not also need to specifically configure a link-local address. If you do not configure a global address, then you need to configure the link-local address, either automatically or manually.
Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection (DAD) verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, duplicate address detection is then performed on all the other IPv6 unicast addresses on the interface.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:
%ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. However, all configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 addresses associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
The ASA uses neighbor solicitation messages to perform duplicate address detection. By default, the number of times an interface performs duplicate address detection is 1.
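The %ASA-4-325002 message above is worth alerting on rather than just counting: a duplicate of the interface's own link-local address disables IPv6 processing on that interface, while a duplicated global address is only left unused. The following added example (Python; not ASA code and not part of the Cisco documentation) pulls 325002 messages out of syslog lines and classifies each duplicate by that consequence. The log lines, interface names and MAC values are constructed for the example; only the message shape (address/MAC on interface) comes from the page.

```python
"""Triage of ASA duplicate-address-detection syslogs (added example, not ASA code)."""
import ipaddress
import re
from collections import defaultdict

# Shape of the message as documented: "%ASA-4-325002: Duplicate address <ipv6>/<mac> on <interface>"
DAD_RE = re.compile(
    r"%ASA-4-325002: Duplicate address (?P<addr>[0-9A-Fa-f:]+)/(?P<mac>\S+) on (?P<ifc>\S+)"
)

# Constructed sample syslog lines (not real captures). The first line is unrelated noise.
SAMPLE_LOG = """\
Jan 10 2012 12:00:01 asa-1 : %ASA-6-302013: Built outbound TCP connection 1 for outside:2001:db8:1::1/80 (2001:db8:1::1/80) to inside:2001:db8::1/40000 (2001:db8::1/40000)
Jan 10 2012 12:00:02 asa-1 : %ASA-4-325002: Duplicate address fe80::20d:88ff:feee:6a82/000d.88ee.6a82 on inside
Jan 10 2012 12:00:03 asa-1 : %ASA-4-325002: Duplicate address 2001:0DB8::BA98:0:3210/000c.f142.4cde on outside
""".splitlines()


def parse_dad_events(lines):
    """Return one record per 325002 message; every other message is ignored."""
    events = []
    for line in lines:
        m = DAD_RE.search(line)
        if m is None:
            continue
        events.append({
            "interface": m["ifc"],
            "address": ipaddress.IPv6Address(m["addr"]),  # normalises case and compression
            "mac": m["mac"].lower(),
        })
    return events


def triage(events):
    """Classify each duplicate by its effect on the ASA: a duplicated link-local
    address (fe80::/10) disables IPv6 packet processing on that interface; a
    duplicated global address is not used but its configuration stays in place."""
    report = defaultdict(list)
    for ev in events:
        if ev["address"].is_link_local:
            impact = "IPV6_DISABLED_ON_INTERFACE"
        else:
            impact = "GLOBAL_ADDRESS_UNUSED"
        report[ev["interface"]].append((impact, str(ev["address"]), ev["mac"]))
    return dict(report)


def interfaces_with_ipv6_down(lines):
    """Interfaces on which a link-local duplicate has disabled IPv6 processing:
    the ones to page on, because IPv6 through them has stopped."""
    return sorted(
        ifc
        for ifc, hits in triage(parse_dad_events(lines)).items()
        if any(impact == "IPV6_DISABLED_ON_INTERFACE" for impact, _, _ in hits)
    )


if __name__ == "__main__":
    for ifc, hits in triage(parse_dad_events(SAMPLE_LOG)).items():
        for impact, addr, mac in hits:
            print(f"{ifc}: {impact} {addr} (reported MAC {mac})")
    print("IPv6 down on:", interfaces_with_ipv6_down(SAMPLE_LOG))
```

Feed the functions the raw lines from your syslog collector; the regex searches anywhere in the line, so the timestamp and hostname prefix your collector adds does not matter.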
Modified EUI-64 Interface IDs
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture (since superseded by RFC 4291, which carries the same requirement) requires that the interface identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits long and be constructed in Modified EUI-64 format. The ASA can enforce this requirement for hosts attached to the local link.
When this feature is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:
%ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address. For the same reason, hosts on the local link that use interface identifiers not derived from their MAC address (for example, temporary addresses generated by privacy extensions) also fail the check, so confirm how hosts on the segment form their addresses before enabling it.
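Worked out in code, as an added example that is not part of the Cisco documentation: the Modified EUI-64 derivation behind automatically generated link-local addresses (the page's own fe80::20d:88ff:feee:6a82 is what MAC 00:0d:88:ee:6a:82 produces) and the source-address comparison that Enforce EUI-64 applies to the first packet of a new flow, including the two cases the text says fail it: an interface ID that is not Modified EUI-64, and a host behind a router whose frames carry the router's MAC. The flow key and the Eui64Enforcer class are simplifications for illustration, not the ASA's implementation.

```python
"""Modified EUI-64 interface IDs worked through in Python (added example, not ASA code).

parse_mac accepts colon, dash and Cisco dotted (H.H.H) MAC notation; the
arithmetic is the Modified EUI-64 rule from RFC 3513 / RFC 4291 Appendix A."""
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC written as 00:0d:88:ee:6a:82,
    00-0D-88-EE-6A-82 or 000d.88ee.6a82."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Split the MAC into its 3-byte OUI and 3-byte NIC halves, insert 0xFFFE
    between them, then invert the universal/local bit (0x02 of the first octet).
    The result is the 64-bit interface identifier."""
    oui_nic = parse_mac(mac)
    iid = bytearray(oui_nic[:3] + b"\xff\xfe" + oui_nic[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the Modified EUI-64 ID: the address the ASA generates for
    an interface when 'Enable IPv6' is checked and no address is configured."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))


def eui64_source_check(src_ip: str, src_mac: str) -> bool:
    """The comparison behind 'Enforce EUI-64': the low 64 bits of the packet's
    source address must equal the Modified EUI-64 form of the frame's source
    MAC. A mismatch is what produces %ASA-3-325003."""
    addr = ipaddress.IPv6Address(src_ip)
    return addr.packed[8:] == modified_eui64(src_mac)


class Eui64Enforcer:
    """Per-flow behaviour described in the text: the check runs only when a flow
    is created; later packets of an existing flow pass unchecked. Flows are
    keyed on (src, dst) here as a simplification (assumption for this example)."""

    def __init__(self) -> None:
        self.flows = set()

    def accept(self, src_ip: str, dst_ip: str, src_mac: str) -> bool:
        key = (src_ip, dst_ip)
        if key in self.flows:
            return True  # existing flow: not re-verified
        if not eui64_source_check(src_ip, src_mac):
            return False  # dropped; the ASA would log %ASA-3-325003
        self.flows.add(key)
        return True


if __name__ == "__main__":
    # The page's own example pair: MAC 00:0d:88:ee:6a:82 -> fe80::20d:88ff:feee:6a82
    print(link_local_from_mac("000d.88ee.6a82"))
    # A host behind a router fails: its frames arrive with the router's MAC.
    print(eui64_source_check("2001:db8::20d:88ff:feee:6a82", "00:00:5e:00:01:01"))
```

Run it against a MAC and address taken from a suspect host to see at a glance whether the drop you are looking at is the EUI-64 check or something else: if `eui64_source_check` returns False for the frame's actual source MAC, the ASA's behaviour is as documented and the fix is on the host or the topology, not on the firewall.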
Unsupported Commands
The following IPv6 commands are not supported in transparent firewall mode, because they require router capabilities:
- ipv6 address autoconfig
- ipv6 nd prefix
- ipv6 nd ra-interval
- ipv6 nd ra-lifetime
- ipv6 nd suppress-ra
The ipv6 local pool VPN command is not supported, because transparent mode does not support VPN.
Configuring the Global Address
To set the management IPv6 address, perform the following steps.
Detailed Steps
Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.
Step 2 In the IPv6 Addresses area, click Add .
The Add IPv6 Management Address dialog box appears.
Step 3 In the IP Address field, enter an IPv6 address.
For example, 2001:0DB8::BA98:0:3210. See the “IPv6 Addresses” section for more information about IPv6 addressing.
Step 4 In the Prefix Length field, enter the prefix length.
For example, 48. See the “IPv6 Addresses” section for more information about IPv6 addressing.
Step 5 Click OK .
Step 6 To configure additional addresses, repeat Step 2 through Step 5.
Step 7 Click Apply .
Configuring the Link-Local Addresses Automatically
If you only need to configure a link-local address and are not going to assign any other IPv6 addresses, you have the option of generating the link-local addresses based on the interface MAC addresses (Modified EUI-64 format).
Detailed Steps
Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.
Step 2 In the IPv6 configuration area, check Enable IPv6 .
This option enables IPv6 on all interfaces and automatically generates the link-local addresses using the Modified EUI-64 interface ID based on the interface MAC address.
Note You do not need to check this option if you configure any IPv6 addresses (either global or link-local); IPv6 support is automatically enabled as soon as you assign an IPv6 address. Similarly, unchecking this option does not disable IPv6 if you configured IPv6 addresses.
To configure IPv6 DAD parameters, shown in this area, see the “Configuring DAD Settings” section.
Step 3 Click Apply .
Configuring the Link-Local Address on an Interface Manually
If you only need to configure a link-local address and are not going to assign any other IPv6 addresses, you have the option of manually defining the link-local address.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
Step 2 Select an interface, and click Edit .
The Edit Interface dialog box appears with the General tab selected.
Step 3 Click the IPv6 tab.
Step 4 (Optional) To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, check the Enforce EUI-64 check box.
If the interface identifiers do not conform to the modified EUI-64 format, an error message appears. See the “Modified EUI-64 Interface IDs” section for more information.
Step 5 To set the link-local address, enter an address in the Link-local address field.
A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. See the “IPv6 Addresses” section for more information about IPv6 addressing.
Step 6 Click OK .
Configuring DAD Settings
DAD verifies the uniqueness of new unicast IPv6 addresses before they are assigned and ensures that duplicate IPv6 addresses are detected in the network on a link basis.
For information about the Enable IPv6 parameter, see the “Configuring the Link-Local Addresses Automatically” section.
Detailed Steps
Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.
Step 2 In the IPv6 configuration area, in the DAD attempts field, enter the number of allowed DAD attempts.
This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. Valid values are from 0 to 600. A zero value disables DAD processing on the specified interface. The default is one message.
Step 3 In the NS Interval field, enter the neighbor solicitation message interval.
The neighbor solicitation message requests the link-layer address of a target node. Valid values are from 1000 to 3600000 milliseconds. The default is 1000 milliseconds.
Step 4 In the Reachable Time field, enter the amount of time in milliseconds that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred.
Valid values are from 0 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.
Step 5 Click Apply .
Completing Interface Configuration in Transparent Mode (8.3 and Earlier)
This section includes tasks to complete the interface configuration for all models in transparent mode.
Note For multiple context mode, complete the tasks in this section in the context execution space. In the Configuration > Device List pane, double-click the context name under the active device IP address.
Configuring General Interface Parameters
This procedure describes how to set the name and security level for each transparent interface.
To configure a separate management interface, see the “Configuring a Management Interface (ASA 5510 and Higher)” section.
For the ASA 5510 and higher, you must configure interface parameters for the following interface types:
- Physical interfaces
- VLAN subinterfaces
- Redundant interfaces
For the ASA 5505, you must configure interface parameters for the following interface types:
- VLAN interfaces
Guidelines and Limitations
- You can configure up to two interfaces per context.
- For the ASA 5550, for maximum throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.
- For information about security levels, see the “Security Levels” section.
- If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See “Configuring Failover,” to configure the failover and state links.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
In multiple context mode, only interfaces that were assigned to the context in the System execution space appear in the table.
Step 2 Choose the row for an interface, and click Edit .
The Edit Interface dialog box appears with the General tab selected.
Step 3 In the Interface Name field, enter a name up to 48 characters in length.
Step 4 In the Security level field, enter a level between 0 (lowest) and 100 (highest).
See the “Security Levels” section for more information.
Step 5 If the interface is not already enabled, check the Enable Interface check box.
Step 6 (Optional) In the Description field, enter a description for this interface.
The description can be up to 240 characters on a single line, without carriage returns. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
Note (ASA 5510 and higher, single mode) For information about the Configure Hardware Properties button, see the “Enabling the Physical Interface and Configuring Ethernet Parameters” section.
Step 7 Click OK .
Configuring a Management Interface (ASA 5510 and Higher)
You can configure one management interface separate from the network interfaces in single mode or per context. You can use the Management slot / port interface (either the physical interface or a subinterface) as a separate management interface. You cannot use any other interface type as a management interface. For more information, see the “Management Interface” section.
Configuring General Parameters and the IPv4 Address
This section describes how to configure the name, security level, and IPv4 address for a management interface.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
In multiple context mode, only interfaces that were assigned to the context in the System execution space appear in the table.
Step 2 Choose the row for a Management interface or subinterface and click Edit .
The Edit Interface dialog box appears with the General tab selected.
Step 3 In the Interface Name field, enter a name up to 48 characters in length.
Step 4 In the Security level field, enter a level between 0 (lowest) and 100 (highest).
See the “Security Levels” section for more information.
Note The Dedicate this interface to management only check box is enabled by default and is non-configurable.
Step 5 If the interface is not already enabled, check the Enable Interface check box.
Step 6 To set the IP address, use one of the following options.
Note For use with failover, you must set the IP address and standby address manually; DHCP is not supported. Set the standby IP addresses on the Configuration > Device Management > High Availability > Failover > Interfaces tab.
- To set the IP address manually, click the Use Static IP radio button and enter the IP address and mask.
- To obtain an IP address from a DHCP server, click the Obtain Address via DHCP radio button.
a. To force a MAC address to be stored inside a DHCP request packet for option 61, click the Use MAC Address radio button.
Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned.
b. To use a generated string for option 61, click Use “Cisco-<MAC>-<interface_name>-<host>” .
c. (Optional) To obtain the default route from the DHCP server, check Obtain Default Route Using DHCP .
d. (Optional) To set the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover requesting an IP address, check Enable DHCP Broadcast flag for DHCP request and discover messages .
The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1.
e. (Optional) To renew the lease, click Renew DHCP Lease .
Step 7 (Optional) In the Description field, enter a description for this interface.
The description can be up to 240 characters on a single line, without carriage returns.
Note (ASA 5510 and higher, single mode) For information about the Configure Hardware Properties button, see the “Enabling the Physical Interface and Configuring Ethernet Parameters” section.
Step 8 Click OK .
Configuring a Global IPv6 Address and Other Options
To configure a global IPv6 address and other options for the management interface, perform the following steps.
Note Configuring the global address automatically configures the link-local address, so you do not need to configure it separately.
Restrictions
The ASA does not support IPv6 anycast addresses.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
Step 2 Choose a management interface, and click Edit .
The Edit Interface dialog box appears with the General tab selected.
Step 3 Click the IPv6 tab.
Step 4 (Optional) To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, check the Enforce EUI-64 check box.
See the “Modified EUI-64 Interface IDs” section for more information.
Step 5 To configure the global IPv6 address:
a. In the Interface IPv6 Addresses area, click Add .
The Add IPv6 Address for Interface dialog box appears.
b. In the Address/Prefix Length field, enter the global IPv6 address and the IPv6 prefix length. For example, 2001:0DB8::BA98:0:3210/48. See the “IPv6 Addresses” section for more information about IPv6 addressing.
c. Click OK .
Step 6 (Optional) In the top area, customize the IPv6 configuration by configuring the following options:
- DAD Attempts—This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. Valid values are from 0 to 600. A zero value disables DAD processing on the specified interface. The default is one message.
- NS Interval—Enter the neighbor solicitation message interval. The neighbor solicitation message requests the link-layer address of a target node. Valid values are from 1000 to 3600000 milliseconds. The default is 1000 milliseconds.
- Reachable Time—Enter the amount of time in milliseconds that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred. Valid values are from 0 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.
Step 7 Click OK .
You return to the Configuration > Device Setup > Interfaces pane.
Configuring the MAC Address, MTU, and TCP MSS
This section describes how to configure MAC addresses for interfaces, how to set the MTU, and set the TCP MSS.
Information About MAC Addresses
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
A redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to the redundant interface in this procedure, then it is used regardless of the member interface MAC addresses.
For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses the lowest numbered channel group interface MAC address as the port-channel MAC address. Alternatively you can manually configure a MAC address for the port-channel interface. In multiple context mode, you can automatically assign unique MAC addresses to interfaces, including an EtherChannel port interface. We recommend configuring a unique MAC address manually, or in multiple context mode automatically, in case the channel group membership changes. If you remove the interface that was providing the port-channel MAC address, then the port-channel MAC address changes to the next lowest numbered interface, thus causing traffic disruption.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the ASA easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the “How the ASA Classifies Packets” section for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the “Automatically Assigning MAC Addresses to Context Interfaces” section to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this procedure to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
Detailed Steps
Step 1 Choose the Configuration > Device Setup > Interfaces pane.
BVIs appear in the table alongside physical interfaces, subinterfaces, redundant interfaces, and EtherChannel port-channel interfaces. In multiple context mode, only interfaces that were assigned to the context in the System execution space appear in the table.
Step 2 Choose the row for a physical interface, subinterface, redundant interface, or EtherChannel port-interface, and click Edit .
The Edit Interface dialog box appears with the General tab selected.
Step 3 Click the Advanced tab.
Step 4 To set the MTU or to enable jumbo frame support (supported models), enter the value in the MTU field, between 300 and 65,535 bytes.
The default is 1500 bytes.
Note When you set the MTU for a redundant or port-channel interface, the ASA applies the setting to all member interfaces.
- For models that support jumbo frames in single mode—If you enter a value for any interface that is greater than 1500, then you enable jumbo frame support automatically for all interfaces. If you set the MTU for all interfaces back to a value under 1500, then jumbo frame support is disabled.
- For models that support jumbo frames in multiple mode—If you enter a value for any interface that is greater than 1500, then be sure to enable jumbo frame support in the system configuration. See the “Enabling Jumbo Frame Support (Supported Models)” section.
Note Enabling or disabling jumbo frame support requires you to reboot the ASA.
A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. Jumbo frames require extra memory to process, and assigning more memory for jumbo frames might limit the maximum use of other features, such as ACLs.
Step 5 To manually assign a MAC address to this interface, enter a MAC address in the Active Mac Address field in H.H.H format, where each H is a 16-bit hexadecimal value (four hexadecimal digits).
For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. The first byte of a manual MAC address cannot be A2 if you also want to use auto-generated MAC addresses, because auto-generated addresses begin with that value.
Step 6 If you use failover, enter the standby MAC address in the Standby Mac Address field. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
Step 7 To set the TCP MSS, choose Configuration > Firewall > Advanced > TCP Options . Set the following options:
- Force Maximum Segment Size for TCP—Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting the bytes to 0.
- Force Minimum Segment Size for TCP — Overrides the maximum segment size to be no less than the number of bytes you set, between 48 and any maximum number. This feature is disabled by default (set to 0).
Allowing Same Security Level Communication
By default, interfaces on the same security level cannot communicate with each other, and packets cannot enter and exit the same interface. This section describes how to enable inter-interface communication when interfaces are on the same security level.
Information About Inter-Interface Communication
Allowing interfaces on the same security level to communicate with each other is useful if you want traffic to flow freely between all same security interfaces without ACLs.
If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
Detailed Steps
To enable interfaces on the same security level to communicate with each other, from the Configuration > Device Setup > Interfaces pane, check Enable traffic between two or more interfaces which are configured with same security level .