This chapter includes tasks to complete the interface configuration for all models in transparent firewall mode.
Note For multiple context mode, complete the tasks in this section in the context execution space. Enter the changeto context name command to change to the context you want to configure.
If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context. At least one bridge group is required per context or in single mode.
Each bridge group requires a management IP address. For another method of management, see Management Interface.
Note The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See Allowing Same Security Level Communication for more information.
The level controls the following behavior:
If you enable communication for same security interfaces (see Allowing Same Security Level Communication), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA.
If you enable communication for same security interfaces, you can filter traffic in either direction.
If you enable communication for same security interfaces, you can configure established commands for both directions.
License limits (per-model table, only partly recoverable): each model lists a VLAN limit and supports interfaces of all types. VLANs, Base and Security Plus License: 1024. Interface speed for SSP-10 and SSP-20: Base License, 1-Gigabit Ethernet for fiber interfaces; 10 GE I/O License (Security Plus), 10-Gigabit Ethernet for fiber interfaces (SSP-40 and SSP-60 support 10-Gigabit Ethernet by default).
This section includes the guidelines and limitations for this feature.
The ASA 5505 and ASAv do not support multiple context mode.
Note Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire bridge group. The ASA uses this IP address as the source address for packets originating on the ASA, such as system messages or AAA communications. In addition to the bridge group management address, you can optionally configure a management interface for some models; see Management Interface for more information.
The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported. See Configuring Bridge Groups for more information about management IP subnets.
Do not finish configuring failover interfaces with the procedures in this chapter. See “Failover,” to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration.
VLAN ID Guidelines for the ASASM
You can add any VLAN ID to the configuration, but only VLANs that are assigned to the ASA by the switch can pass traffic. To view all VLANs assigned to the ASA, use the show vlan command.
If you add an interface for a VLAN that is not yet assigned to the ASA by the switch, the interface will be in the down state. When you assign the VLAN to the ASA, the interface changes to an up state. See the show interface command for more information about interface states.
This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see Factory Default Configurations.
The default security level is 0. If you name an interface “inside” and you do not set the security level explicitly, then the ASA sets the security level to 100.
Note If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Default State of Interfaces for the ASASM
By default, the ASASM supports jumbo frames. Just configure the MTU for the desired packet size according to Configuring the MAC Address, MTU, and TCP MSS.
Step 1 Set up your interfaces depending on your model: ASA 5512-X and higher, Chapter 10, “Basic Interface Configuration (ASA 5512-X and Higher)”; ASA 5505, Chapter 11, “Basic Interface Configuration (ASA 5505)”; ASASM, Chapter 2, “Switch Configuration for the ASA Services Module”; ASAv, Chapter 12, “Basic Interface Configuration (ASAv)”.
Step 2 (Multiple context mode) Allocate interfaces to the context according to Configuring Multiple Contexts.
Step 3 (Multiple context mode) Enter the changeto context name command to change to the context you want to configure.
Step 4 Configure one or more bridge groups, including the IPv4 address. See Configuring Bridge Groups.
Step 5 Configure general interface parameters, including the bridge group it belongs to, the interface name, and security level. See Configuring General Interface Parameters.
Step 6 (Optional; not supported for the ASA 5505) Configure a management interface. See Configuring a Management Interface (ASA 5512-X and Higher and ASAv).
Step 7 (Optional) Configure the MAC address and the MTU. See Configuring the MAC Address, MTU, and TCP MSS.
Step 8 (Optional) Configure IPv6 addressing. See Configuring IPv6 Addressing.
Step 9 (Optional) Allow same security level communication, either by allowing communication between two interfaces or by allowing traffic to enter and exit the same interface. See Allowing Same Security Level Communication.
Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For IPv4 traffic, the management IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations.
You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that you must use at least one bridge group; data interfaces must belong to a bridge group.
Note For a separate management interface (for supported models), a non-configurable bridge group (ID 101) is automatically added to your configuration. This bridge group is not included in the bridge group limit.
The following example sets the management address and standby address of bridge group 1:
Configure general interface parameters. See Configuring General Interface Parameters.
This procedure describes how to set the name, security level, and bridge group for each transparent interface.
To configure a separate management interface, see Configuring a Management Interface (ASA 5512-X and Higher and ASAv).
For the ASA 5512-X and higher and the ASAv, you must configure interface parameters for the following interface types:
For the ASA 5505 and the ASASM, you must configure interface parameters for the following interface types:
– ASA 5512-X and higher—Chapter 10, “Basic Interface Configuration (ASA 5512-X and Higher)”
– ASA 5505—Chapter 11, “Basic Interface Configuration (ASA 5505)”
– ASASM—Chapter 2, “Switch Configuration for the ASA Services Module”
– ASAv—Chapter 12, “Basic Interface Configuration (ASAv)”
Step 1 For the ASA 5512-X and higher and the ASAv: interface {{ redundant number | port-channel number | physical_interface }[. subinterface ] | mapped_name }
For the ASA 5505 and the ASASM: interface { vlan number | mapped_name }
If you are not already in interface configuration mode, enters interface configuration mode. The redundant number argument is the redundant interface ID, such as redundant 1. The port-channel number argument is the EtherChannel interface ID, such as port-channel 1. See the Enabling the Physical Interface and Configuring Ethernet Parameters section for a description of the physical interface ID. Do not use this procedure for Management interfaces; see Configuring a Management Interface (ASA 5512-X and Higher and ASAv) to configure the Management interface. Append the subinterface ID to the physical or redundant interface ID separated by a period (.). In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command.
Step 2 bridge-group number
Assigns the interface to a bridge group, where number is an integer between 1 and 100. You can assign up to four interfaces to a bridge group. You cannot assign the same interface to more than one bridge group.
Step 3 nameif name
Names the interface. The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Step 4 security-level number
Sets the security level, where number is an integer between 0 (lowest) and 100 (highest).
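As an added example (not Cisco's code), the following Python linter checks a transparent-mode interface configuration against the limits stated in Configuring Bridge Groups and in the procedure above: every data interface must belong to a bridge group numbered 1 to 100, a bridge group holds at most four interfaces and needs a management IP address, an interface without an explicit security level defaults to 0 (100 when named inside), a manual MAC address must be in H.H.H format and must not start with A2 if auto-generated addresses are also used, and the MTU must be between 300 and 9198 bytes. The sample configuration is constructed for illustration, and the linter assumes the bridge group address is configured under interface bvi number, which is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: two bridge groups, with deliberate mistakes to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 bridge-group 1
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 bridge-group 2
 nameif dmz
 mac-address a201.0000.0001
interface GigabitEthernet0/2
 nameif orphan
interface bvi 1
 ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
mtu dmz 9300
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # H.H.H format


def parse(config):
    """Return ({interface id: {first keyword: rest of line}}, [global commands])."""
    ifaces, glob, cur = {}, [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = raw.split(None, 1)[1].strip().lower()
            ifaces[cur] = {}
        elif raw.startswith(" ") and cur is not None:
            kw, _, rest = raw.strip().partition(" ")
            ifaces[cur][kw] = rest
        elif raw.strip():
            glob.append(raw.strip())
    return ifaces, glob


def lint(config):
    """Return a list of findings; an empty list means the config passes."""
    ifaces, glob = parse(config)
    out, members = [], defaultdict(list)
    # Bridge groups whose 'interface bvi N' (assumed syntax) carries an IP address.
    bvi_with_ip = {n.split()[1] for n, c in ifaces.items() if n.startswith("bvi ") and "ip" in c}
    for name, c in ifaces.items():
        if name.startswith("bvi ") or "management-only" in c:
            continue  # BVIs and the separate management interface are not members
        bg = c.get("bridge-group")
        if bg is None:
            out.append(f"{name}: data interface is not in a bridge group")
        elif not 1 <= int(bg) <= 100:
            out.append(f"{name}: bridge-group {bg} is outside 1-100")
        else:
            members[bg].append(name)
        if "security-level" not in c:  # default is 0, or 100 when the nameif is 'inside'
            level = 100 if c.get("nameif") == "inside" else 0
            out.append(f"{name}: no security-level, defaults to {level}")
        mac = c["mac-address"].split()[0].lower() if "mac-address" in c else ""
        if mac and not MAC_RE.match(mac):
            out.append(f"{name}: mac-address {mac} is not in H.H.H format")
        elif mac.startswith("a2"):
            out.append(f"{name}: manual MAC starting with A2 clashes with auto-generated MACs")
    for bg, names in members.items():
        if len(names) > 4:
            out.append(f"bridge-group {bg}: {len(names)} members, limit is 4")
        if bg not in bvi_with_ip:
            out.append(f"bridge-group {bg}: no management IP address on interface bvi {bg}")
    for m in (re.match(r"mtu (\S+) (\d+)$", line) for line in glob):
        if m and not 300 <= int(m.group(2)) <= 9198:
            out.append(f"mtu {m.group(1)}: {m.group(2)} is outside 300-9198 bytes")
    return out
```

Running lint(SAMPLE_CONFIG) reports six findings: the unset security levels on dmz and orphan, the A2 MAC address, the orphan interface outside any bridge group, the missing address for bridge group 2, and the oversized MTU.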
You can configure one management interface separate from the bridge group interfaces in single mode or per context. For more information, see Management Interface.
Step 1 interface {{ port-channel number | management slot / port }[. subinterface ] | mapped_name }
If you are not already in interface configuration mode, enters interface configuration mode for the management interface. The port-channel number argument is the EtherChannel interface ID, such as port-channel 1. The EtherChannel interface must have only Management member interfaces. Redundant interfaces do not support Management slot / port interfaces as members. You also cannot set a redundant interface comprised of non-Management interfaces as management-only. In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command.
Step 2 nameif name
Names the interface. The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Step 3 Set the IP address with one of the following commands:
ip address ip_address [ mask ] [ standby ip_address ]
Example: ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
Sets the IP address manually. Note For use with failover, you must set the IP address and standby address manually; DHCP is not supported. The ip_address and mask arguments set the interface IP address and subnet mask. The standby ip_address argument is used for failover. See Configuring Active/Standby Failover or Configuring Active/Active Failover for more information.
ip address dhcp [ setroute ]
Obtains an IP address from a DHCP server. The setroute keyword lets the ASA use the default route supplied by the DHCP server. Reenter this command to reset the DHCP lease and request a new lease. If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
Step 4 security-level number
Sets the security level, where number is an integer between 0 (lowest) and 100 (highest).
This section describes how to configure MAC addresses for interfaces, how to set the MTU, and how to set the TCP MSS.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
For the ASASM, all VLANs use the same MAC address provided by the backplane.
A redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to the redundant interface using this command, then it is used regardless of the member interface MAC addresses.
For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses the lowest numbered channel group interface MAC address as the port-channel MAC address. Alternatively you can manually configure a MAC address for the port-channel interface. In multiple context mode, you can automatically assign unique MAC addresses to interfaces, including an EtherChannel port interface. We recommend manually, or in multiple context mode, automatically configuring a unique MAC address in case the group channel interface membership changes. If you remove the interface that was providing the port-channel MAC address, then the port-channel MAC address changes to the next lowest numbered interface, thus causing traffic disruption.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the ASA easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See How the ASA Classifies Packets for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See Automatically Assigning MAC Addresses to Context Interfaces to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this procedure to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
See Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size.
– ASA 5512-X and higher—Chapter 10, “Basic Interface Configuration (ASA 5512-X and Higher)”
– ASA 5505—Chapter 11, “Basic Interface Configuration (ASA 5505)”
– ASASM—Chapter 2, “Switch Configuration for the ASA Services Module”
– ASAv—Chapter 12, “Basic Interface Configuration (ASAv)”
Step 1 For the ASA 5512-X and higher and the ASAv: interface {{ redundant number | port-channel number | physical_interface }[. subinterface ] | mapped_name }
For the ASA 5505 and the ASASM: interface { vlan number | mapped_name }
If you are not already in interface configuration mode, enters interface configuration mode. The redundant number argument is the redundant interface ID, such as redundant 1. The port-channel number argument is the EtherChannel interface ID, such as port-channel 1. See the Enabling the Physical Interface and Configuring Ethernet Parameters section for a description of the physical interface ID. Append the subinterface ID to the physical or redundant interface ID separated by a period (.). In multiple context mode, enter the mapped_name if one was assigned using the allocate-interface command.
Step 2 mac-address mac_address [ standby mac_address ]
Assigns a private MAC address to this interface. The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE is entered as 000C.F142.4CDE. The first two bytes of a manual MAC address cannot be A2 if you also want to use auto-generated MAC addresses. For use with failover, set the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
Step 3 mtu interface_name bytes
Sets the MTU between 300 and 9198 bytes (9000 for the ASAv). The default is 1500 bytes. Note When you set the MTU for a redundant or port-channel interface, the ASA applies the setting to all member interfaces. For models that support jumbo frames, if you enter a value for any interface that is greater than 1500, then you need to enable jumbo frame support. See Enabling Jumbo Frame Support.
Step 4 sysopt connection tcpmss [ minimum ] bytes
Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0. For the minimum keyword, sets the maximum segment size to be no less than bytes, between 48 and 65535. The minimum feature is disabled by default (set to 0).
(Optional) Configure IPv6 addressing. See Configuring IPv6 Addressing.
This section describes how to configure IPv6 addressing.
You can configure two types of unicast addresses for IPv6: global and link-local.
At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global address, a link-local address is automatically configured on each interface, so you do not also need to specifically configure a link-local address. If you do not configure a global address, then you need to configure the link-local address, either automatically or manually.
Note If you want to only configure the link-local addresses, see the ipv6 enable (to auto-configure) or ipv6 address link-local (to manually configure) command in the command reference.
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits long and be constructed in Modified EUI-64 format. The ASA can enforce this requirement for hosts attached to the local link.
When this feature is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:
The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.
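As an added example (not Cisco's code), the following Python models the check described above: it derives the Modified EUI-64 interface ID from a packet's source MAC and compares it with the low 64 bits of the IPv6 source address, leaves addresses that begin with binary 000 alone as RFC 3513 does, and applies the check only when a flow is created. The host MAC 00-0C-F1-42-4C-DE is the one used elsewhere on this page; the router MAC and the simplified flow key (source and destination address only) are constructed for the example.

```python
import ipaddress


def modified_eui64(mac):
    """Derive the 8-byte Modified EUI-64 interface ID from a 48-bit MAC.

    Accepts 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000C.F142.4CDE. The
    universal/local bit of the first byte is inverted and FF FE is inserted
    between the OUI and the NIC-specific half.
    """
    raw = bytes.fromhex(mac.translate(str.maketrans("", "", ":-.")))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def source_passes_enforce_eui64(src_ip, src_mac):
    """True if a new flow with this IPv6 source and source MAC is forwarded.

    Addresses whose first three bits are 000 carry no EUI-64 requirement
    under RFC 3513, so they are left alone; every other source must carry
    the interface ID derived from the source MAC.
    """
    packed = ipaddress.IPv6Address(src_ip).packed
    if packed[0] >> 5 == 0:
        return True
    return packed[8:] == modified_eui64(src_mac)


class EnforcingInterface:
    """Interface with EUI-64 enforcement: the address format is verified only
    when a flow is created, never for packets of an existing flow. The flow
    key is simplified to (source, destination) for this example."""

    def __init__(self):
        self.flows = set()

    def accept(self, src_ip, dst_ip, src_mac):
        key = (src_ip, dst_ip)
        if key in self.flows:
            return True  # existing flow: not re-verified
        if not source_passes_enforce_eui64(src_ip, src_mac):
            return False  # dropped; the ASA also generates a system log message
        self.flows.add(key)
        return True


# Constructed demonstration values: the host MAC is the one used elsewhere on
# this page; the router MAC stands in for a host reached through a router.
HOST_MAC = "00-0C-F1-42-4C-DE"
HOST_ADDR = "2001:db8::20c:f1ff:fe42:4cde"  # interface ID derived from HOST_MAC
ROUTER_MAC = "00:11:22:33:44:55"

if __name__ == "__main__":
    print(modified_eui64(HOST_MAC).hex())
    print(source_passes_enforce_eui64(HOST_ADDR, HOST_MAC))    # local host: forwarded
    print(source_passes_enforce_eui64(HOST_ADDR, ROUTER_MAC))  # via a router: dropped
```

The last call shows the caveat in the text: the same host address fails once its frames arrive with the router's MAC, because the interface ID no longer matches the source MAC.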
The following IPv6 commands are not supported in transparent firewall mode, because they require router capabilities:
To configure a global IPv6 address for a bridge group or management interface, perform the following steps.
Note Configuring the global address automatically configures the link-local address, so you do not need to configure it separately.
– ASA 5512-X and higher—Chapter 10, “Basic Interface Configuration (ASA 5512-X and Higher)”
– ASA 5505—Chapter 11, “Basic Interface Configuration (ASA 5505)”
– ASASM—Chapter 2, “Switch Configuration for the ASA Services Module”
– ASAv—Chapter 12, “Basic Interface Configuration (ASAv)”
Step 1 interface management_interface_id
If you are not already in interface configuration mode, enters interface configuration mode.
Step 2 ipv6 address ipv6-address/prefix-length [ standby ipv6-address ]
Assigns a global address to the interface. When you assign a global address, the link-local address is automatically created for the interface (for a bridge group, for each member interface). standby specifies the interface address used by the secondary unit or failover group in a failover pair. Note The eui-64 keyword to use the Modified EUI-64 interface ID for the interface ID is not supported in transparent mode.
Step 3 ipv6 enforce-eui64 if_name
Enforces the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link. The if_name argument is the name of the interface, as specified by the nameif command, on which you are enabling the address format enforcement. See Modified EUI-64 Interface IDs for more information.
See “IPv6 Neighbor Discovery,” to configure IPv6 neighbor discovery.
By default, interfaces on the same security level cannot communicate with each other, and packets cannot enter and exit the same interface. This section describes how to enable inter-interface communication when interfaces are on the same security level.
Allowing interfaces on the same security level to communicate with each other is useful if you want traffic to flow freely between all same security interfaces without ACLs.
If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
Step 1 same-security-traffic permit inter-interface
Enables interfaces on the same security level so that they can communicate with each other.
This section describes how to turn off and on an interface.
All interfaces are enabled by default. In multiple context mode, if you disable or reenable the interface within a context, only that context interface is affected. But if you disable or reenable the interface in the system execution space, then you affect that interface for all contexts.
To monitor interfaces, enter the show interface command.
The following example includes two bridge groups of three interfaces each, plus a management-only interface:
Table 14-1 lists each feature change and the platform release in which it was implemented.