Cisco ASA Interface Configuration

The Cisco ASA Firewall provides us with flexible and scalable choices for connecting our appliance into the network.  This post will provide elements of the ASA configuration specific to the interfaces for an ASA operating in Routed / Single Mode with no failover commands.

Cisco ASA5520


The number and speed of the interfaces installed in your ASA is dependent on the model and license.  They are as follows:

ASA5505
8 x 10/100 switchports (two of which provide PoE).
ASA5510
Base License – 5x 10/100 Ports
Security Plus License – 2x 10/100/1000 & 3x 10/100 Ports
ASA5520 & ASA5540
4x 10/100/1000 & 1x 10/100 Ports
ASA5550
8x 10/100/1000, 4x SFP & 1x 10/100
ASA5580
The ASA5580 interfaces are dependent on the modules purchased for it.
www.syn-ack.co.uk
Additional Interfaces
The 5510, 5520 & 5540 support the 4GE SSM, which hosts four additional copper or SFP interfaces.
For basic interface connectivity we must enter interface configuration mode:
ASA (config)# interface gi0/1
*we are now working under interface configuration mode and can configure our IP Address, Nameif, Security Level, Speed & Duplex.
ASA (config-if)# ip address 10.0.0.1 255.255.255.0
ASA (config-if)# nameif SERVER_DMZ
ASA (config-if)# security-level 50
ASA (config-if)# speed 1000
ASA (config-if)# duplex full
ASA (config-if)# no shut (physical ports are shut down by default)
IP Addressing
The IP Address can be assigned statically (as above) or it can be assigned dynamically via DHCP:
ASA (config-if)# ip address dhcp
If you wanted the default route for the ASA to be provided by the DHCP server you would configure:
ASA (config-if)# ip address dhcp setroute
Nameif Command
The nameif command gives an interface a friendly name that is used throughout the rest of the configuration in place of the interface type and ID such as Gi0/1.  Be careful when renaming an interface: overwrite the name in place by simply typing “nameif new-name” and let the ASA correct all related configuration elements.  If you do “no nameif” followed by ”nameif new-name” you may find that a lot of your configuration relating to the old interface name has disappeared!  *Your ASA will not pass traffic on an interface until the nameif command has been configured.
Security Levels
Security Levels allow us to define how trusted an interface is.  The higher the number, the more trusted an interface is classed.  If no access lists are applied to an interface the ASA will permit traffic travelling from an interface with a higher security level to a lower security level.  i.e. If the INSIDE is set to 100 and the OUTSIDE set to 0 then users connected to the inside interface could access hosts on the outside.  Users on the outside however would not be able to access resources on the inside interface.  The ASA would allow return traffic to hosts on the inside by tracking connections in the state table.  Usually, the INSIDE interface has a security level of 100 and the OUTSIDE a security level of 0.
If two interfaces have the same security level configured and you want traffic to flow between them, or you want traffic to exit the same interface it entered, you must enter the following commands under global configuration:

same-security-traffic permit inter-interface (for traffic between two different interfaces, physical or sub-interface, that share the same security level).
same-security-traffic permit intra-interface (for traffic that leaves by the same interface it entered).

The “intra-interface” switch is what hairpinning (router on a stick) needs, i.e. VPN traffic that terminates on the outside interface and then goes back out of that same interface to reach the internet requires the “same-security-traffic permit intra-interface” command.
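The implicit policy described in the last two sections, written out as a small model you can query before any access lists are applied. This is an added example, not code from the original post or from Cisco; the interface names and security levels in it are constructed for illustration, and the `acl_in` field stands in for an inbound access-group on an interface.

```python
"""Model of the ASA implicit interface policy described above.

Added example, not code from the original post or from Cisco. It encodes the
rules in the text: higher security level to lower is permitted, lower to higher
is denied, equal levels need 'same-security-traffic permit inter-interface',
leaving by the ingress interface needs 'same-security-traffic permit
intra-interface', and an inbound access-group on the ingress interface replaces
the implicit permit/deny with the ACL's own entries. Names and levels below are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AsaPolicy:
    levels: dict                              # nameif -> security-level
    inter_interface: bool = False             # same-security-traffic permit inter-interface
    intra_interface: bool = False             # same-security-traffic permit intra-interface
    acl_in: set = field(default_factory=set)  # nameifs with an inbound access-group


def implicit_verdict(policy, ingress, egress):
    """Return (verdict, reason) for a NEW connection entering on `ingress` and
    leaving on `egress`; verdict is 'permit', 'deny' or 'acl' (the inbound ACL
    on `ingress` decides, ending in its implicit deny). Return traffic of an
    existing connection is matched in the state table and is not modelled."""
    for name in (ingress, egress):
        if name not in policy.levels:
            return "deny", f"{name}: no nameif / security-level, so no traffic passes"
    s, d = policy.levels[ingress], policy.levels[egress]
    # The two same-security switches are required even when an ACL permits the flow.
    if ingress == egress and not policy.intra_interface:
        return "deny", "hairpin needs same-security-traffic permit intra-interface"
    if ingress != egress and s == d and not policy.inter_interface:
        return "deny", f"equal levels ({s}) need same-security-traffic permit inter-interface"
    if ingress in policy.acl_in:
        return "acl", f"inbound access-group on {ingress} decides; implicit policy not used"
    if ingress == egress:
        return "permit", "hairpin allowed by same-security-traffic permit intra-interface"
    if s > d:
        return "permit", f"higher security level ({s}) to lower ({d})"
    if s == d:
        return "permit", f"equal levels ({s}) allowed by same-security-traffic permit inter-interface"
    return "deny", f"lower security level ({s}) to higher ({d}); an inbound ACL is required"


def flow_matrix(policy):
    """Verdict for every ordered (ingress, egress) pair, a quick review before ACLs are added."""
    names = list(policy.levels)
    return {(a, b): implicit_verdict(policy, a, b)[0] for a in names for b in names}


if __name__ == "__main__":
    # Constructed topology: three-leg firewall plus a second DMZ at the same level,
    # with hairpinning enabled on the OUTSIDE for VPN clients.
    pol = AsaPolicy(levels={"INSIDE": 100, "SERVER_DMZ": 50, "USER_DMZ": 50, "OUTSIDE": 0},
                    intra_interface=True)
    for (a, b), v in sorted(flow_matrix(pol).items()):
        print(f"{a:>10} -> {b:<10} {v}")
```

The order of the checks is the point: the two same-security switches are tested before the ACL, because an access-group permitting DMZ-to-DMZ traffic still does nothing until “same-security-traffic permit inter-interface” is configured, and the same holds for hairpinned VPN traffic and the intra-interface switch.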
Speed & Duplex
The speed and duplex settings are always configured on the physical interface, even when sub-interfaces are defined.  The interfaces on an ASA auto-negotiate speed and duplex by default.  In this mode the interface is also capable of auto-MDI/MDIX, eliminating the need for a crossover cable.  As long as either speed or duplex is left at auto-negotiate the interface remains capable of auto-MDI/MDIX.  Gigabit Ethernet always auto-negotiates, whether set to auto or to 1000/full.
ICMP Control Lists for ASA
ICMP traffic that terminates on the ASA interfaces themselves (as opposed to ICMP passing through the firewall) can be turned on and off using the icmp command, for example icmp permit any echo OUTSIDE.

The ASA interfaces respond to ICMP requests by default, but once you begin using an ICMP control list on an interface everything that is still required must be permitted explicitly, because the list ends in an implicit deny.  If you restrict ICMP with a control list it is recommended that you permit the ICMP unreachable message type (type 3) so as not to interfere with path MTU discovery, as blocking it can cause problems with IPsec and PPTP traffic.

Redundant Interfaces
Redundant interfaces group two physical interfaces into one logical interface for resiliency.  Redundant interfaces operate in active/standby mode.  To enable this feature both interfaces must be of the same physical specification.  The logical redundant interface uses the MAC address of the first member interface added to it, and when the ASA fails over to the standby member the same MAC address is kept.  It is also possible to define a MAC address statically.
ASA (config)# interface redundant 1
ASA (config-if)# member-interface gi0/1
ASA (config-if)# member-interface gi0/2
The nameif, security level and IP address are then configured on the redundant interface rather than on its members.  Failover interface monitoring likewise applies to the logical redundant interface, not to the members (similar to VLAN sub-interfaces):
monitor-interface redundant 1
VLAN Sub-interfaces
VLAN sub-interfaces allow us to divide a physical interface into multiple logical interfaces, giving us more interfaces on the firewall.  The physical link becomes an 802.1q trunk when sub-interfaces are used, and the switchport that the firewall interface connects to must be configured as an 802.1q trunk that either allows all VLANs or specifically allows every VLAN used by sub-interfaces on that physical interface.

To prevent the physical interface passing untagged traffic, ensure that “no nameif” is configured on the physical interface.  A VLAN ID must be assigned to each sub-interface; until it is, the sub-interface will not pass traffic.  Spanning-tree portfast may be used on the switchport so that it moves to the forwarding state more quickly.  The speed and duplex settings are configured on the physical link.

The different ASA models support different numbers of VLANs:
ASA5505
Base License – 3 VLANs (trunking is disabled)
Security Plus License – 20 VLANs (trunking enabled)
ASA5510
Base License – 50 VLANs
Security Plus License – 100 VLANs
ASA5520
150 VLANs
ASA5540
200 VLANs
ASA5550
250 VLANs
ASA5580
250 VLANs
To configure a VLAN sub-interface do the following:
(config)# interface gi0/1.100
(config-subif)# vlan 100 *I prefer to make the sub-interface number the same as the VLAN ID for simplicity.
- carry out the usual interface configuration on the sub-interface: nameif, ip address, security-level, no shut, description.
*remember to perform a “no shut” on the physical interface and otherwise leave it blank, with no nameif configured, to prevent it passing untagged traffic.
VLAN Sub-interfaces can also be configured on redundant interfaces in a similar manner:
(config)#interface redundant 1.100
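The sub-interface rules above, the same-security-level rule and the ICMP control list advice are all things that fail silently on a running firewall, so they are worth checking mechanically. The script below is an added example, not code from the original post or from Cisco: it parses the interface, same-security-traffic and icmp lines of a configuration and reports each of those pitfalls. SAMPLE_CONFIG is constructed for illustration and deliberately contains every one of them; the audit also notes the ASA default security level (100 for a nameif of “inside”, 0 for anything else) when none is set.

```python
"""Audit an ASA interface configuration for the pitfalls described above.

Added example, not code from the original post or from Cisco; SAMPLE_CONFIG is
constructed and deliberately contains every pitfall the audit looks for.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 shutdown
 nameif TRUNK
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif SERVER_DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 nameif INSIDE
 security-level 100
!
same-security-traffic permit intra-interface
icmp permit any echo OUTSIDE
"""
KEYS = {"nameif": "nameif", "security-level": "level", "vlan": "vlan"}

def parse_config(text):
    """Return (interfaces, same_security_modes, icmp_lines); 'no ...' lines leave the default."""
    interfaces, cur, modes, icmp = {}, None, set(), []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface":
            cur = words[1]
            interfaces[cur] = {"nameif": None, "level": None, "vlan": None, "shutdown": False}
        elif line.startswith(" ") and cur:
            key = KEYS.get(words[0])
            if key:
                interfaces[cur][key] = words[1] if key == "nameif" else int(words[1])
            elif words == ["shutdown"]:
                interfaces[cur]["shutdown"] = True
        else:
            cur = None
            if words[:2] == ["same-security-traffic", "permit"]:
                modes.add(words[2])
            elif words[0] == "icmp":
                icmp.append(words)
    return interfaces, modes, icmp

def icmp_permits_unreachable(icmp_lines):
    """True if an 'icmp permit' line covers type 3. Syntax: icmp permit|deny {any | host A | A MASK}
    [type] IFNAME. Simplified: lines are treated as one set, not per interface and not first-match."""
    for t in icmp_lines:
        if t[1] != "permit":
            continue
        rest = t[3:] if t[2] == "any" else t[4:]        # drop the source spec
        icmp_type = rest[0] if len(rest) == 2 else None  # None: all types
        if icmp_type in (None, "unreachable", "3"):
            return True
    return False

def audit(text):
    """Return a list of findings (strings) for the configuration text."""
    ifaces, modes, icmp = parse_config(text)
    findings, subs_of, by_level = [], defaultdict(list), defaultdict(list)
    for name in ifaces:
        if "." in name:
            subs_of[name.split(".")[0]].append(name)
    for parent, subs in subs_of.items():
        p = ifaces.get(parent, {"nameif": None, "shutdown": False})
        if p["nameif"]:
            findings.append(f"{parent}: physical interface keeps nameif {p['nameif']} and passes untagged traffic alongside its sub-interfaces; configure 'no nameif'")
        if p["shutdown"]:
            findings.append(f"{parent}: physical interface is shut down, so {', '.join(subs)} pass no traffic")
        for s in subs:
            if ifaces[s]["vlan"] is None:
                findings.append(f"{s}: no VLAN ID assigned, the sub-interface will not pass traffic")
    for name, i in ifaces.items():
        if i["nameif"] is None:
            continue
        level = i["level"]
        if level is None:  # ASA default: 100 when the nameif is 'inside', 0 otherwise
            level = 100 if i["nameif"].lower() == "inside" else 0
            findings.append(f"{name}: no security-level set, ASA defaults it to {level}")
        by_level[level].append(i["nameif"])
    if "inter-interface" not in modes:
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(f"{' and '.join(names)} share security-level {level} but 'same-security-traffic permit inter-interface' is not set; traffic between them is denied")
    if icmp and not icmp_permits_unreachable(icmp):
        findings.append("icmp control list in use but unreachable (type 3) is never permitted; path MTU discovery may break")
    return findings
```

Run it against the output of show running-config interface plus the same-security-traffic and icmp lines; a clean configuration returns an empty list. The TRUNK interface in the sample shows why the untagged-traffic check matters: with a nameif it is a live interface at the default security level 0, the same as OUTSIDE, and it would also be counted by the equal-level check.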
