
Chapter 50

PIX/ASA/FWSM Platform User Interface Reference

User Guide for Cisco Security Manager 4.0.1, OL-23439-01

The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs).

These topics are organized in the order in which they appear in Device view. Not all of these elements apply to every device; which ones apply depends on the selected device's operating mode and configuration.

Interfaces

• Interfaces Page: PIX and ASA, page 50-2

• Interfaces Page: FWSM, page 50-20

• ASA 5505 Ports and Interfaces Page, page 50-25

Platform

• Bridging, page 50-29

– ARP Table Page, page 50-30

– ARP Inspection Page, page 50-31

– MAC Address Table Page, page 50-33

– MAC Learning Page, page 50-34

– Management IP Page, page 50-36

• Device Admin

– AAA Page, page 50-36

– Authentication Tab, page 50-37

– Authorization Tab, page 50-38

– Accounting Tab, page 50-38

– Banner Page, page 50-40

– Boot Image/Configuration Page, page 50-41

– Clock Page, page 50-42

– Credentials Page, page 50-44

– CPU Threshold Page, page 50-44


Interfaces Page: PIX and ASA

The Interfaces page displays configured interfaces, subinterfaces, and redundant interfaces, and lets you add, edit, and delete them.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

Navigation Path

To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Using the Add/Edit Interface Dialog Box, page 39-7

Field Reference

Table 50-1 Interfaces Page

Element Description

Interfaces Table

Interface Type The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are:

• Ethernet

• GigabitEthernet

• TenGigabitEthernet (ASA 5580 only)

• Redundant

Name The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address The IP address of the interface, or in transparent mode, the word “native.” Transparent mode interfaces do not use IP addresses.

IP Address Type The method by which the IP address is provided. Valid options are:

• static – The IP address is manually defined.

• dhcp – The IP address is obtained via a DHCP lease.

• pppoe – The IP address is obtained using PPPoE.


Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces – The interface is a member of the default role assigned to all interfaces.

• Internal – This interface is a member of the default role associated with all inside interfaces.

• External – This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

Hardware Port Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed.

For subinterfaces, this value identifies the physical interface with which the subinterface is associated.

Enabled Indicates if the interface is enabled: true or false.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

VLAN ID For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration.

If this value is not specified, the column displays native.

Security Level The interface security level; a value between 0 and 100.

Management Only Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.

MTU The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500.

Member Indicates whether this interface is a member of a redundant interface pair: true or false.


Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 39-4 for more information about redundant interfaces.

You can enable communication between interfaces that have the same security level. Interfaces that are not in use can be disabled; a disabled interface does not transmit or receive data, but its configuration is retained.

In multiple-context mode, you can only add interfaces in the system configuration. See the Chapter 49, “Configuring Security Contexts on Firewall Devices” page for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign an interface as the failover link or state link, you cannot edit or delete it from the Interfaces page. The only exception is a physical interface used as the state link, for which you can still configure speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:

• Add/Edit Interface Dialog Box (PIX/ASA), page 50-5

• Add/Edit Interface Dialog Box (ASA 5505), page 50-10

• Add/Edit Interface Dialog Box (PIX 6.3), page 50-14

Navigation Path

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA, page 50-2.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: PIX and ASA, page 50-2

• ASA 5505 Ports and Interfaces Page, page 50-25

• Advanced Interface Settings Dialog Box, page 50-17

• Add VPND Group Dialog Box, page 50-18

• PPPoE Users Dialog Box, page 50-19

Table 50-1 Interfaces Page (Continued)

Element Description

Description A description of the interface. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description.

ASR Group If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.


Add/Edit Interface Dialog Box (PIX/ASA)

The Add/Edit Interface dialog box is used to define and configure interfaces.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a Primary or Secondary ISP interface to be management only.

Redundant Interface Select this option to define a “redundant interface.” When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.

• Redundant ID – Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.

• Primary Interface – Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.

• Secondary Interface – Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.

Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces.

See About Redundant Interfaces, page 39-4 for more information.
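The following Python script is an added example, not part of this guide and not Cisco Security Manager code. It checks a security appliance running-configuration against three rules stated in this chapter: the Enabled rule from Table 50-1 (a subinterface passes traffic only if its physical interface is also enabled, and an enabled interface needs a name and, in routed mode, an IP address), the failover-link rule (do not name an interface that is used as the failover link), and the redundant-member note above (members of the same type, enabled, with no name, IP address, or security level). SAMPLE_CONFIG is constructed for illustration; the script assumes the running-config conventions that a disabled interface shows an explicit shutdown line and that a subinterface is named <physical port>.<id>. The function names (lint, parse_interfaces) are the example's own.

```python
"""Lint ASA interface configuration against the interface rules in this
chapter.  Added example, not Cisco or Security Manager code.  Assumed
running-config conventions: a disabled interface carries an explicit
"shutdown" line, and a subinterface is named <physical-port>.<id>.
SAMPLE_CONFIG is constructed for illustration."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 speed 1000
interface GigabitEthernet0/3
 nameif inside-b
 security-level 100
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Management0/0
 nameif folink
 ip address 10.255.0.1 255.255.255.252
failover lan interface folink Management0/0
"""


def parse_interfaces(config):
    """Return {interface-id: [stripped sub-commands]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any global command ends the block
    return blocks


def _has(lines, cmd):
    return any(l == cmd or l.startswith(cmd + " ") for l in lines)


def lint(config, routed=True):
    """Return [(interface-id, finding)] for the rules this chapter states."""
    ifs = parse_interfaces(config)
    # Ports claimed as failover/state link: must not carry a name (nameif).
    fo_ports = set(re.findall(r"^failover (?:lan interface|link) \S+ (\S+)$",
                              config, re.M))
    # Member port -> redundant interface that owns it.
    members = {l.split()[1]: red for red, ls in ifs.items()
               for l in ls if l.startswith("member-interface ")}

    def enabled(name):
        # A subinterface passes traffic only if its physical parent is up too.
        if _has(ifs.get(name, []), "shutdown"):
            return False
        parent = name.split(".", 1)[0]
        return parent == name or (parent in ifs and enabled(parent))

    out = []
    for name, lines in ifs.items():
        if name in fo_ports:
            if _has(lines, "nameif"):
                out.append((name, "failover link must not be named (nameif)"))
            continue
        if name in members:
            # Members carry only speed/duplex: no name, address or level.
            for cmd in ("nameif", "ip address", "security-level"):
                if _has(lines, cmd):
                    out.append((name, "member of %s must not set %s"
                                % (members[name], cmd)))
            if not enabled(name):
                out.append((name, "member of %s must be enabled" % members[name]))
            continue
        mem = [l.split()[1] for l in lines if l.startswith("member-interface ")]
        if len({re.match(r"[A-Za-z]+", m).group(0) for m in mem}) > 1:
            out.append((name, "member interfaces must be of the same type"))
        if not enabled(name):
            out.append((name, "disabled: interface or its physical parent is shut down"))
        elif not _has(lines, "nameif"):
            out.append((name, "enabled but unnamed: no traffic will pass"))
        elif routed and not _has(lines, "ip address"):
            out.append((name, "named but has no IP address (routed mode): no traffic will pass"))
    return out


if __name__ == "__main__":
    for iface, finding in lint(SAMPLE_CONFIG):
        print("%-22s %s" % (iface, finding))
```

Run against SAMPLE_CONFIG, the script reports the shut-down GigabitEthernet0/1 and, separately, its subinterface GigabitEthernet0/1.10 (enabled and fully configured, yet unable to pass traffic because the parent is down), the two forbidden settings on redundant member GigabitEthernet0/3, and the name assigned to the failover link Management0/0; the correctly configured outside, Redundant1 and GigabitEthernet0/2 entries produce no findings.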

Type Type of interface. Valid values are:

• Interface – Settings represent a physical interface.

• Subinterface – Settings represent a logical interface attached to the same network as its underlying physical interface.

Note This option is not available when Redundant Interface is selected.


Name Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. Supported interface names include:

• Inside – Connects to your internal network. Must be the most secure interface.

• DMZ – “Demilitarized zone” attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with “DMZ” to identify the interface type.

• Outside – Connects to an external network or the Internet. Must be the least secure interface.

Note Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.

Hardware Port For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface.

Valid values are:

• Ethernet0 to Ethernetn

• GigabitEthernet0 to GigabitEthernetn

• GigabitEthernets/n

• TenGigabitEthernets/n (ASA 5580 only)

where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.

For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID in the list, make sure the physical interface is defined and enabled.

Note This option is not visible when Redundant Interface is selected.

Subinterface ID Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform.

Note You cannot change the ID after you set it.

Media Type When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:

• RJ45 – Port uses RJ-45 connectors.

• SFP – Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.


IP Type Specifies the addressing for the interface; choose one of the following methods and provide related parameters:

• Static IP – Provide a static IP Address and Subnet Mask that represents the security device on this interface’s connected network. The IP address must be unique for each interface.

The Subnet mask can be expressed in dotted decimal format (for example, 255.255.255.0), or by entering the number of bits in the network mask (for example, 24). Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface. If you omit the Subnet Mask value, a “classful” network is assumed.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

• Use DHCP – Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:

– DHCP Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1.

Every route has a value that represents its priority of use; in this dialog box that value is the administrative distance (sometimes loosely called the metric). When two or more routes to the same destination are available, the device installs the one with the lowest administrative distance.

– Obtain Default Route using DHCP – Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes, page 46-34.

– Enable Tracking for DHCP Learned Route – If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following option becomes available:

– Tracked SLA Monitor – Required if Enable Tracking for DHCP Learned Route is selected. Enter or Select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.


IP Type (cont.) • PPPoE (PIX and ASA 7.2+) – Enables Point-to-Point Protocol over Ethernet (PPPoE) for automatic assignment of an IP address from a PPPoE server on the connected network; this option is not supported with failover. The following options become available:

– VPDN Group Name (required) – Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 39-16 for more information.

– IP Address – If provided, this static IP address is used for connection and authentication, instead of a negotiated address.

– Subnet Mask – The subnet mask to be used in conjunction with the provided IP Address.

– PPPoE Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1.

Every route has a value that represents its priority of use; in this dialog box that value is the administrative distance (sometimes loosely called the metric). When two or more routes to the same destination are available, the device installs the one with the lowest administrative distance.

– Obtain Default Route using PPPoE – Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.

– Enable Tracking for PPPoE Learned Route – If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:

– Dual ISP Interface – If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.

– Tracked SLA Monitor – Required if Enable Tracking for PPPoE Learned Route is selected. Enter or select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.

Note You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
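As an added example (not Security Manager code), the following Python functions apply the Static IP rules from the IP Type element above: the Subnet Mask is accepted in dotted decimal or prefix-length form, a classful mask is assumed when the field is blank, 255.255.255.254 and 255.255.255.255 are rejected because they stop traffic on the interface, and each interface must have a unique address. The subnet-overlap check goes beyond this page: the appliance also refuses to put two interfaces on the same subnet. DIALOG_INPUT is constructed, and the function names are the example's own.

```python
"""Validate the Static IP fields of the Add/Edit Interface dialog box and
derive the resulting 'ip address' command.  Added example, not Security
Manager code.  Rules from the table: mask as dotted decimal or prefix
length, classful mask when omitted, no /31 or /32 on a connected
interface, unique address per interface.  The overlap check is appliance
behaviour beyond this page (two interfaces may not share a subnet).
DIALOG_INPUT is constructed."""
import ipaddress

# Constructed dialog values: (Name, IP Address, Subnet Mask or None if blank)
DIALOG_INPUT = [
    ("outside", "203.0.113.2", "255.255.255.0"),
    ("inside", "10.1.1.1", "24"),                 # prefix-length form
    ("dmz", "192.168.10.1", None),                # blank -> classful /24
    ("mgmt", "10.1.1.200", "255.255.255.0"),      # same subnet as inside
    ("guest", "172.16.5.1", "255.255.255.255"),   # host mask: stops traffic
]


def classful_prefix(addr):
    """Prefix length assumed when the Subnet Mask field is left blank."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8   # class A
    if first < 192:
        return 16  # class B
    if first < 224:
        return 24  # class C
    raise ValueError("%s is not a class A, B or C unicast address" % addr)


def interface_network(addr, mask=None):
    """Build an IPv4Interface from the dialog's address and mask fields."""
    if not mask:
        prefix = classful_prefix(addr)
    elif "." in mask:
        # ipaddress accepts a dotted netmask and rejects non-contiguous ones
        prefix = ipaddress.IPv4Network("0.0.0.0/%s" % mask).prefixlen
    else:
        prefix = int(mask)
    if prefix >= 31:
        raise ValueError("mask /%d (%s) would stop traffic on the interface"
                         % (prefix, ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask))
    return ipaddress.IPv4Interface("%s/%d" % (addr, prefix))


def rejected(addr, mask=None):
    """True if the address/mask pair fails validation."""
    try:
        interface_network(addr, mask)
        return False
    except ValueError:
        return True


def validate_static_ips(entries):
    """Check (name, ip, mask) entries; return ({name: cli line}, [errors])."""
    seen, cli, errors = [], {}, []
    for name, ip, mask in entries:
        try:
            iface = interface_network(ip, mask)
        except ValueError as exc:
            errors.append("%s: %s" % (name, exc))
            continue
        clash = next((o for o, other in seen
                      if iface.ip == other.ip or iface.network.overlaps(other.network)),
                     None)
        if clash:
            errors.append("%s: %s conflicts with interface %s" % (name, iface, clash))
            continue
        seen.append((name, iface))
        cli[name] = "ip address %s %s" % (iface.ip, iface.netmask)
    return cli, errors


if __name__ == "__main__":
    lines, problems = validate_static_ips(DIALOG_INPUT)
    for name, line in lines.items():
        print("%-8s %s" % (name, line))
    for problem in problems:
        print("REJECTED", problem)
```

With the constructed input, outside, inside and dmz yield their ip address lines (dmz with the classful 255.255.255.0), mgmt is rejected for sharing the inside subnet, and guest is rejected for its host mask.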
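The following Python model is also an added example, not Security Manager code. It shows how the DHCP or PPPoE Learned Route Metric (administrative distance) and the Tracked SLA Monitor described above decide which default route the appliance installs in a dual ISP design: a learned default route bound to a track is withdrawn while the SLA monitor reports its target unreachable, and among the remaining default routes the lowest administrative distance wins. The cli_for and sla_tracking_cli functions emit the equivalent ASA commands (ip address dhcp/pppoe setroute, dhcp/pppoe client route distance and track, sla monitor, track ... rtr ... reachability) from the editor's knowledge of the ASA CLI; they are not output of Security Manager. ROUTES and the track states are constructed.

```python
"""Model the default-route selection behind the Learned Route Metric and
Tracked SLA Monitor fields.  Added example, not Security Manager code.
ROUTES and the track states are constructed.  The ASA command forms in
cli_for() and sla_tracking_cli() come from the editor's knowledge of the
ASA CLI, not from this page."""

# Dual ISP design: the primary link learns its default route over DHCP and
# tracks it with SLA monitor/track 1; the backup ISP has a static default
# route with a deliberately worse (higher) administrative distance.
ROUTES = [
    {"ifname": "outside", "source": "dhcp", "gateway": None,
     "distance": 1, "track": 1},
    {"ifname": "backup", "source": "static", "gateway": "198.51.100.1",
     "distance": 254, "track": None},
]


def cli_for(route, vpdn_group="isp1"):
    """Interface or global commands equivalent to one dialog-box entry."""
    src = route["source"]
    if src in ("dhcp", "pppoe"):
        lines = ["interface <hardware port>", " nameif %s" % route["ifname"]]
        if src == "pppoe":
            lines.append(" pppoe client vpdn group %s" % vpdn_group)  # VPDN Group Name
        lines.append(" ip address %s setroute" % src)                # Obtain Default Route
        lines.append(" %s client route distance %d" % (src, route["distance"]))
        if route["track"]:
            lines.append(" %s client route track %d" % (src, route["track"]))
        return lines
    track = " track %d" % route["track"] if route["track"] else ""
    return ["route %s 0.0.0.0 0.0.0.0 %s %d%s"
            % (route["ifname"], route["gateway"], route["distance"], track)]


def sla_tracking_cli(track_id, target, ifname):
    """The SLA monitor object and track that 'Tracked SLA Monitor' refers to."""
    return ["sla monitor %d" % track_id,
            " type echo protocol ipIcmpEcho %s interface %s" % (target, ifname),
            " frequency 10",
            "sla monitor schedule %d life forever start-time now" % track_id,
            "track %d rtr %d reachability" % (track_id, track_id)]


def active_default_route(routes, track_state):
    """Route installed in the routing table, or None if every candidate is down.

    A route bound to a track is withdrawn while the track is down; among the
    usable routes the lowest administrative distance wins (on a tie the first
    listed, standing in for equal-cost routes)."""
    usable = [r for r in routes
              if r["track"] is None or track_state.get(r["track"], False)]
    return min(usable, key=lambda r: r["distance"]) if usable else None


def failover_sequence(routes, track_states):
    """Interface carrying the default route for each successive track state."""
    seq = []
    for state in track_states:
        route = active_default_route(routes, state)
        seq.append(route["ifname"] if route else None)
    return seq


if __name__ == "__main__":
    for r in ROUTES:
        print("\n".join(cli_for(r)))
    print("\n".join(sla_tracking_cli(1, "203.0.113.1", "outside")))
    print(failover_sequence(ROUTES, [{1: True}, {1: False}, {1: True}]))
```

Note the consequence of the distance field: if the learned route were given a distance above the static backup's 254, the backup would carry the default route even while the primary link is healthy, so the learned-route distance should stay lower than that of any backup default route.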


VLAN ID Sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches; see the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.

Duplex Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.

Note This option is not visible when Redundant Interface is selected.

Speed Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type.

• 10

• 100

• 1000

• 10000 (set automatically for a TenGigabitEthernet interface; available only on ASA 5580)

• non-negotiable

Note This option is not visible when Redundant Interface is selected.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300 – 65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

Description Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). By default, the security appliance permits connections initiated from a higher-security interface to a lower-security interface (for example, from inside to outside) and denies connections initiated from a lower-security interface to a higher-security one unless an access rule permits them. Many other security features are affected by the relative security levels of the two interfaces.

• Outside interface is normally 0; an interface that is not named inside receives security level 0 by default.

• Inside interface is normally 100; naming an interface inside sets its security level to 100 by default.

• DMZ interfaces are between 1 and 99.


Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA) (Continued)

Element Description

Active MAC Address Use this field to manually assign a private MAC address to the interface.

MAC addresses are entered in H.H.H format, where each H is a group of four hexadecimal digits (16 bits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface; if you change the order of the member interfaces, the MAC address of the redundant interface changes to match that of the interface now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.

Standby MAC Address You can also set a standby MAC address for use with device-level failover. If the active unit fails and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces – Indicates the interface is a member of the default role assigned to all interfaces.

• Internal – Indicates this interface is a member of the default role associated with all inside interfaces.

• External – Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page, page 50-25.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.


Name Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications.

Supported interface names are:

• Inside—Connects to your internal network. Must be the most secure interface.

• DMZ—“Demilitarized zone” attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.

• Outside—Connects to an external network or the Internet. Must be the least secure interface.

IP Type Specifies the address type for the interface; choose one of the following methods and provide related parameters:

• Static IP – Provide a static IP Address and Subnet Mask that represents the security device on this interface’s connected network. If you omit the Subnet Mask value, a “classful” network is assumed.

• Use DHCP – Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:

– DHCP Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

– Obtain Default Route using DHCP – Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes, page 46-34.

– Enable Tracking for DHCP Learned Route – If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:

– Tracked SLA Monitor – Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)

• PPPoE (PIX and ASA 7.2+) – Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover. The following options become available:

– VPDN Group Name (required) – Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 39-16 for more information.


IP Type (cont.) – IP Address – If provided, this static IP address is used for connection and authentication, instead of a negotiated address.

– Subnet Mask – The subnet mask to be used in conjunction with the provided IP Address.

– PPPoE Learned Route Metric (required) – Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

– Obtain Default Route using PPPoE – Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.

– Enable Tracking for PPPoE Learned Route – If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:

– Dual ISP Interface – If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.

– Tracked SLA Monitor – Required if Enable Tracking for PPPoE Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)

Note You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

VLAN ID Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration.


Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.

Block Traffic To Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address Use this field to manually assign a MAC address to the interface.

MAC addresses are provided in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.


Add/Edit Interface Dialog Box (PIX 6.3)

Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3)

Element Description

Enable Interface Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy.

You must enable a physical interface before any traffic can pass through any enabled subinterfaces.

Type Type of VLAN interface. Valid values are:

• Logical—VLAN is associated with a logical interface.

• Physical—VLAN is on the same network as its underlying hardware interface.

Name Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

• Inside—Connects to your internal network. Must be the most secure interface.

• DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.

• Outside—Connects to an external network or the Internet. Must be the least secure interface.

Hardware Port When defining a physical network interface, this value is the name that identifies the interface type and its slot or port in the device.

When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled.

Valid values are:

• ethernet0 to ethernetn.

• gb-ethernetn.

where n represents the number of network interfaces in the device.

IP Type Specifies the address type for the interface.

• Static IP—Assigns a static IP address and mask to the interface.

• Use DHCP—Assigns a dynamic IP address and mask to the interface.

• Use PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.


IP Address Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type.

• IP address must be unique for each interface.

• The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.

Subnet Mask Identifies the network mask for the IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.

Obtain Default Route using DHCP

Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route; see Configuring Static Routes, page 46-34.

Retry Count Identifies the number of tries before an error is returned. Valid values are 4 through 16.

Obtain default route using PPPoE

Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.


Speed and Duplex Lists the speed options for a physical interface; not applicable to logical interfaces.

• auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.

• 10baset—10-Mbps Ethernet half-duplex.

• 10full—10-Mbps Ethernet full-duplex.

• 100basetx—100-Mbps Ethernet half-duplex.

• 100full—100-Mbps Ethernet full-duplex.

• 1000auto—1000-Mbps Ethernet to auto-negotiate full- or half-duplex.

Tip We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.

• 1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.

• 1000full nonnegotiate—1000-Mbps Ethernet full-duplex.

• aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.

• bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.

Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

Physical VLAN ID For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.

Logical VLAN ID Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.
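The field constraints given in Table 50-4 (name length, MTU range, VLAN ID range, dotted-decimal or prefix-length masks with /31 and /32 rejected, DHCP retry count) and the H.H.H MAC format from Table 50-3 are easy to check before an interface definition is pushed to a device. The following Python is an added example, not Cisco Security Manager code; the InterfaceSpec record, its field names and the "static"/"dhcp"/"pppoe" type strings are assumptions of the example, not Security Manager identifiers.

```python
"""Pre-push validation of a PIX/ASA interface definition (added example, not Cisco code).

Encodes the constraints stated in Tables 50-3 and 50-4 of this chapter so that
a record can be rejected locally instead of failing at deployment time.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InterfaceSpec:
    """Hypothetical record mirroring the Add/Edit Interface dialog fields."""
    name: str
    ip_type: str                       # "static", "dhcp" or "pppoe" (assumed strings)
    ip_address: Optional[str] = None
    subnet_mask: Optional[str] = None  # dotted decimal or bare prefix length
    mtu: Optional[int] = None          # None -> platform default
    vlan_id: Optional[int] = None
    security_level: Optional[int] = None
    retry_count: Optional[int] = None  # DHCP only, 4..16
    mac_address: Optional[str] = None  # vendor form such as 00-0C-F1-42-4C-DE


def mask_prefix_length(mask: str) -> int:
    """Accept a dotted-decimal mask or a bare prefix length; return the prefix length.
    Non-contiguous masks such as 255.0.255.0 raise ValueError."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return bits
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def to_cisco_mac(mac: str) -> str:
    """Convert 00-0C-F1-42-4C-DE (dash, colon or dotted form) to H.H.H: 000C.F142.4CDE."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def default_mtu(ip_type: str) -> int:
    """Table 50-4: 1500 bytes for all types except PPPoE, which defaults to 1492."""
    return 1492 if ip_type == "pppoe" else 1500


def validate_interface(spec: InterfaceSpec) -> List[str]:
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    if not spec.name or len(spec.name) > 48:
        problems.append("name must be 1-48 characters")
    if spec.ip_type not in ("static", "dhcp", "pppoe"):
        problems.append(f"unknown IP type {spec.ip_type!r}")
    if spec.ip_type == "static" and (spec.ip_address is None or spec.subnet_mask is None):
        problems.append("static IP type requires an address and a mask")
    if spec.subnet_mask is not None:
        try:
            # 255.255.255.254 and 255.255.255.255 stop traffic on a connected interface
            if mask_prefix_length(spec.subnet_mask) >= 31:
                problems.append("mask /31 or /32 not allowed on a connected interface")
        except ValueError as exc:
            problems.append(f"bad subnet mask: {exc}")
    if spec.ip_address is not None:
        try:
            ipaddress.IPv4Address(spec.ip_address)
        except ValueError:
            problems.append(f"bad IP address {spec.ip_address!r}")
    mtu = spec.mtu if spec.mtu is not None else default_mtu(spec.ip_type)
    if not 300 <= mtu <= 65535:
        problems.append(f"MTU {mtu} outside 300-65535")
    if spec.vlan_id is not None and not 1 <= spec.vlan_id <= 4094:
        problems.append(f"VLAN ID {spec.vlan_id} outside 1-4094")
    if spec.security_level is not None and not 0 <= spec.security_level <= 100:
        problems.append(f"security level {spec.security_level} outside 0-100")
    if spec.retry_count is not None:
        if spec.ip_type != "dhcp":
            problems.append("retry count applies only to DHCP")
        elif not 4 <= spec.retry_count <= 16:
            problems.append(f"retry count {spec.retry_count} outside 4-16")
    if spec.mac_address is not None:
        try:
            to_cisco_mac(spec.mac_address)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample record; addresses are documentation-range values.
    sample = InterfaceSpec(name="outside", ip_type="static", ip_address="192.0.2.1",
                           subnet_mask="255.255.255.255", mtu=200, vlan_id=4095)
    for problem in validate_interface(sample):
        print("reject:", problem)
```

The mask check deliberately routes through ipaddress.IPv4Network so that a non-contiguous mask is rejected as well as the two all-ones forms the Note warns about; a bare "24" is accepted as the prefix-length spelling the dialog allows.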


Advanced Interface Settings Dialog Box

Navigation Path

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA, page 50-2 or ASA 5505 Ports and Interfaces Page, page 50-25.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: PIX and ASA, page 50-2

• Interfaces Page: FWSM, page 50-20

• ASA 5505 Ports and Interfaces Page, page 50-25

• Add/Edit Interface Dialog Box, page 50-4

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Add VPND Group Dialog Box, page 50-18

• PPPoE Users Dialog Box, page 50-19

Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.


Field Reference

Add VPND Group Dialog Box

Navigation Path

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page 50-17.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: PIX and ASA, page 50-2

• Interfaces Page: FWSM, page 50-20

• ASA 5505 Ports and Interfaces Page, page 50-25

• Add/Edit Interface Dialog Box, page 50-4

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Advanced Interface Settings Dialog Box, page 50-17

• PPPoE Users Dialog Box, page 50-19

Table 50-5 Advanced Interface Settings Dialog Box

Element Description

Traffic between interfaces with same security levels

Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

• Disabled—Does not allow communication between interfaces on the same security level.

• Inter-interface—Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.

• Intra-interface—Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.

• Both—Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name Displays the group name.

PPPoE Username Displays the PPPoE username.

PPP Authentication Indicates the PPP Authentication method for this VPDN group:

• PAP

• CHAP

• MSCHAP
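The same-security setting in Table 50-5 changes which flows the appliance admits with no access or translation rule at all, so it is worth being able to state the default decision precisely. The following Python is an added example, not Cisco code: it models the security-level rule stated in this chapter (traffic flows freely from a higher to a lower level) together with the four options of the setting, and lists the interface pairs that a change of the setting would affect. Two points are assumptions of the model and are marked as such in the code: traffic from a lower to a higher level is treated as not permitted by default, and intra-interface is represented by a same_interface flag.

```python
"""Default flow admission by relative security level (added example, not Cisco code)."""
from enum import Enum
from typing import Dict, List, Tuple


class SameSecurity(Enum):
    """The four values of 'Traffic between interfaces with same security levels' (Table 50-5)."""
    DISABLED = "disabled"
    INTER = "inter-interface"
    INTRA = "intra-interface"
    BOTH = "both"


def default_permit(src_level: int, dst_level: int, same_interface: bool,
                   setting: SameSecurity) -> bool:
    """Is a flow admitted with no explicit access rule?

    same_interface: True when the flow enters and leaves via sub-interfaces of the
    same interface (the case the intra-interface option governs).  Assumption.
    """
    for level in (src_level, dst_level):
        if not 0 <= level <= 100:
            raise ValueError(f"security level {level} outside 0-100")
    if src_level > dst_level:
        return True   # higher -> lower: flows freely (stated in the Security Level row)
    if src_level < dst_level:
        return False  # lower -> higher: needs an explicit access rule (assumption)
    # Equal levels: governed entirely by the same-security setting.
    if same_interface:
        return setting in (SameSecurity.INTRA, SameSecurity.BOTH)
    return setting in (SameSecurity.INTER, SameSecurity.BOTH)


def equal_level_pairs(levels: Dict[str, int]) -> List[Tuple[str, str]]:
    """Interface pairs that share a security level: exactly the flows the
    inter-interface option would open without any translation or access rule."""
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]


if __name__ == "__main__":
    # Constructed sample: two DMZ segments placed at the same level.
    sample = {"inside": 100, "dmz-web": 50, "dmz-db": 50, "outside": 0}
    for a, b in equal_level_pairs(sample):
        print(f"{a} <-> {b} opens if inter-interface is enabled")
```

Running equal_level_pairs over an interface table before flipping the setting from Disabled to Inter-interface or Both shows which segments will start talking to each other by default; the reviewer can then decide whether those pairs need their own access rules or distinct security levels instead.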


Field Reference

PPPoE Users Dialog Box

Navigation Path

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page 50-17. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box, page 50-18.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: PIX and ASA, page 50-2

• Interfaces Page: FWSM, page 50-20

• ASA 5505 Ports and Interfaces Page, page 50-25

• Add/Edit Interface Dialog Box, page 50-4

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Advanced Interface Settings Dialog Box, page 50-17

• Add VPND Group Dialog Box, page 50-18

• Add and Edit PPPoE User Dialog Boxes, page 50-20

Field Reference

Table 50-6 Add VPND Group Dialog Box

Element Description

Group Name Enter the group name.

PPPoE Username Select the PPPoE username.

PPP Authentication Select the PPP Authentication method:

• PAP

• CHAP

• MSCHAP

Table 50-7 PPPoE Users Dialog Box

Element Description

PPPoE Users (PIX and ASA 7.2+)

Username Displays the PPPoE username.

Store in Local Flash Indicates whether this PPPoE user account is to be stored in local flash (True or False).


Add and Edit PPPoE User Dialog Boxes

Navigation Path

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box, page 50-19.

Note The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: PIX and ASA, page 50-2

• Interfaces Page: FWSM, page 50-20

• ASA 5505 Ports and Interfaces Page, page 50-25

• Add/Edit Interface Dialog Box, page 50-4

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Advanced Interface Settings Dialog Box, page 50-17

• Add VPND Group Dialog Box, page 50-18

• PPPoE Users Dialog Box, page 50-19

Field Reference

Interfaces Page: FWSM

The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.

Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

Table 50-8 Add and Edit PPPoE User Dialog Boxes

Element Description

Username Provide a name for the PPPoE user.

Password Enter a password for this user.

Confirm Re-enter the password.

Store Username and Password in Local Flash

Select this option to store the PPPoE user information in flash memory.


The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

Navigation Path

To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Add/Edit Bridge Group Dialog Box, page 50-24

• Advanced Interface Settings Dialog Box, page 50-17

Field Reference

Table 50-9 FWSM Interfaces Page

Element Description

Interfaces Tab

Name The name assigned to the interface.

IP Address The IP address and subnet mask assigned to the interface.

Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces—The interface is a member of the default role assigned to all interfaces.

• Internal—This interface is a member of the default role associated with all inside interfaces.

• External—This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

VLAN ID The VLAN to which this logical interface is assigned.

Bridge Group The bridge group to which this interface is assigned (transparent mode only).

Enabled Indicates if the interface is enabled: true or false.

When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Security Level Displays the interface security level; a value between 0 and 100.

Management Only Indicates if this interface allows traffic to the security appliance for management purposes only.


FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. See Chapter 49, “Configuring Security Contexts on Firewall Devices,” to assign interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device version, and its mode (routed or transparent).

Navigation Path

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page 50-20.

Description A description of the interface, if provided.

In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description.

ASR Group Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab (transparent mode only)

Bridge Group The name of the bridge group.

ID The identifier assigned to this bridge group.

Interface A The first VLAN assigned to this bridge group.

Interface B The second VLAN assigned to this bridge group.

IP The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

A transparent firewall does not participate in IP routing.

Netmask Displays the netmask for the management IP address.

Description The description of this bridge group, if one was provided.


Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Interfaces Page: FWSM, page 50-20

• Add/Edit Bridge Group Dialog Box, page 50-24

• Advanced Interface Settings Dialog Box, page 50-17

Field Reference

Table 50-10 FWSM Add/Edit Interface Dialog Box

Element Description

Enable Interface Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Note You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

Management Only Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode.

Special interface names are:

• Inside—Connects to your internal network. Must be the most secure interface.

• DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with “DMZ” to identify the interface type.

• Outside—Connects to an external network or the Internet. Must be the least secure interface.

Note You cannot name more than two interfaces on an FWSM operating in transparent mode.

IP Address The IP address for the interface.

VLAN ID Enter the desired VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.

Security Level Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

• Outside interface is always 0.

• Inside interface is always 100.

• DMZ interfaces are between 1 and 99.

Description If desired, you can enter a description of the logical interface.


Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

Navigation Path

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page 50-20.

Related Topics

• Interfaces in Routed and Transparent Modes, page 39-4

• Bridging Support for FWSM 3.1, page 39-19

• Configuring Firewall Device Interfaces, page 39-2

Roles Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

ASR Group To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.


• Interfaces Page: FWSM, page 50-20

• FWSM Add/Edit Interface Dialog Box, page 50-22

• Advanced Interface Settings Dialog Box, page 50-17

Field Reference

ASA 5505 Ports and Interfaces Page

The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:

• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.

• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

Table 50-11 Add/Edit Bridge Group Dialog Box

Element Description

Name Enter a name for this bridge group.

ID Enter the bridge group ID as an integer between 1 and 100.

Interface A Select the first interface that is part of this bridge group.

Interface B Select the second interface that is part of this bridge group.

IP Address Enter the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Netmask Network mask for IP address of bridge group. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

Description You can enter an optional description for this bridge group.


Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
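The switch-port rules on this page (hardware switching within a VLAN, the security policy between VLANs, and the Protected option from the Hardware Ports tab that isolates ports on the same VLAN), modelled as an added example; this is not Cisco Security Manager or ASA code, and the port names, VLAN numbers and validation messages are constructed for illustration.

```python
"""Added example (not Cisco Security Manager or ASA code): a model of how the
ASA 5505 built-in switch treats a frame between two switch ports, using the
rules stated on this page: same-VLAN traffic is switched in hardware with
no security policy, inter-VLAN traffic goes through the VLAN interfaces and
the security policy, and two Protected (Isolated) ports on the same VLAN
cannot talk to each other at all.  validate_port() flags the trunk-licence
and PoE / Auto-MDI caveats from the Configure Hardware Ports dialog box."""
from dataclasses import dataclass

# The two PoE-capable switch ports named on this page.
POE_PORTS = frozenset({"Ethernet0/6", "Ethernet0/7"})


@dataclass(frozen=True)
class SwitchPort:
    name: str
    vlans: frozenset          # access port: exactly one VLAN; trunk: several
    mode: str = "access"      # "access" or "trunk"
    protected: bool = False   # the Protected / Isolated option
    speed: str = "auto"       # "auto", "10" or "100"
    duplex: str = "auto"      # "auto", "full" or "half"


def validate_port(port: SwitchPort, security_plus: bool) -> list:
    """Return the configuration problems and caveats for one switch port."""
    problems = []
    if port.mode not in ("access", "trunk"):
        problems.append(f"unknown mode {port.mode!r}")
    if port.mode == "access" and len(port.vlans) != 1:
        problems.append("access port must be assigned exactly one VLAN")
    if port.mode == "trunk" and not security_plus:
        problems.append("trunk mode requires the Security Plus license")
    fixed_speed = port.speed != "auto"
    fixed_duplex = port.duplex != "auto"
    if port.name in POE_PORTS and (fixed_speed or fixed_duplex):
        problems.append("fixed speed/duplex on a PoE port: Cisco phones and "
                        "access points without IEEE 802.3af are not powered")
    if fixed_speed and fixed_duplex:
        problems.append("fixed speed and duplex disables Auto-MDI/MDIX")
    return problems


def frame_path(src: SwitchPort, dst: SwitchPort, vlan_id: int) -> str:
    """Classify how a frame sent on vlan_id from src reaches dst.

    "hardware" - same VLAN: switched at Layer 2, no security policy applied
    "isolated" - same VLAN but both ports are Protected: blocked
    "policy"   - different VLANs: routed or bridged by the appliance, so the
                 configured security policy decides whether it passes
    "dropped"  - src does not carry vlan_id (a trunk drops frames whose tag
                 is not one of its assigned VLANs)
    """
    if vlan_id not in src.vlans:
        return "dropped"
    if vlan_id in dst.vlans:
        return "isolated" if (src.protected and dst.protected) else "hardware"
    return "policy"


def dmz_example() -> dict:
    """The DMZ case from the page: three web servers on Protected ports.

    Constructed layout: Ethernet0/1 is an inside port on VLAN 1 and
    Ethernet0/2-0/4 are DMZ ports on VLAN 3 with Protected set.
    """
    inside = SwitchPort("Ethernet0/1", frozenset({1}))
    web = [SwitchPort(f"Ethernet0/{i}", frozenset({3}), protected=True)
           for i in (2, 3, 4)]
    return {
        "web1->web2": frame_path(web[0], web[1], 3),    # blocked by Protected
        "web1->inside": frame_path(web[0], inside, 3),  # inter-VLAN: policy
        "inside->web3": frame_path(inside, web[2], 1),  # inter-VLAN: policy
    }


if __name__ == "__main__":
    print(dmz_example())
```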

Navigation Path

To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• Configure Hardware Ports Dialog Box, page 50-28

• Add/Edit Interface Dialog Box (PIX/ASA), page 50-5

• Advanced Interface Settings Dialog Box, page 50-17

• Add VPND Group Dialog Box, page 50-18

• PPPoE Users Dialog Box, page 50-19

Field Reference

Table 50-12 ASA 5505 Ports and Interfaces Page

Element Description

Hardware Ports Tab

Hardware Port Identifies the switch port.

Enabled Indicates whether this switch port is enabled or not (Yes or No).

Associated VLANs Shows the VLAN or VLANs that are associated with this port.

Associated Interface Names Shows the interface name of the VLAN(s) that are associated with this port.

Mode Shows the mode for this port:

• Access Port—Port is in access mode.

• Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not carry a tag for one of the VLANs assigned to this port.

Protected Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.


Interfaces Tab

Name Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address Type Specifies the method by which the IP address is provided. Valid options are:

• static—Identifies that the IP address is manually defined.

• dhcp—Identifies that the IP address is obtained via a DHCP lease.

• pppoe—Identifies that the IP address is obtained using PPPoE.

IP Address Displays the IP address, or in transparent mode, the word “native.” Transparent mode interfaces do not use IP addresses.

Block Traffic To Displays the interface to which traffic is blocked.

Backup Interface Displays the interface that acts as backup for this interface.

Interface Role Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

• All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

• Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

• External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-55.

Enabled Indicates if the interface is enabled (Yes or No).

VLAN ID Identifies the VLAN ID for this interface.

Security Level Displays the interface security level between 0 and 100.

Management Only Indicates whether the interface is restricted to management traffic, that is, traffic to the security appliance itself.

MTU Displays the MTU. By default, the MTU is 1500.

Description Displays a description of the interface.


Configure Hardware Ports Dialog Box

Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505, including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.

Caution The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore, you must ensure that any connection with the appliance does not end up in a network loop.

Navigation Path

You can access the Configure Hardware Ports dialog box from the Hardware Ports tab of the ASA 5505 Interfaces page. For more information about this page, see ASA 5505 Ports and Interfaces Page, page 50-25.

Related Topics

• Configuring Firewall Device Interfaces, page 39-2

• ASA 5505 Ports and Interfaces Page, page 50-25

• Add/Edit Interface Dialog Box (PIX/ASA), page 50-5

• Advanced Interface Settings Dialog Box, page 50-17

• Add VPND Group Dialog Box, page 50-18

• PPPoE Users Dialog Box, page 50-19

Field Reference

Table 50-13 Configure Hardware Ports Dialog Box

Element Description

Enable Interface Select to enable this switch port.

Isolated Select this option to prevent this port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, if you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Isolated option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Hardware Port Choose the switch port that you are configuring.

Mode Choose a mode for this port:

• Access Port—Sets the port to access mode. Access ports can be assigned to one VLAN.

• Trunk Port—Sets the port to trunk mode using 802.1Q tagging. Trunk ports can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets, there is no native VLAN support, and the appliance drops all packets that do not carry a tag for one of the VLANs assigned to this port.


VLAN ID Enter the VLAN ID(s) according to the chosen Mode:

• Access Port mode—Enter the VLAN ID to which you want to assign this switch port.

• Trunk Port mode—Enter the VLAN IDs to which you want to assign this switch port, separated by commas.

Duplex Lists the duplex options for the port, including Full, Half, or Auto. The Auto setting is the default.

If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Speed Choose a speed for the port:

• auto (default)

• 10

• 100

If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Bridging

This section discusses the following pages:

• ARP Table Page, page 50-30

• ARP Inspection Page, page 50-31

• MAC Address Table Page, page 50-33

• MAC Learning Page, page 50-34

• Management IP Page, page 50-36


ARP Table Page

Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identify the interface through which the host is reached.

Navigation Path

• (Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit ARP Configuration Dialog Box, page 50-31

• Bridging, page 50-29

• ARP Inspection Page, page 50-31

• MAC Address Table Page, page 50-33

• MAC Learning Page, page 50-34

• Management IP Page, page 50-36

Field Reference

Table 50-14 ARP Table Page

Element Description

Timeout (seconds) The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds.

Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout if the host information changes frequently.

Note The timeout applies to the dynamic ARP table, and not the static entries contained in the ARP table.

ARP Table

Interface The interface to which the host is attached.

IP Address The IP address of the host.

MAC Address The MAC address of the host.

Alias Enabled Indicates whether the security appliance performs proxy ARP for this mapping. If this setting is enabled and the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this entry. This feature is useful, for example, if you have devices that do not perform ARP.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.


Add/Edit ARP Configuration Dialog Box

Use the Add/Edit ARP Configuration dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.

Navigation Path

You can access the Add/Edit ARP Configuration dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page, page 50-30.

Related Topics

• Bridging, page 50-29

• ARP Table Page, page 50-30

Field Reference

Table 50-15 Add/Edit ARP Configuration Dialog Box

Element Description

Interface The name of the interface to which the host network is attached.

IP Address The IP address of the host.

MAC Address The MAC address of the host; for example, 00e0.1e4e.3d8b.

Enable Alias When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this entry. This feature is useful, for example, if you have devices that do not perform ARP.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.

ARP Inspection Page

Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.

Navigation Path

• (Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit ARP Inspection Dialog Box, page 50-32

• Bridging, page 50-29

• ARP Table Page, page 50-30


• MAC Address Table Page, page 50-33

• MAC Learning Page, page 50-34

• Management IP Page, page 50-36

Field Reference

Table 50-16 ARP Inspection Page

Element Description

ARP Inspection Table

Interface The name of the interface to which the ARP inspection setting applies.

ARP Inspection Enabled Indicates whether ARP inspection is enabled on the specified interface.

Flood Enabled Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

Add/Edit ARP Inspection Dialog Box

Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.

Navigation Path

You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page, page 50-31.

Related Topics

• Bridging, page 50-29

• ARP Inspection Page, page 50-31


Field Reference

Table 50-17 Add/Edit ARP Inspection Dialog Box

Element Description

Interface The name of the interface for which you are enabling or disabling ARP inspection.

Enable ARP Inspection on this interface When selected, enables ARP inspection on the specified interface.

Flood ARP packets When selected, packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

MAC Address Table Page

Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

Navigation Path

• (Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Add/Edit MAC Table Entry Dialog Box, page 50-34

• Bridging, page 50-29

• ARP Table Page, page 50-30

• ARP Inspection Page, page 50-31

• MAC Learning Page, page 50-34

• Management IP Page, page 50-36
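The proxy ARP alias setting from the ARP Table page and the ARP inspection flood rule from the ARP Inspection page and dialog box above, modelled as an added example; this is not Cisco Security Manager or ASA code, and the interface names, addresses and appliance MAC are constructed sample values.

```python
"""Added example (not Cisco Security Manager or ASA code): a model of the
two ARP behaviours described on the ARP Table and ARP Inspection pages.
proxy_arp_reply() covers the Alias / Enable Alias option of a static ARP
entry (ignored in transparent mode).  inspect_arp() covers ARP inspection
on a transparent-firewall interface: a packet that matches a static entry
passes, a packet that contradicts one is dropped, and a packet matching no
entry is flooded out every other interface, never the dedicated management
interface, only when Flood is enabled.  All values are constructed."""
from dataclasses import dataclass

APPLIANCE_MAC = "0011.2233.4455"   # constructed MAC of the security appliance


def normalize_mac(mac: str) -> str:
    """Return the Cisco dotted form (00e0.1e4e.3d8b) of any common MAC spelling."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class StaticArpEntry:
    interface: str
    ip: str
    mac: str
    alias: bool = False        # "Alias Enabled" / "Enable Alias" (proxy ARP)


@dataclass(frozen=True)
class ArpPacket:
    ingress: str               # interface the packet arrived on
    sender_ip: str
    sender_mac: str


def proxy_arp_reply(target_ip: str, entries: list, transparent_mode: bool):
    """MAC the appliance answers with for an ARP request for target_ip, or None.

    With Alias enabled the appliance answers with its own MAC and later
    forwards traffic for that IP to the host MAC in the entry.  The page
    notes that the setting is ignored in transparent firewall mode.
    """
    if transparent_mode:
        return None
    for entry in entries:
        if entry.ip == target_ip and entry.alias:
            return APPLIANCE_MAC
    return None


def inspect_arp(packet: ArpPacket, entries: list, interfaces: list,
                inspection_enabled: bool, flood: bool,
                management_interface: str = None) -> tuple:
    """Return ("pass", None), ("flood", [egress, ...]) or ("drop", reason)."""
    if not inspection_enabled:
        return ("pass", None)           # not inspected: normal bridging
    mac = normalize_mac(packet.sender_mac)
    # Static entries that share the sender's IP or MAC are the ones that
    # can confirm or contradict the packet.
    related = [e for e in entries
               if e.ip == packet.sender_ip or normalize_mac(e.mac) == mac]
    if not related:
        if not flood:
            return ("drop", "no static entry and flooding is disabled")
        egress = [i for i in interfaces
                  if i != packet.ingress and i != management_interface]
        return ("flood", egress)
    for e in related:
        if (e.ip == packet.sender_ip and normalize_mac(e.mac) == mac
                and e.interface == packet.ingress):
            return ("pass", None)       # IP, MAC and interface all match
    return ("drop", "sender IP/MAC/interface contradicts a static ARP entry")
```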


Field Reference

Table 50-18 MAC Address Table Page

Element Description

Aging Time (minutes) Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.

MAC Address Table

Interface The interface to which the MAC address is associated.

MAC Address The MAC address; for example, 00e0.1e4e.3d8b.

Add/Edit MAC Table Entry Dialog Box

Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.

Navigation Path

You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page, page 50-33.

Related Topics

• Bridging, page 50-29

• MAC Address Table Page, page 50-33

Field Reference

Table 50-19 Add/Edit MAC Table Entry Dialog Box

Element Description

Interface The interface to which the MAC address is associated.

MAC Address The MAC address; for example, 00e0.1e4e.3d8b.

MAC Learning Page

Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.

Navigation Path

• (Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Add/Edit MAC Learning Dialog Box, page 50-35

• Bridging, page 50-29

• ARP Table Page, page 50-30

• ARP Inspection Page, page 50-31

• MAC Address Table Page, page 50-33

• Management IP Page, page 50-36

Field Reference

Table 50-20 MAC Learning Page

Element Description

MAC Learning Table

Interface The interface to which the MAC learning setting applies.

MAC Learning Enabled Indicates whether the security appliance learns MAC addresses from traffic entering the interface.

Add/Edit MAC Learning Dialog Box

Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.

Navigation Path

You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page, page 50-34.

Related Topics

• Bridging, page 50-29

• MAC Learning Page, page 50-34

Field Reference

Table 50-21 Add/Edit MAC Learning Dialog Box

Element Description

Interface The interface to which the MAC learning setting applies.

MAC Learning Enabled When selected, the security appliance learns MAC addresses from traffic entering the interface.


Management IP Page

Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.

Navigation Path

• (Device view) Select Platform > Bridging > Management IP from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Bridging, page 50-29

• ARP Table Page, page 50-30

• ARP Inspection Page, page 50-31

• MAC Address Table Page, page 50-33

• MAC Learning Page, page 50-34

Field Reference

Table 50-22 Management IP Page

Element Description

Management IP Address The management IP address.

Subnet Mask The subnet mask that corresponds to the management IP address.

AAA Page

This page includes tabs for configuring authentication, authorization, and accounting:

• Authentication Tab, page 50-37

• Authorization Tab, page 50-38

• Accounting Tab, page 50-38

Navigation Path

• (Device view) Select Platform > Device Admin > AAA from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.


Authentication Tab

Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.

Navigation Path

You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page, page 50-36.

Related Topics

• Configuring AAA, page 39-19

• Authorization Tab, page 50-38

• Accounting Tab, page 50-38

Field Reference

Table 50-23 Authentication Tab

Element Description

Require AAA Authentication to allow use of privileged mode commands

Enable Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.

Server Group Provides a drop-down menu from which you can choose a server group to force AAA authentication.

Use LOCAL when server group fails Uses the LOCAL server group if the selected server group fails.

Require AAA Authorization for the following types of connections

Connection type Specify the connection types that require authorization:

• HTTP—Require AAA authentication when you start an HTTPS connection to the firewall console.

• Serial—Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.

• SSH—Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.

• Telnet—Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.

Server Group Specify the server group to use for authorization.


Use LOCAL when server group fails Uses the LOCAL server group if the selected server group fails.

Authentication Prompts

Login Prompt Enter the prompt a user will see when logging in to the security appliance.

User Accepted Message Enter the message a user will see when successfully authenticated by the security appliance.

User Rejected Message Enter the message a user will see when authentication by the security appliance fails.

Authorization Tab

The Authorization tab allows you to configure authorization for accessing firewall commands.

Navigation Path

You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page, page 50-36.

Related Topics

• Configuring AAA, page 39-19

• Authentication Tab, page 50-37

• Accounting Tab, page 50-38

Field Reference

Table 50-24 Authorization Tab

Element Description

Enable Authorization for Command Access Requires authorization for accessing firewall commands.

Server Group Specify the server group to use for authorization.

Use LOCAL when server group fails Uses the LOCAL server group if the selected server group fails.

Accounting Tab

Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.

Navigation Path

You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page, page 50-36.


Related Topics

• Configuring AAA, page 39-19

• Authentication Tab, page 50-37

• Authorization Tab, page 50-38

Field Reference

Table 50-25 Accounting Tab

Element Description

Require AAA Accounting for privileged commands

Enable When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.

Server Group Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require AAA Accounting for the following types of connections

Connection type Specify the connection types that will generate accounting records:

• HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.

• Serial—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.

• SSH—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.

• Telnet—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.

Server Group Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require Accounting for command access

Enable When selected, enables the generation of accounting records for commands entered by an administrator/user.

Server Group Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Privilege Level Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.


Banner Page

Use the Banner page to configure the message-of-the-day, login, and session banners.

Navigation Path

• (Device view) Select Platform > Device Admin > Banner from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Chapter 43, “Configuring Server Access Settings on Firewall Devices”

Field Reference

Table 50-26 Banner Page

Element Description

Session (exec) Banner Enter text that you want the system to display as a banner before the enable prompt.

Login Banner Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet. This banner is shown before authentication, so anything it contains, including values expanded from tokens, is visible to unauthenticated users.

Message-of-the-Day (motd) Banner Enter text that you want the system to display as a message-of-the-day banner.

Note For all three banners, the tokens $(hostname) and $(domain) are replaced with the hostname and domain name of the security appliance, respectively. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.
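The following is an added example, not code from Security Manager or the appliance, showing how the token rules in Table 50-26 resolve and how to check a pre-login banner for identity disclosure. The hostname and domain values are constructed, and the handling of $(system) (the whole context banner is replaced by the system banner) is the example's reading of the note above.

```python
"""Banner token expansion plus a pre-authentication exposure check.

Added example; not Security Manager or ASA code. Rules applied:
  $(hostname), $(domain)  -> the appliance's hostname and domain name
  $(system) in a context  -> the context uses the system banner instead
                             (assumption: the whole banner is replaced)
Hostname/domain values used by callers are constructed samples.
"""
import re

TOKEN_RE = re.compile(r"\$\((hostname|domain|system)\)")


def expand_banner(template, hostname, domain, system_banner=None):
    """Return the banner text as it would be displayed.

    system_banner is the banner from the system configuration when the
    template belongs to a security context. Pass None for the system
    execution space itself, where $(system) has no meaning; the token is
    then left unexpanded so the misconfiguration stays visible.
    """
    if "$(system)" in template and system_banner is not None:
        # The context adopts the system banner; expand that one instead.
        return expand_banner(system_banner, hostname, domain, None)
    values = {"hostname": hostname, "domain": domain}
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def pre_auth_tokens(template):
    """Tokens that would disclose device identity in a banner shown before login.

    Run this over banners displayed before the password prompt (the Login
    banner in particular); an empty list means nothing device-specific leaks.
    """
    return [m.group(1) for m in TOKEN_RE.finditer(template)
            if m.group(1) != "system"]


if __name__ == "__main__":
    # Constructed values for a quick run.
    print(expand_banner("Welcome to $(hostname).$(domain)", "fw1", "example.com"))
    print(pre_auth_tokens("$(hostname) - authorised users only"))
```

A login banner that expands $(hostname) tells an unauthenticated Telnet client which device it reached; keep identifying tokens for the session (exec) banner, which is displayed only after login.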


Boot Image/Configuration Page

Use the Boot Image/Configuration page to specify which image file the security appliance boots from, as well as which configuration file it uses at startup. You can also specify the path to the ASDM image file on the security appliance.

Navigation Path

• (Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Boot Image and Configuration Settings, page 39-24

• Images Dialog Box, page 50-42

Field Reference

Table 50-27 Boot Image/Configuration Page

Element Description

Boot Config Location The configuration file to use when the system is loaded. Use the following syntax:

• disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

Indicates the external Flash card.

• flash:/[path/]filename

ASDM Image Location The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:

• disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

Indicates the external Flash card.

• flash:/[path/]filename

• tftp://[user[:password]@]server[:port]/[path/]filename

Boot Images Table

No. Identifies the number of the boot image.

Images Identifies the path and name of the boot image.
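The location syntax in Table 50-27 (and the same syntax in the Images dialog box that follows) is easy to get subtly wrong, and a tftp:// location has security consequences at every boot. The following parser and validator is an added example, not Security Manager or appliance code; the platform check (disk0:/disk1: only on ASA) is taken from the Images dialog box description, and the sample locations in the tests are constructed.

```python
"""Parser/validator for boot image, boot config and ASDM image locations.

Added example; not Security Manager or ASA code. It accepts the four
syntaxes the Boot Image/Configuration page and the Images dialog box list
(disk0:, disk1:, flash:, tftp://) and reports what a reviewer should know
before deploying the policy: flash: is an alias of disk0:, a tftp:// image
is fetched over an unauthenticated, unencrypted protocol, and disk0:/disk1:
are ASA-only. The platform name is supplied by the caller.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_RE = re.compile(r"^(?P<scheme>disk0|disk1|flash):/(?P<path>.*)$")
TFTP_RE = re.compile(
    r"^tftp://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<server>[^:/]+)(?::(?P<port>\d+))?/(?P<path>.*)$"
)


@dataclass
class BootLocation:
    scheme: str                 # disk0, disk1, flash or tftp, as written
    path: str
    server: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    has_password: bool = False

    @property
    def device(self) -> str:
        """flash: and disk0: name the same internal Flash card."""
        return "disk0" if self.scheme == "flash" else self.scheme

    def warnings(self, platform: str = "ASA") -> List[str]:
        """Security-relevant observations a practitioner should act on."""
        w = []
        if self.scheme == "tftp":
            w.append("image fetched over TFTP: no integrity check, no encryption")
            if self.user or self.has_password:
                w.append("TFTP has no authentication; user/password in the URL "
                         "add nothing and are visible wherever the string is stored")
        if self.scheme in ("disk0", "disk1") and platform != "ASA":
            w.append(f"{self.scheme}: is only available on the ASA platform")
        if not self.path or self.path.endswith("/"):
            w.append("location does not name a file")
        return w


def parse_boot_location(url: str) -> BootLocation:
    m = LOCAL_RE.match(url)
    if m:
        return BootLocation(scheme=m.group("scheme"), path=m.group("path"))
    m = TFTP_RE.match(url)
    if m:
        return BootLocation(
            scheme="tftp",
            path=m.group("path"),
            server=m.group("server"),
            port=int(m.group("port")) if m.group("port") else None,
            user=m.group("user"),
            has_password=m.group("password") is not None,
        )
    raise ValueError(f"unsupported boot location syntax: {url!r}")


def is_supported_location(url: str) -> bool:
    try:
        parse_boot_location(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample locations.
    for u in ("disk0:/asa.bin", "flash:/asa.bin", "tftp://admin:s3cret@10.0.0.5/asa.bin"):
        loc = parse_boot_location(u)
        print(u, "->", loc.device, loc.warnings(platform="ASA"))
```

Run the validator over every entry in the boot order list, not only the first: the appliance falls through to later entries if an earlier image is missing, so a tftp:// entry anywhere in the list is a boot-time dependency on the network.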


Images Dialog Box

Use the Images dialog box to add a boot image entry to the boot order list.

Navigation Path

You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page, page 50-41.

Related Topics

• Configuring Boot Image and Configuration Settings, page 39-24

• Boot Image/Configuration Page, page 50-41

Field Reference

Table 50-28 Images Dialog Box

Element Description

Image File Enter the path and name of the image file to add to the boot order list. Use the following syntax:

• disk0:/[path/]filename

This option is available only for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

• disk1:/[path/]filename

This option is available only for the ASA platform, and indicates the external Flash card.

• flash:/[path/]filename

• tftp://[user[:password]@]server[:port]/[path/]filename

Clock Page

The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.

To dynamically set the time using an NTP server, see NTP Page, page 43-16; time derived from an NTP server overrides any time set manually on the Clock page.

Navigation Path

• (Device view) Select Platform > Device Admin > Clock from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Clock Settings, page 39-25

• NTP Page, page 43-16


Field Reference

Table 50-29 Clock Page

Element Description

Device Time Zone Select the time zone for the device from the list.

Daylight Savings Time (Summer Time) Select whether daylight saving time is used and, if so, which method specifies when it applies:

None—Disables daylight saving time on the security appliance.

Set by Date—Select this option to specify the date and time when daylight saving time begins and ends for a specific year. If you use this option, you need to reset the dates every year.

Set Recurring—Select this option to specify the start and end of daylight saving time by the month, week, and weekday on which it begins and ends. This sets a recurring range that you do not need to alter yearly.

Set by Date

Date (Begin/End) Enter the date on which daylight saving time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.

Hour (Begin/End) Select the hour, from 00 to 23, in which daylight saving time begins and the hour in which it ends.

Minute (Begin/End) Select the minute, from 00 to 59, at which daylight saving time begins and the minute at which it ends.

Set Recurring

Specify Recurring Time Select this option to specify the start and end of daylight saving time by the month, week, and weekday on which it begins and ends. This sets a recurring range that you do not need to alter yearly.

Month (Begin/End) Select the month in which daylight saving time begins and the month in which it ends.

Week (Begin/End) Select the week of the month in which daylight saving time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. Not every month has a fifth occurrence of a given weekday, so if the intended day may fall in a partial fifth week, specify last rather than 5.

Weekday (Begin/End) Select the day of the week on which daylight saving time begins and the day on which it ends.

Hour (Begin/End) Select the hour, from 00 to 23, in which daylight saving time begins and the hour in which it ends.

Minute (Begin/End) Select the minute, from 00 to 59, at which daylight saving time begins and the minute at which it ends.
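Because logs, certificate validity checks and AAA accounting records all depend on the appliance clock, a recurring daylight saving rule that resolves to a non-existent date (week 5 in a month with only four occurrences of the weekday) is worth catching before deployment. The following is an added example, not Security Manager or ASA code, that resolves a Set Recurring rule to concrete dates for a year; the interpretation of week 1 to 5, first and last as "the Nth or last occurrence of the weekday in the month" is an assumption, and the sample rules are constructed.

```python
"""Resolve the Clock page's Set Recurring daylight saving rule to dates.

Added example; not Security Manager or ASA code. A rule is a dict with the
Set Recurring fields: month, week (1-5, "first" or "last"), weekday, hour,
minute. Week semantics (Nth/last occurrence of the weekday in the month)
are an assumption; the sample rules at the bottom are constructed.
"""
import calendar
from datetime import datetime

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}   # Monday = 0
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}


def nth_weekday(year, month, weekday, week):
    """Day of month for the given occurrence of weekday.

    Raises ValueError when a numbered occurrence does not exist, e.g.
    week 5 of a month that has only four of that weekday; that is the case
    the page tells you to express as "last" instead.
    """
    days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
            if calendar.weekday(year, month, d) == weekday]
    if week == "last":
        return days[-1]
    n = 1 if week == "first" else int(week)
    if not 1 <= n <= 5:
        raise ValueError("week must be 1-5, first or last")
    if n > len(days):
        raise ValueError(f"no occurrence {n} of that weekday in {year}-{month:02d}")
    return days[n - 1]


def resolve_recurring(year, rule):
    """Return the datetime at which the rule fires in the given year."""
    month = MONTHS[rule["month"]]
    day = nth_weekday(year, month, WEEKDAYS[rule["weekday"]], rule["week"])
    return datetime(year, month, day, int(rule["hour"]), int(rule["minute"]))


def recurring_rule_is_valid(year, rule):
    """True when the rule resolves to a real date in the given year."""
    try:
        resolve_recurring(year, rule)
    except (KeyError, ValueError):
        return False
    return True


def dst_window(year, begin_rule, end_rule):
    """(begin, end) datetimes for the year; begin must precede end."""
    begin = resolve_recurring(year, begin_rule)
    end = resolve_recurring(year, end_rule)
    if begin >= end:
        raise ValueError("begin rule does not precede end rule")
    return begin, end


# Constructed sample: second Sunday in March to first Sunday in November.
US_BEGIN = {"month": "March", "week": 2, "weekday": "Sunday", "hour": 2, "minute": 0}
US_END = {"month": "November", "week": "first", "weekday": "Sunday", "hour": 2, "minute": 0}

if __name__ == "__main__":
    b, e = dst_window(2024, US_BEGIN, US_END)
    print("DST 2024:", b, "->", e)
```

Validate the rule for several consecutive years rather than the current one only: a "week 5" rule can be valid this year and fail the next, and the Clock page itself performs no such check.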


Credentials Page

Use the Credentials page (also referred to as the Contact Credentials page) to specify the credentials that Security Manager should use in future when contacting a device. You can also use this page to change the login (Telnet/SSH) password and the enable password on the device.

Navigation Path

• (Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

• Configuring Contact Credentials, page 39-26

• Configuring User Accounts, page 42-6

Field Reference

Table 50-30 Contact Credentials Page

Element Description

Username Specifies the username for logging in to the device.

Password Specifies the password for logging in to the device.

Confirm Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.

Privilege Level Specifies the privilege level of the user logging in to the device.

Enable Password Specifies the new enable password for the device.

Confirm Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.

Telnet/SSH Password Specifies the new login password for the device.

Confirm Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.

CPU Threshold Page

Use the CPU Threshold page to specify the percentage of CPU usage above which you want to receive a notification, and the duration for which usage must remain above that threshold before the notification is generated.

Navigation Path

• (Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.


Related Topics

• Configuring SNMP, page 40-7

• SNMP Page, page 40-8

• SNMP Trap Configuration Dialog Box, page 40-9

Field Reference

Table 50-31 CPU Threshold Page

Element Description

CPU Rising Threshold Percentage Enter the percentage of CPU usage above which you want to receive a notification. If CPU utilization is equal to or above this value for the whole duration specified in the CPU Monitoring Period field, a notification is sent. The notification is delivered as an SNMP trap; see the SNMP topics under Related Topics for where the trap receivers are configured.

CPU Monitoring Period (seconds) Enter the number of seconds that CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent. A short period turns every brief spike into a notification; a long period delays detection of a sustained overload, such as a device being driven to saturation by traffic.
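The interaction between the two fields is easiest to see by replaying samples through the rule. The following is an added example, not the appliance's implementation: it models "at or above the threshold for the whole monitoring period", resets the window on any sample below the threshold, and fires once per excursion. The CPU samples are constructed.

```python
"""Sustained-CPU notification logic matching the CPU Threshold page.

Added example; not Security Manager or ASA code. It replays constructed
CPU samples through the rule "utilization at or above the rising threshold
for the whole monitoring period" and returns when a notification would be
generated. Sample cadence and values are made up for the example.
"""


def rising_threshold_events(samples, threshold_pct, period_s):
    """Timestamps at which a notification would be generated.

    samples: iterable of (timestamp_seconds, cpu_percent) in ascending order.
    A notification fires once per excursion, when utilization has been at
    or above threshold_pct continuously for period_s seconds. A single
    sample below the threshold resets the window, so a spike that dips
    briefly never accumulates enough time to fire.
    """
    events = []
    above_since = None   # timestamp of the first sample in the current excursion
    fired = False        # one notification per excursion
    for ts, cpu in samples:
        if cpu >= threshold_pct:
            if above_since is None:
                above_since = ts
            if not fired and ts - above_since >= period_s:
                events.append(ts)
                fired = True
        else:
            above_since = None
            fired = False
    return events


# Constructed samples, one every 10 seconds.
SAMPLES = [
    (0, 40), (10, 85), (20, 90), (30, 70),             # brief spike, reset at t=30
    (40, 88), (50, 92), (60, 95), (70, 91), (80, 89),  # sustained load from t=40
    (90, 30),
]

if __name__ == "__main__":
    for period in (0, 30, 60):
        print(f"threshold 80%, period {period}s ->",
              rising_threshold_events(SAMPLES, 80, period))
```

With the samples above, an 80% threshold and a 30-second period, only the sustained excursion starting at t=40 produces a notification (at t=70); the 20-second spike at t=10 never does. Raising the period to 60 seconds suppresses both, which is the trade-off to weigh against how quickly you want to learn that a device is saturated.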
