ASA Interface configuration

!show the names given to each interface
show nameif
!show the vlan-to-port mappings
show switch vlan

redundant interface
===================
!One is active one is standby
!must be the same type/speed/duplex etc..
!create the redundant interface

interface redundant 1
!add a physical interface as a member of the redundant interface
member-interface ethernet0/0
member-interface ethernet0/1
no shut
!
interface ethernet0/0
speed 100
duplex full
no shut
!
interface ethernet0/1
speed 100
duplex full
no shut

The order in which you configure the interfaces is important: the first physical interface added to the logical redundant interface becomes the active interface.
The two interfaces trade the active role back and forth only when one of them fails. Nothing else should be configured on the physical member interfaces.

Trunk interface on ASA 5510 and higher
======================================
ciscoasa(config)# interface ethernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/3.1
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# no shutdown
ciscoasa(config-subif)# interface ethernet0/3.2
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# no shutdown

Trunk interface on ASA 5505
===========================
On an ASA 5505, VLANs are supported on the physical interfaces, but only if corresponding logical VLAN interfaces are configured.
ciscoasa(config)# interface vlan 10
ciscoasa(config-if)# exit
ciscoasa(config)# interface vlan 20
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet0/5
ciscoasa(config-if)# switchport mode trunk
ciscoasa(config-if)# switchport trunk allowed vlan 10,20

By default, no VLANs are permitted to be carried over a trunk link.

Interface Security Parameters
=============================
IP address from dhcp
ciscoasa(config-if)# ip address dhcp [setroute]
Adding the setroute keyword causes the ASA to set its default route automatically, based on the default gateway parameter that is returned in the DHCP reply.

Security Level
ASA platforms have some inherent security policies that are based on the security level assigned to each interface. Interfaces with a higher security level are considered to be more trusted than interfaces with a lower security level.
outside= 0
dmz = 50
inside = 100

The following two inherent policies apply on an ASA:
1]Traffic is allowed to flow from a higher-security interface to a lower-security interface provided that any access list, stateful inspection, and address translation requirements are met.
2]Traffic from a lower-security interface to a higher one cannot pass unless additional explicit inspection and filtering checks are passed.

If two interfaces have the same security level, the default security policy will not permit any traffic to pass between the two interfaces at all. You can override this behavior with the same-security-traffic permit inter-interface command.

The number of ASA interfaces can be greater than the number of unique security level values.
This happens when there are more than 101 VLANs on the ASA. To reuse security level numbers and relax the security level constraint between interfaces, use the following command: same-security-traffic permit inter-interface

Traffic must enter and exit through the same interface, traversing the same security level:
When an ASA is configured to support logical VPN connections, multiple connections might terminate on the same ASA interface (for example, hub-and-spoke VPN tunnels). To permit this, use the command same-security-traffic permit intra-interface

ciscoasa(config)# interface ethernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 192.168.254.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# interface ethernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# interface ethernet0/2
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# ip address 192.168.100.1 255.255.255.0
ciscoasa(config-if)# security-level 50
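
The two inherent policies above, the same-security-traffic overrides, and the redundant-interface member rules are easy to get wrong when reading a long running-config by eye. The following script is an added example (not from the original post and not a Cisco tool): it parses a small, constructed ASA config excerpt in the style shown on this page, answers "does the default policy let traffic initiated on interface A exit on interface B?" (before any ACL, NAT or inspection is considered), and flags redundant-interface members whose speed or duplex settings do not match. The interface ids, addresses and the extra dmz2 interface in the sample are assumptions chosen to exercise the same-level case.

```python
import re

# Constructed sample running-config excerpt. It reuses the nameif values and
# security levels from the page, places "outside" on a redundant interface,
# and adds a fourth interface "dmz2" at the same level as dmz.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
interface redundant 1
 member-interface ethernet0/0
 member-interface ethernet0/1
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.0
interface ethernet0/0
 speed 100
 duplex full
interface ethernet0/1
 speed 100
 duplex auto
interface ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface ethernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface ethernet0/4
 nameif dmz2
 security-level 50
 ip address 192.168.101.1 255.255.255.0
"""


def parse_config(text):
    """Return (interfaces, same_security).

    interfaces maps an interface id such as 'ethernet0/2' or 'redundant 1' to a
    dict of the settings this example cares about; same_security is the set of
    'inter-interface' / 'intra-interface' permissions found at global level.
    """
    interfaces = {}
    same_security = set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level (global config) command
            current = None
            m = re.match(r"interface (\S+(?: \d+)?)$", line)
            if m:
                current = {"members": []}
                interfaces[m.group(1)] = current
                continue
            m = re.match(r"same-security-traffic permit (inter|intra)-interface$", line)
            if m:
                same_security.add(m.group(1) + "-interface")
            continue
        if current is None:  # indented line outside an interface block
            continue
        tokens = line.split()
        if tokens[0] == "nameif":
            current["nameif"] = tokens[1]
        elif tokens[0] == "security-level":
            current["security-level"] = int(tokens[1])
        elif tokens[0] == "member-interface":
            current["members"].append(tokens[1])
        elif tokens[0] in ("speed", "duplex"):
            current[tokens[0]] = tokens[1]
    return interfaces, same_security


def levels_by_name(interfaces):
    """Map nameif -> security-level for every named interface."""
    return {v["nameif"]: v["security-level"]
            for v in interfaces.values()
            if "nameif" in v and "security-level" in v}


def default_policy_allows(interfaces, same_security, src, dst):
    """Apply the inherent security-level policy plus the same-security-traffic
    overrides. True means the default policy lets a connection initiated on
    `src` leave via `dst`; ACLs, NAT and inspection are out of scope here."""
    levels = levels_by_name(interfaces)
    s, d = levels[src], levels[dst]
    if src == dst:                      # hairpin, e.g. hub-and-spoke VPN
        return "intra-interface" in same_security
    if s > d:                           # higher -> lower: allowed by default
        return True
    if s < d:                           # lower -> higher: blocked by default
        return False
    return "inter-interface" in same_security   # equal levels


def active_member(interfaces, redundant_name):
    """The first member-interface configured becomes the active one."""
    return interfaces[redundant_name]["members"][0]


def redundant_member_mismatches(interfaces):
    """Members of a redundant interface must match in speed and duplex.
    Returns a list of (redundant_if, setting, {member: value}) for mismatches."""
    problems = []
    for name, cfg in interfaces.items():
        if not name.startswith("redundant") or not cfg["members"]:
            continue
        for setting in ("speed", "duplex"):
            values = {m: interfaces.get(m, {}).get(setting) for m in cfg["members"]}
            if len(set(values.values())) > 1:
                problems.append((name, setting, values))
    return problems


if __name__ == "__main__":
    ifs, ss = parse_config(SAMPLE_CONFIG)
    for src, dst in [("inside", "outside"), ("outside", "inside"),
                     ("dmz", "dmz2"), ("outside", "outside")]:
        print(f"{src:>8} -> {dst:<8}: {default_policy_allows(ifs, ss, src, dst)}")
    print("active member of redundant 1:", active_member(ifs, "redundant 1"))
    print("redundant member mismatches:", redundant_member_mismatches(ifs))
```

Feeding the script a config with `same-security-traffic permit inter-interface` added flips the dmz-to-dmz2 result to True, which is exactly the relaxation the text warns about: once that command is present, every pair of equal-level interfaces is open by default, so it is worth checking who else shares a level before enabling it.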


About Alexis Katsavras

Working as Freelance Cisco Unified Communications Consultant in the UK. www.NetPacket.co.uk