Overview:
- Configuring Physical Interfaces
- Configuring VLAN Interfaces
- Configuring Interface Security parameters
- Configuring the Interface MTU
- Verifying Interface Operation
ASA interfaces can be physical or logical. to pass and inspect traffic, each interface must configure three security attributes:
- Interface name
- IP address and subnet mask
- Security level
Part 1: Configuring Physical Interfaces
You can see a list of the physical firewall interfaces:
ASA1# show version
Cisco Adaptive Security Appliance Software Version 9.1(5)16
Compiled on Mon 06-Oct-14 18:55 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ASA1 up 2 mins 19 secs
Hardware: ASA5520, 1024 MB RAM, CPU Clarkdale 2393 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 000c.2982.6d88, irq 10
1: Ext: GigabitEthernet1 : address is 000c.2982.6db0, irq 10
2: Ext: GigabitEthernet2 : address is 000c.2982.6d92, irq 5
3: Ext: GigabitEthernet3 : address is 000c.2982.6dba, irq 5
4: Ext: GigabitEthernet4 : address is 000c.2982.6d9c, irq 9
5: Ext: GigabitEthernet5 : address is 000c.2982.6da6, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 10000 perpetual
AnyConnect Essentials : 10000 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 5000 perpetual
Total UC Proxy Sessions : 10000 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x9933e843 0x88a03a01 0xdd60b0f8 0xd2886c64 0x0f28fd93
Configuration register is 0x0
Configuration has not been modified since last system restart.
Configuring Interface Parameters
ciscoasa(config)#interface g0
ciscoasa(config-if)#speed {auto | 10 | 100 | 1000}
ciscoasa(config-if)#duplex {auto | full | half}
ciscoasa(config-if)#[no] shutdown
Configuring interface Redundancy
To keep an ASA interface up and active all the time, you can configure physical interfaces as redundant pairs.
ciscoasa(config)# interface redundant 1
ciscoasa(config-if)# member-interface ethernet0/0
INFO: security-level and IP address are cleared on Ethernet0/0.
ciscoasa(config-if)# member-interface ethernet0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ciscoasa(config-if)# no shutdown
Be aware that the member interface cannot have a security level or an IP address configured. In fact, as soon as you enter the member-interface command, the ASA will automatically clear those parameters from the physical interface configuration. You should repeat this command to add a second physical interface to the redundant pair.
Keep in mind that the order in which you configure the interfaces is important. The first physical interface added to a logical redundant interface will become the active interface. That interface will stay active until it loses its link status, causing the second or standby interface to take over. The standby interface can also take over when the active interface is administratively shut down with the shutdown interface configuration command.
The redundant interface also takes on the MAC address of the first member interface that you configure. Regardless of which physical interface is active, that same MAC address will be used. You can override this behavior by manually configuring a unique MAC address on the redundant interface with the mac-address mac_address interface configuration command.
Configuring VLAN Interfaces