Cisco ASA 5505 Configuration Manual page 233

Chapter 8
Configuring Interfaces
You can only enable SPAN monitoring using the Command Line Interface tool by entering the
switchport monitor command. See the switchport monitor command in the Cisco ASA 5500 Series
Command Reference for more information.
ASA 5580 Interfaces
The ASA 5580 adaptive security appliance supports multiple types of Ethernet interfaces including
Gigabit Ethernet and 10-Gigabit Ethernet speeds, and copper and fiber connectors. See the Cisco ASA
5580 Adaptive Security Appliance Getting Started Guide for detailed information about the interface
adapters available for the ASA 5580 adaptive security appliance, and which slots support each adapter
type.
Auto-MDI/MDIX Feature
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and
duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is
always enabled and you cannot disable it.
Security Levels
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100, while the outside
network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You
can assign interfaces to the same security level. See the "Allowing Same Security Level Communication"
section on page 8-31 for more information.

The level controls the following behavior:

• Network access—By default, there is an implicit permit from a higher security interface to a lower
  security interface (outbound). Hosts on the higher security interface can access any host on a lower
  security interface. You can limit access by applying an access list to the interface.
  If you enable communication for same security interfaces (see the "Allowing Same Security Level
  Communication" section on page 8-31), there is an implicit permit for interfaces to access other
  interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For
  same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
    exists between a pair of hosts, then only an inbound data connection is permitted through the
    adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
  to a lower level).
  If you enable communication for same security interfaces, you can filter traffic in either direction.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, Information About Interfaces, page 8-5
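
As an added example (not part of the Cisco guide), the following Python script applies the implicit-permit rules from the Security Levels section to interface stanzas in running-config style and lists every flow that the security levels alone allow, noting whether the source interface has an inbound access list bound. The sample configuration, interface names and access list name are constructed. The script assumes each named interface carries an explicit `security-level` line and that same-security communication appears as the CLI command `same-security-traffic permit inter-interface`.

```python
import re
from itertools import permutations

# Constructed sample in running-config style; names and levels are illustrative.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
interface Vlan4
 nameif partners
 security-level 50
access-group DMZ_IN in interface dmz
"""

def parse_config(text):
    """Return ({nameif: level}, same-security flag, {nameifs with an inbound access list})."""
    levels, acl_bound, same_sec, name = {}, set(), False, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            name = None  # new stanza, nameif not seen yet
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif name and (m := re.fullmatch(r"security-level (\d+)", line)):
            levels[name] = int(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif m := re.fullmatch(r"access-group \S+ in interface (\S+)", line):
            acl_bound.add(m.group(1))
    return levels, same_sec, acl_bound

def implicit_permits(text):
    """List (src, dst, src_has_acl) for flows the security levels alone permit."""
    levels, same_sec, acl_bound = parse_config(text)
    return [(src, dst, src in acl_bound)
            for src, dst in permutations(sorted(levels), 2)
            if levels[src] > levels[dst]
            or (same_sec and levels[src] == levels[dst])]

if __name__ == "__main__":
    for src, dst, has_acl in implicit_permits(SAMPLE_CONFIG):
        print(f"{src} -> {dst}:", "access list bound" if has_acl else "implicit permit only")
```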

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580