Configuring The Interface - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Chapter 7 Configuring Interface Parameters

• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.

Note
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.

Configuring the Interface
By default, all physical interfaces are shut down. You must enable the physical interface before any
traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical
interface or subinterface to a context, the interfaces are enabled by default in the context. However,
before traffic can pass through the context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution space, then that interface is down
in all contexts that share it.
Before you can complete your configuration and allow traffic through the security appliance, you need
to configure an interface name, and for routed mode, an IP address. You should also change the security
level from the default, which is 0. If you name an interface "inside" and you do not set the security level
explicitly, then the security appliance sets the security level to 100.

Note
If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
and Stateful Failover communications. See Chapter 14, "Configuring Failover," to configure the failover
and state links.

For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system
configuration.
• The system configuration only lets you configure Ethernet settings and VLANs. The exception is
for failover interfaces; do not configure failover interfaces with this procedure. See the Failover
chapter for more information.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
7-2
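The interface procedure above, worked through for multiple context mode as an added example (this is not configuration taken from the manual): the physical interface is enabled in the system execution space, allocated to a context, and then named, given a security level and addressed from inside that context. The interface identifiers (GigabitEthernet0/0 and 0/1), the context name ctx1, and the addresses are assumed values chosen for the example.

```cisco
! --- System execution space (multiple context mode) ---
! Physical interfaces are shut down by default. Enable them here first:
! an interface that is shut down in the system execution space is down in
! every context that shares it, whatever the context configuration says.
hostname(config)# interface GigabitEthernet0/0
hostname(config-if)# no shutdown
hostname(config-if)# exit
hostname(config)# interface GigabitEthernet0/1
hostname(config-if)# no shutdown
hostname(config-if)# exit
! Allocate both interfaces to the context "ctx1" (assumed name). The system
! configuration only carries Ethernet settings and VLANs; names, security
! levels and IP addresses are configured inside the context.
hostname(config)# context ctx1
hostname(config-ctx)# allocate-interface GigabitEthernet0/0
hostname(config-ctx)# allocate-interface GigabitEthernet0/1
hostname(config-ctx)# exit

! --- Inside the context: name, security level and (routed mode) IP address ---
! Allocated interfaces are already enabled in the context, so no "no shutdown"
! is needed at this level.
hostname(config)# changeto context ctx1
hostname/ctx1(config)# interface GigabitEthernet0/0
! Naming the interface "inside" would default the level to 100; setting it
! explicitly keeps the intent visible in the configuration.
hostname/ctx1(config-if)# nameif inside
hostname/ctx1(config-if)# security-level 100
hostname/ctx1(config-if)# ip address 10.1.1.1 255.255.255.0
hostname/ctx1(config-if)# exit
hostname/ctx1(config)# interface GigabitEthernet0/1
! The default security level is 0; leave it there only for the untrusted side.
hostname/ctx1(config-if)# nameif outside
hostname/ctx1(config-if)# security-level 0
hostname/ctx1(config-if)# ip address 192.0.2.1 255.255.255.0
hostname/ctx1(config-if)# exit
hostname/ctx1(config)# exit
! Check: every interface that should carry traffic shows a name, an address
! and an up/up state. A named interface left at security-level 0 on the
! trusted side is the misconfiguration this procedure warns about.
hostname/ctx1# show interface ip brief
hostname/ctx1# show running-config interface
```

The two show commands at the end are the verification step: an interface that was never enabled in the system execution space still appears down inside the context, which is the symptom to look for when a newly allocated interface passes no traffic.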

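The bulleted consequences of security levels (filtering direction, NAT control, the established command) and the clear local-host note, shown as an added configuration example rather than the manual's own text. Interface names, address ranges and the port numbers in the established command are assumed values; the outside keyword on the nat command is the existing "special keyword" needed when translating hosts on the outside interface.

```cisco
! Same-security interfaces: once permitted, traffic flows in either direction,
! filtering applies both ways, and established can be configured both ways.
hostname(config)# same-security-traffic permit inter-interface

! NAT control: with it enabled, hosts on the higher-security "inside"
! interface need a NAT rule before they can reach the lower-security "outside".
hostname(config)# nat-control
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0
hostname(config)# global (outside) 1 interface
! Translating outside hosts as they reach inside (outside NAT) needs the
! "outside" keyword on the nat command; example addresses are constructed.
hostname(config)# nat (outside) 2 203.0.113.0 255.255.255.0 outside
hostname(config)# global (inside) 2 10.1.1.200-10.1.1.250

! established: a lower-security host may open a return connection to TCP 6061
! on a higher-security host only while that host holds a connection to the
! lower-security host's TCP port 6060 (ports are example values).
hostname(config)# established tcp 6060 0 permitto tcp 6061

! Changing a security level: connections built under the old level persist
! until they time out, so flush them once the new level is in place.
hostname(config)# interface GigabitEthernet0/2
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 172.16.1.1 255.255.255.0
hostname(config-if)# exit
hostname(config)# exit
hostname# clear local-host
```

Keep the established command as narrow as the application allows (specific protocol and ports on both sides): it opens a path from the lower-security interface toward the higher one, so each rule is a deliberate exception to the default security-level policy and should be reviewed with the same care as an access list.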