How we configure interfaces of PIX or ASA

Posted by Parveen Malik Articles | Security in .NET January 12, 2009

A PIX or ASA firewall can have up to 10 interfaces, depending on the PIX or ASA version and the interface modules installed in it. By default a firewall has two interfaces, named "inside" and "outside". You can change these assignments and use the interfaces as you want.

Each interface is also assigned a security level from 0 to 100 (lowest to highest). PIX 7.3 is an exception, where the security level is given with the keyword security-level followed by the number (0 to 100). Security levels 0 and 100 are reserved for the "outside" and "inside" interfaces; other perimeter interfaces should have a level from 1 to 99. Example:

PIX Firewall(config)#nameif gb-ethernet0 outside security0
ASA Firewall(config)# interface gigabitethernet0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0

Security levels determine how the firewall inspects and handles traffic. For example, traffic passing from a higher-security interface toward a lower one is assumed to be heading toward a less-secure area, so it is forwarded under less-stringent policies than traffic coming in toward a higher-security area.

On a PIX firewall, interfaces must have different security levels. The ASA is an exception: it allows interfaces to share a security level, but only if the same-security-traffic permit inter-interface global configuration command has been used. In that case, traffic is forwarded according to the policies set by access lists, with no regard to higher or lower security levels.
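The forwarding rules above are easy to get wrong when an ASA has several perimeter interfaces. The script below is an added example, not code from the article: it reads nameif and security-level lines out of an ASA-style configuration, classifies the default (pre-ACL) handling of traffic between any two interfaces, and flags interfaces that share a level. The configuration text is constructed for illustration; the "partner" interface is a hypothetical fourth interface that shares the dmz level.

```python
"""Added example: derive inter-interface forwarding behaviour from ASA config text."""
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface gigabitethernet0
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.0.0
interface gigabitethernet1
 nameif outside
 security-level 0
 ip address 172.17.1.1 255.255.0.0
interface gigabitethernet2
 nameif dmz
 security-level 50
 ip address 172.18.1.1 255.255.0.0
interface gigabitethernet3
 nameif partner
 security-level 50
"""


def parse_security_levels(config):
    """Return ({nameif: level}, same_security_permitted) from ASA config text."""
    levels = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # new block; the nameif line names it
        elif line.startswith("nameif "):
            current = line.split(None, 1)[1]
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
    same_sec = re.search(r"^same-security-traffic permit inter-interface$",
                         config, re.M) is not None
    return levels, same_sec


def default_forwarding(src, dst, levels, same_sec):
    """Default handling of traffic entering src and leaving dst, before any ACL:
    higher -> lower is permitted, lower -> higher must be opened by an access list,
    and equal levels pass only with same-security-traffic permit inter-interface."""
    s, d = levels[src], levels[dst]
    if s > d:
        return "permitted"
    if s < d:
        return "requires-acl"
    return "permitted" if same_sec else "dropped"


def audit_levels(levels, same_sec):
    """Flag departures from the conventions described in the article."""
    findings = []
    if levels.get("outside") != 0:
        findings.append("outside interface is not security-level 0")
    if levels.get("inside") != 100:
        findings.append("inside interface is not security-level 100")
    by_level = {}
    for name, level in levels.items():
        by_level.setdefault(level, []).append(name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1:
            how = ("permitted by same-security-traffic" if same_sec
                   else "dropped (no same-security-traffic permit inter-interface)")
            findings.append(f"{sorted(names)} share security-level {level}; "
                            f"traffic between them is {how}")
    return findings


if __name__ == "__main__":
    levels, same_sec = parse_security_levels(SAMPLE_CONFIG)
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("dmz", "partner")]:
        print(f"{src:8} -> {dst:8}: {default_forwarding(src, dst, levels, same_sec)}")
    for finding in audit_levels(levels, same_sec):
        print("audit:", finding)
```

Run it against a saved "show running-config" to see which interface pairs are open by default and which depend on access lists; removing the same-security-traffic line from the sample turns the dmz/partner pair from "permitted" into "dropped".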

Assigning an IP address:

You can assign a static IP address if one is known and available for the firewall. Otherwise, you can configure the firewall to request an address from either a DHCP server or through PPPoE. (Your ISP should provide details about obtaining an address.) Choose one of the following steps:

  1. (Optional) Assign a static address:

    Firewall(config)# ip address if_name ip_address [netmask]

    If you have a static IP address that the firewall can use, you can assign it here. The interface named if_name (inside or outside, for example) uses the IP address and subnet mask given.

    If you omit the netmask parameter, the firewall assumes that a classful network (Class A, B, or C) is being used.

    For example, if the first octet of the IP address is 1 through 126 (1.0.0.0 through 126.255.255.255), a Class A netmask (255.0.0.0) is assumed.

    If the first octet is 128 through 191 (128.0.0.0 through 191.255.255.255), a Class B netmask (255.255.0.0) is assumed.

    If the first octet is 192 through 223 (192.0.0.0 through 223.255.255.255), a Class C netmask (255.255.255.0) is assumed.

    If you use subnetting in your network, be sure to specify the correct netmask rather than the classful mask (255.0.0.0, 255.255.0.0, or 255.255.255.0) that the firewall derives from the IP address.
     
  2. Obtain an address via DHCP:

    Firewall(config)# ip address outside dhcp [setroute] [retry retry_cnt]

    Generally, the outside interface points toward an ISP. Therefore, the firewall can generate DHCP requests from that interface. If no reply is received, the firewall retries the request up to retry_cnt times (4 to 16; the default is 4).

    You can also set the firewall's default route from the default gateway parameter returned in the DHCP reply. To do this, use the setroute keyword; otherwise, you have to explicitly configure a default route.

    Tip
    You can release and renew the DHCP lease for the outside interface by entering this configuration command again.
     
  3. Obtain an address through PPPoE:

    A PIX or an ASA (beginning with release 8.0) platform can use a PPPoE client to make a broadband connection to an ISP. Point-to-Point Protocol over Ethernet (PPPoE) is a practical way of using the firewall's physical Ethernet interface to communicate with an ISP over traditional PPP infrastructure. PPPoE is supported only when the firewall is configured for single context, routed mode, without failover.

    Like PPP, PPPoE requires the remote access client (the ASA, in this case) to authenticate and obtain network parameters before it can begin communicating over the link. To do this, the firewall uses a Virtual Private Dialup Network (VPDN) group. The group specifies the authentication method and the username and password credentials assigned by the ISP. You can use the following steps to configure the PPPoE client:

- Define a username for PPPoE authentication:

PIX Firewall(config)# vpdn username username password passwd [store-local]
ASA Firewall(config)# vpdn username username password passwd [store-local]

The firewall authenticates itself with an ISP using a username username (a text string) and password passwd (an unencrypted text string). You can repeat this command to define multiple usernames and passwords if several ISPs are possible. By default, the username and password are entered into the firewall configuration as a part of this command. If you use a management tool such as Cisco Security Manager (CSM) or CiscoWorks Firewall Management Center to deploy the firewall, a template configuration might overwrite a valid username and password. You can choose to store the username and password locally in the firewall's Flash memory by adding the store-local keyword.

- (Optional) Define a VPDN group to contain PPPoE parameters:

PIX Firewall(config)# vpdn group group_name localname username
ASA Firewall(config)# vpdn group group_name localname username

The firewall can associate PPPoE parameters into groups such that one group is used to negotiate with one ISP. Here, the group_name is an arbitrary name (up to 63 characters) that points to a locally defined username username and password pair. This pair should already be configured with the vpdn username username command.

- Set the PPPoE authentication method:

PIX Firewall(config)# vpdn group group_name ppp authentication {pap | chap | mschap}
ASA Firewall(config)# vpdn group group_name ppp authentication {pap | chap | mschap}

For the VPDN group, you should use the same authentication method that your ISP uses: pap (Password Authentication Protocol, with cleartext exchange of credentials), chap (Challenge Handshake Authentication Protocol, with encrypted exchange), or mschap (Microsoft CHAP, version 1 only).

- Enable PPPoE requests using a VPDN group:

PIX Firewall(config)# vpdn group group_name request dialout pppoe
ASA Firewall(config)# vpdn group group_name request dialout pppoe

The firewall builds PPPoE requests using the parameters defined in VPDN group group_name.

- Request IP address information on the outside interface:

PIX Firewall(config)# ip address outside pppoe [setroute]
ASA Firewall(config)# interface if_name
Firewall(config-if)# ip address pppoe [setroute]

The firewall sends PPPoE requests on its outside interface to authenticate and obtain an IP address and subnet mask from the ISP. If the default gateway that is returned should be used as the firewall's default route, add the setroute keyword. Otherwise, a default route must be configured manually on the firewall.

You can renegotiate the address parameters with the ISP by entering this configuration command again.

If you already have a static IP address assigned by the ISP, you can use an alternative command:

Firewall(config)# ip address outside ip-address netmask pppoe [setroute]

Here, the IP address and netmask are already known. The firewall still authenticates with the ISP through PPPoE, but it uses these values rather than negotiating them. As an example of PPPoE interface configuration, the following commands can be used to define a VPDN group for one ISP that can be used by the firewall:

Firewall(config)# vpdn username JohnDoe password JDsecret
Firewall(config)# vpdn group ISP1 localname JohnDoe
Firewall(config)# vpdn group ISP1 ppp authentication chap
Firewall(config)# vpdn group ISP1 request dialout pppoe
Firewall(config)# ip address outside pppoe setroute
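The three address-assignment forms above (static, DHCP, PPPoE) share one command whose optional arguments change its meaning, and the classful-mask assumption in step 1 is the usual trap. The script below is an added example, not code from the article: it parses each form into a structured record, derives the classful netmask the firewall would assume when the mask is omitted, enforces the 4 to 16 retry range, and warns when the effective mask differs from the subnet you intended. All sample commands in it are constructed.

```python
"""Added example: parse the ip address command forms and check the effective netmask."""
import ipaddress


def classful_netmask(ip):
    """Classful mask the firewall assumes when an address is given without a netmask."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "255.0.0.0"
    if 128 <= first <= 191:
        return "255.255.0.0"
    if 192 <= first <= 223:
        return "255.255.255.0"
    raise ValueError(f"no classful mask for first octet {first}")


def parse_ip_address_command(cmd):
    """Return a dict describing a static, dhcp or pppoe 'ip address' command."""
    tokens = cmd.split()
    if tokens[:2] != ["ip", "address"] or len(tokens) < 4:
        raise ValueError(f"not an ip address command: {cmd!r}")
    if_name, args = tokens[2], tokens[3:]
    if args[0] == "dhcp":
        retry = 4  # default retry count stated in the article
        if "retry" in args:
            retry = int(args[args.index("retry") + 1])
            if not 4 <= retry <= 16:
                raise ValueError(f"retry count {retry} outside the 4-16 range")
        return {"if_name": if_name, "method": "dhcp",
                "setroute": "setroute" in args, "retry": retry}
    if args[0] == "pppoe":
        return {"if_name": if_name, "method": "pppoe", "setroute": "setroute" in args}
    # Static form: ip address if_name ip [netmask] [pppoe [setroute]]
    ip = args[0]
    mask_given = len(args) > 1 and args[1] not in ("pppoe", "setroute")
    mask = args[1] if mask_given else classful_netmask(ip)
    network = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return {"if_name": if_name, "method": "static", "ip": ip, "mask": mask,
            "mask_assumed": not mask_given, "network": str(network),
            "pppoe": "pppoe" in args, "setroute": "setroute" in args}


def check_static_mask(cmd, intended_prefixlen):
    """Warn when the effective mask differs from the subnet you meant to configure
    (the classful-assumption trap); None if it matches or the command is not static."""
    parsed = parse_ip_address_command(cmd)
    if parsed["method"] != "static":
        return None
    actual = ipaddress.IPv4Network(parsed["network"]).prefixlen
    if actual == intended_prefixlen:
        return None
    origin = "assumed classful" if parsed["mask_assumed"] else "configured"
    return (f"{parsed['if_name']}: {origin} mask /{actual} does not match "
            f"intended /{intended_prefixlen}")


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ["ip address inside 10.1.2.1",
                "ip address inside 10.1.2.1 255.255.255.0",
                "ip address outside dhcp setroute retry 8",
                "ip address outside 172.17.1.1 255.255.0.0 pppoe setroute"]:
        print(cmd, "->", parse_ip_address_command(cmd))
    print(check_static_mask("ip address inside 10.1.2.1", 24))
```

The first sample command shows the trap: "10.1.2.1" without a mask becomes a /8, so an interface meant for a /24 would claim the whole 10.0.0.0 network as directly connected.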


Verify the IP address:

Firewall# show ip
or
Firewall# show ip if_name {dhcp | pppoe}

Ping the next-hop gateway address:

Firewall# ping [if_name] ip_address

You can send ICMP echo requests to the next-hop gateway or a host located on the same subnet as the firewall interface. You can specify which firewall interface name to use with if_name, but this is not required. The target is at ip_address.

If ICMP replies are received, they are reported along with the round-trip time, as in this example:

Firewall# ping 192.168.199.4
192.168.199.4 response received -- 0ms
192.168.199.4 response received -- 30ms
192.168.199.4 response received -- 0ms
Firewall#

Verify PPPoE operation:

As soon as the PPPoE client is configured and the interface is connected and is operational, the firewall automatically attempts to bring up the PPPoE connection.

You can see the status with the following command:

Firewall# show vpdn session

For example, if the PPPoE client has negotiated its connection, you might see the following output:

Firewall# show vpdn session
PPPoE Session Information (Total tunnels=1 sessions=1)
Remote Internet Address is 192.168.11.1
Session state is SESSION_UP
Time since event change 10002 secs, interface outside
PPP interface id is 1
36 packets sent, 36 received, 1412 bytes sent, 0 received
Firewall#

If the PPPoE connection does not come up normally, you can use the debug pppoe event command to see PPPoE negotiation events as they occur.
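Rather than eyeballing show vpdn session by hand, a monitoring script can parse it and raise an alert when the session is absent or not in SESSION_UP. The code below is an added example, not from the article: SAMPLE_UP is the article's own sample output, SAMPLE_DOWN is a constructed output for a firewall with no PPPoE session.

```python
"""Added example: parse 'show vpdn session' output and judge PPPoE session health."""
import re

# The article's sample output for a negotiated session.
SAMPLE_UP = """\
PPPoE Session Information (Total tunnels=1 sessions=1)
Remote Internet Address is 192.168.11.1
Session state is SESSION_UP
Time since event change 10002 secs, interface outside
PPP interface id is 1
36 packets sent, 36 received, 1412 bytes sent, 0 received
"""

# Constructed output for a firewall whose PPPoE client has not come up.
SAMPLE_DOWN = "PPPoE Session Information (Total tunnels=0 sessions=0)\n"

_PATTERNS = {
    "tunnels": r"Total tunnels=(\d+)",
    "sessions": r"sessions=(\d+)",
    "remote": r"Remote Internet Address is (\S+)",
    "state": r"Session state is (\S+)",
    "seconds": r"Time since event change (\d+) secs",
    "interface": r"secs, interface (\S+)",
    "packets_sent": r"(\d+) packets sent",
    "packets_received": r"packets sent, (\d+) received",
    "bytes_sent": r"(\d+) bytes sent",
    "bytes_received": r"bytes sent, (\d+) received",
}


def parse_vpdn_session(text):
    """Extract the fields of 'show vpdn session' that are present in the output."""
    info = {}
    for key, pattern in _PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            value = match.group(1)
            info[key] = int(value) if value.isdigit() else value
    return info


def pppoe_health(info):
    """Return a list of problems; an empty list means the session looks healthy."""
    if info.get("sessions", 0) == 0:
        return ["no PPPoE session present; check the VPDN group and credentials, "
                "then use debug pppoe event"]
    problems = []
    if info.get("state") != "SESSION_UP":
        problems.append(f"session state is {info.get('state')}")
    if info.get("packets_received", 0) == 0:
        problems.append("no packets received from the ISP side")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_DOWN):
        info = parse_vpdn_session(sample)
        print(info, "->", pppoe_health(info) or "healthy")
```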

Interface Configuration Examples

A firewall has three interfaces:

  • inside (gb-ethernet0)
  • outside (gb-ethernet1)
  • dmz (gb-ethernet2)

These interfaces have IP addresses 172.16.1.1, 172.17.1.1, and 172.18.1.1, respectively. The configuration commands needed are as follows, for both PIX 6.3 and ASA releases:

PIX 6.3:

Firewall(config)# interface gb-ethernet0 1000auto
Firewall(config)# interface gb-ethernet1 1000auto
Firewall(config)# interface gb-ethernet2 1000auto
Firewall(config)# nameif gb-ethernet0 inside security100
Firewall(config)# nameif gb-ethernet1 outside security0
Firewall(config)# nameif gb-ethernet2 dmz security50
Firewall(config)# ip address inside 172.16.1.1 255.255.0.0
Firewall(config)# ip address outside 172.17.1.1 255.255.0.0
Firewall(config)# ip address dmz 172.18.1.1 255.255.0.0

ASA:

Firewall(config)# interface gigabitethernet0
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 172.16.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet1
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 172.17.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet2
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif dmz
Firewall(config-if)# security-level 50
Firewall(config-if)# ip address 172.18.1.1 255.255.0.0

PIX 6.3 ASA

Firewall# configure terminal
Firewall(config)# nameif vlan100 inside security100
Firewall(config)# nameif vlan200 outside security0
Firewall(config)# nameif vlan300 dmz security50
Firewall(config)# ip address inside 172.16.1.1 255.255.0.0
Firewall(config)# ip address outside 172.17.1.1 255.255.0.0
Firewall(config)# ip address dmz 172.18.1.1 255.255.0.0

As a final example, consider an ASA or PIX Firewall in a similar scenario. Here, a single physical interface (gb-ethernet0) is configured as a trunk. The inside, outside, and dmz interfaces are all logical, as VLANs 100, 200, and 300, respectively. The configuration commands needed are shown as follows for both the PIX 6.3 and ASA releases:

PIX 6.3:

Firewall(config)# interface gb-ethernet0 1000auto
Firewall(config)# interface gb-ethernet0 vlan100 physical
Firewall(config)# interface gb-ethernet0 vlan200 logical
Firewall(config)# interface gb-ethernet0 vlan300 logical
Firewall(config)# nameif vlan100 inside security100
Firewall(config)# nameif vlan200 outside security0
Firewall(config)# nameif vlan300 dmz security50
Firewall(config)# ip address inside 172.16.1.1 255.255.0.0
Firewall(config)# ip address outside 172.17.1.1 255.255.0.0
Firewall(config)# ip address dmz 172.18.1.1 255.255.0.0

ASA:

Firewall(config)# interface gigabitethernet0
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# no nameif
Firewall(config-if)# interface gigabitethernet0.1
Firewall(config-if)# vlan 100
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 172.16.1.1 255.255.0.0
Firewall(config-if)# interface gigabitethernet0.2
Firewall(config-if)# vlan 200
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 172.17.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet0.3
