A PIX or ASA firewall can have up to 10 interfaces, depending on the PIX or ASA version and the interface modules installed in it. By default a firewall has two interfaces, named "Inside" and "Outside". These assignments can be changed and used as needed.
Each interface is also assigned a security level (0 to 100, from lowest to highest). PIX 7.3 is an exception, where the security level is given with the keyword security-level, followed by the number (0 to 100). Security levels 0 and 100 are reserved for the "Outside" and "Inside" interfaces; other perimeter interfaces should have a level from 1 to 99. Example:
PIX:
Firewall(config)# nameif gb-ethernet0 outside security0
ASA:
Firewall(config)# interface gigabitethernet0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Security levels are used to determine how the firewall inspects and handles traffic. For example, traffic passing from a higher-security interface toward a lower one is assumed to be going toward a less-secure area. Therefore, it is forwarded with less stringent policies than traffic coming in toward a higher-security area.
On a PIX firewall, interfaces must have different security levels. The ASA allows interfaces to share the same security level, but only if the same-security-traffic permit inter-interface global configuration command has been used. In that case, traffic is forwarded according to the policies set by access lists, with no regard to higher or lower security levels.
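As an added example (not part of the original page and not Cisco tooling), a small Python audit of the security-level rules above, run over a constructed ASA-style configuration excerpt: the GigabitEthernet0/x names and the fourth "partner" interface are assumptions. It reports inside/outside not at 100/0 and any interfaces that share a level while the same-security-traffic permit inter-interface command is absent.

```python
from collections import defaultdict

# Constructed ASA-style config (not from a real device); the interface names
# and the fourth "partner" interface are assumptions for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/3
 nameif partner
 security-level 50
"""

def parse_security_levels(config):
    """Map each nameif to its security-level by walking the interface blocks."""
    levels, block = {}, {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["interface"]:
            block = {}  # a new interface block starts here
        elif len(tokens) == 2 and tokens[0] == "nameif":
            block["name"] = tokens[1]
        elif len(tokens) == 2 and tokens[0] == "security-level":
            block["level"] = int(tokens[1])
        if "name" in block and "level" in block:
            levels[block["name"]] = block["level"]
            block = {}
    return levels

def audit_security_levels(config):
    """Flag inside/outside off 100/0 and same-level pairs lacking the global permit."""
    levels = parse_security_levels(config)
    permit_same = "same-security-traffic permit inter-interface" in config.splitlines()
    findings, by_level = [], defaultdict(list)
    for name, level in levels.items():
        by_level[level].append(name)
        if name == "outside" and level != 0:
            findings.append(f"outside is security-level {level}; 0 is expected")
        if name == "inside" and level != 100:
            findings.append(f"inside is security-level {level}; 100 is expected")
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and not permit_same:
            findings.append(f"{sorted(names)} share security-level {level}; traffic between "
                            "them is dropped unless same-security-traffic permit inter-interface is set")
    return findings
```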
Assigning an IP address:
You can assign a static IP address if one is known and available for the firewall. Otherwise, you can configure the firewall to request an address from either a DHCP server or through PPPoE. (Your ISP should provide details about obtaining an address.) Choose one of the following steps:
- (Optional) Assign a static address:
Firewall(config)# ip address if_name ip_address [netmask]
If you have a static IP address that the firewall can use, you can assign it here. The interface named if_name (inside or outside, for example) uses the IP address and subnet mask given.
If you omit the netmask parameter, the firewall assumes that a classful network (Class A, B, or C) is being used.
For example, if the first octet of the IP address is 1 through 126 (1.0.0.0 through 126.255.255.255), a Class A netmask (255.0.0.0) is assumed.
If the first octet is 128 through 191 (128.0.0.0 through 191.255.255.255), a Class B netmask (255.255.0.0) is assumed.
If the first octet is 192 through 223 (192.0.0.0 through 223.255.255.255), a Class C netmask (255.255.255.0) is assumed.
If you use subnetting in your network, be sure to specify the correct netmask rather than the classful mask (255.0.0.0, 255.255.0.0, or 255.255.255.0) that the firewall derives from the IP address.
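An added example, not from the original page: the classful-mask rule above implemented in Python and applied to an ip address command, so the effective network can be checked before an omitted mask silently widens a subnetted network.

```python
import ipaddress

def classful_netmask(ip):
    """Mask the firewall assumes when 'ip address if_name ip_address' omits netmask:
    first octet 1-126 -> Class A, 128-191 -> Class B, 192-223 -> Class C."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "255.0.0.0"
    if 128 <= first <= 191:
        return "255.255.0.0"
    if 192 <= first <= 223:
        return "255.255.255.0"
    raise ValueError(f"{ip}: no classful default (loopback, class D or class E)")

def resolve_ip_address_command(command):
    """Parse 'ip address if_name ip_address [netmask]' and return the interface,
    the effective mask, the resulting network, and a warning if the mask was assumed."""
    tokens = command.split()
    if len(tokens) < 4 or tokens[:2] != ["ip", "address"]:
        raise ValueError(f"not an 'ip address' command: {command!r}")
    if_name, ip = tokens[2], tokens[3]
    assumed = len(tokens) == 4          # no netmask given: classful rule applies
    mask = classful_netmask(ip) if assumed else tokens[4]
    network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    warning = None
    if assumed:
        warning = (f"{if_name}: netmask omitted, classful {mask} assumed from the first "
                   f"octet; specify the mask explicitly if {ip} is on a subnetted network")
    return {
        "interface": if_name,
        "ip": ip,
        "mask": mask,
        "network": str(network),
        "mask_assumed": assumed,
        "warning": warning,
    }
```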
- Obtain an address via DHCP:
Firewall(config)# ip address outside dhcp [setroute] [retry retry_cnt]
Generally, the outside interface points toward an ISP. Therefore, the firewall can generate DHCP requests from that interface. If no reply is received, the firewall retries the request up to retry_cnt times (4 to 16; the default is 4).
You can also set the firewall's default route from the default gateway parameter returned in the DHCP reply. To do this, use the setroute keyword; otherwise, you have to explicitly configure a default route.
Tip: You can release and renew the DHCP lease for the outside interface by entering this configuration command again.
- Obtain an address through PPPoE:
A PIX or an ASA (beginning with release 8.0) platform can use a PPPoE client to make a broadband connection to an ISP. Point-to-Point Protocol over Ethernet (PPPoE) is a practical way of using the firewall's physical Ethernet interface to communicate with an ISP over traditional PPP infrastructure. PPPoE is supported only when the firewall is configured for single context, routed mode, without failover.
Like PPP, PPPoE requires the remote access client (the ASA, in this case) to authenticate and obtain network parameters before it can begin communicating over the link. To do this, the firewall uses a Virtual Private Dialup Network (VPDN) group. The group specifies the authentication method and the username and password credentials assigned by the ISP. You can use the following steps to configure the PPPoE client:
- Define a username for PPPoE authentication:
PIX:
Firewall(config)# vpdn username username password passwd [store-local]
ASA:
Firewall(config)# vpdn username username password passwd [store-local]
The firewall authenticates itself with an ISP using a username username (a text string) and password passwd (an unencrypted text string). You can repeat this command to define multiple usernames and passwords if several ISPs are possible. By default, the username and password are entered into the firewall configuration as a part of this command. If you use a management tool such as Cisco Security Manager (CSM) or CiscoWorks Firewall Management Center to deploy the firewall, a template configuration might overwrite a valid username and password. You can choose to store the username and password locally in the firewall's Flash memory by adding the store-local keyword.
- (Optional) Define a VPDN group to contain PPPoE parameters:
PIX:
Firewall(config)# vpdn group group_name localname username
ASA:
Firewall(config)# vpdn group group_name localname username
The firewall can associate PPPoE parameters into groups such that one group is used to negotiate with one ISP. Here, the group_name is an arbitrary name (up to 63 characters) that points to a locally defined username username and password pair. This pair should already be configured with the vpdn username username command.
- Set the PPPoE authentication method:
PIX:
Firewall(config)# vpdn group group_name ppp authentication {pap | chap | mschap}
ASA:
Firewall(config)# vpdn group group_name ppp authentication {pap | chap | mschap}
For the VPDN group, you should use the same authentication method that your ISP uses: pap (Password Authentication Protocol, with cleartext exchange of credentials), chap (Challenge Handshake Authentication Protocol, with encrypted exchange), or mschap (Microsoft CHAP, version 1 only).
- Enable PPPoE requests using a VPDN group:
PIX:
Firewall(config)# vpdn group group_name request dialout pppoe
ASA:
Firewall(config)# vpdn group group_name request dialout pppoe
The firewall builds PPPoE requests using the parameters defined in VPDN group group_name.
- Request IP address information on the outside interface:
PIX:
Firewall(config)# ip address outside pppoe [setroute]
ASA:
Firewall(config)# interface if_name
Firewall(config-if)# ip address pppoe [setroute]
The firewall sends PPPoE requests on its outside interface to authenticate and obtain an IP address and subnet mask from the ISP. If the default gateway that is returned should be used as the firewall's default route, add the setroute keyword. Otherwise, a default route must be configured manually on the firewall.
You can renegotiate the address parameters with the ISP by entering this configuration command again.
If you already have a static IP address assigned by the ISP, you can use an alternative command:
Firewall(config)# ip address outside ip-address netmask pppoe [setroute]
Here, the IP address and netmask are already known. The firewall still authenticates with the ISP through PPPoE, but it uses these values rather than negotiating them. As an example of PPPoE interface configuration, the following commands can be used to define a VPDN group for one ISP that can be used by the firewall:
Firewall(config)# vpdn username JohnDoe password JDsecret
Firewall(config)# vpdn group ISP1 localname JohnDoe
Firewall(config)# vpdn group ISP1 ppp authentication chap
Firewall(config)# vpdn group ISP1 request dialout pppoe
Firewall(config)# ip address outside pppoe setroute
Verify the IP address:
Firewall# show ip
or
Firewall# show ip if_name {dhcp | pppoe}
Ping the next-hop gateway address:
Firewall# ping [if_name] ip_address
You can send ICMP echo requests to the next-hop gateway or a host located on the same subnet as the firewall interface. You can specify which firewall interface name to use with if_name, but this is not required. The target is at ip_address.
If ICMP replies are received, they are reported along with the round-trip time, as in this example:
Firewall# ping 192.168.199.4
192.168.199.4 response received -- 0ms
192.168.199.4 response received -- 30ms
192.168.199.4 response received -- 0ms
Firewall#
Verify PPPoE operation:
As soon as the PPPoE client is configured and the interface is connected and is operational, the firewall automatically attempts to bring up the PPPoE connection.
You can see the status with the following command:
Firewall# show vpdn session
For example, if the PPPoE client has negotiated its connection, you might see the following output:
Firewall# show vpdn session
PPPoE Session Information (Total tunnels=1 sessions=1)
Remote Internet Address is 192.168.11.1
Session state is SESSION_UP
Time since event change 10002 secs, interface outside
PPP interface id is 1
36 packets sent, 36 received, 1412 bytes sent, 0 received
Firewall#
If the PPPoE connection does not come up normally, you can use the debug pppoe event command to see PPPoE negotiation events as they occur.
A firewall has three interfaces:
- inside (gb-ethernet0)
- outside (gb-ethernet1)
- dmz (gb-ethernet2)
These interfaces have IP addresses 172.16.1.1, 172.17.1.1, and 172.18.1.1, respectively. The configuration commands needed are as follows, for both PIX 6.3 and ASA releases:
PIX 6.3:
Firewall(config)# interface gb-ethernet0 1000auto
Firewall(config)# interface gb-ethernet1 1000auto
Firewall(config)# interface gb-ethernet2 1000auto
Firewall(config)# nameif gb-ethernet0 inside security100
Firewall(config)# nameif gb-ethernet1 outside security0
Firewall(config)# nameif gb-ethernet2 dmz security50
Firewall(config)# ip address inside 172.16.1.1 255.255.0.0
Firewall(config)# ip address outside 172.17.1.1 255.255.0.0
Firewall(config)# ip address dmz 172.18.1.1 255.255.0.0
ASA:
Firewall(config)# interface gigabitethernet0
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 172.16.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet1
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 172.17.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet2
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# nameif dmz
Firewall(config-if)# security-level 50
Firewall(config-if)# ip address 172.18.1.1 255.255.0.0
As a final example, consider an ASA or PIX Firewall in a similar scenario. Here, a single physical interface (gb-ethernet0) is configured as a trunk. The inside, outside, and dmz interfaces are all logical, as VLANs 100, 200, and 300, respectively. The configuration commands needed are shown as follows for both the PIX 6.3 and ASA releases:
PIX 6.3:
Firewall(config)# interface gb-ethernet0 1000auto
Firewall(config)# interface gb-ethernet0 100 physical
Firewall(config)# interface gb-ethernet0 200 logical
Firewall(config)# interface gb-ethernet0 300 logical
Firewall(config)# nameif vlan100 inside security100
Firewall(config)# nameif vlan200 outside security0
Firewall(config)# nameif vlan300 dmz security50
Firewall(config)# ip address inside 172.16.1.1 255.255.0.0
Firewall(config)# ip address outside 172.17.1.1 255.255.0.0
Firewall(config)# ip address dmz 172.18.1.1 255.255.0.0
ASA:
Firewall(config)# interface gigabitethernet0
Firewall(config-if)# speed auto
Firewall(config-if)# duplex auto
Firewall(config-if)# no nameif
Firewall(config-if)# interface gigabitethernet0.1
Firewall(config-if)# vlan 100
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 172.16.1.1 255.255.0.0
Firewall(config-if)# interface gigabitethernet0.2
Firewall(config-if)# vlan 200
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 172.17.1.1 255.255.0.0
Firewall(config)# interface gigabitethernet0.3
Firewall(config-if)# vlan 300
Firewall(config-if)# nameif dmz
Firewall(config-if)# security-level 50
Firewall(config-if)# ip address 172.18.1.1 255.255.0.0