Interfaces
  1. Assign an IP Address and Subnet Mask

    Run ip address against each interface in the firewall that connects to another network.

    For unused interfaces, the firewall assigns 127.0.0.1 (the local host address) to each interface and a subnet mask of 255.255.255.255, which does not permit traffic to flow through the interface. The 127.0.0.1 address is the Internet address for the local host and is not used by any Internet site.

    The format for ip address is as follows:

    ip address inside ip_address netmask
    ip address outside ip_address netmask

    Replace ip_address with the IP address you specify for the interface.

    The IP addresses that you assign should be unique for each interface. Do not use an address you previously used for routers, hosts, or with any other firewall command, such as an IP address in the global pool or for a static.

    Replace netmask with the network mask for the IP address:

    Netmask          Class   IP address begins with
    255.0.0.0        A       1 to 127
    255.255.0.0      B       128 to 191
    255.255.255.0    C       192 and higher

    Do not use 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface. If subnetting is in use, use the subnet in the mask; for example, 255.255.255.228.

    Specify the network mask using ip address. If you let the firewall assign a network mask based on the IP address, you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first address.

    For example, if you specify an inside interface address of 10.1.1.1 without specifying a network mask and then try to specify 10.1.2.2 as a perimeter interface address, the firewall displays the error message, "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, reenter the first command specifying the correct network mask.

    Use show ip to view the commands you entered.

    If you make a mistake while entering a command, reenter the same command with new information.

    An example ip address command follows:

    ip address inside 192.168.1.1 255.255.255.0
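    The address rules in this step, as an added example that is not part of the original page or of Cisco's own code: a small Python checker that replays ip address commands in order and reports what the text warns about. It assumes the classful defaults from the table above when no netmask is given, treats a netmask that is not a contiguous run of one bits as invalid, flags 255.255.255.255 on a connected interface, and models the "same network as interface n" rejection as an overlap between the two interfaces' networks (an assumption about how the firewall decides). The sample commands are constructed and mirror the 10.1.1.1 / 10.1.2.2 mistake described above.

```python
"""Offline checker for PIX-style ``ip address`` commands.  Added example,
not Cisco's code: it only encodes the rules stated in the text above."""
import ipaddress
from typing import Dict, List, Optional


def classful_mask(ip: str) -> str:
    """Netmask the firewall derives from the first octet when none is given
    (the class A/B/C table in the text)."""
    first_octet = int(ip.split(".")[0])
    if first_octet <= 127:
        return "255.0.0.0"
    if first_octet <= 191:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_ip_address(line: str) -> Optional[dict]:
    """Split 'ip address <interface> <ip> [netmask]'; None for other lines."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["ip", "address"]:
        return None
    return {"iface": parts[2], "ip": parts[3],
            "mask": parts[4] if len(parts) > 4 else None}


def check_ip_address_commands(lines: List[str]) -> List[str]:
    """Replay the commands in order and return the problems the firewall
    would raise or the text warns about.  A command for an interface that
    already has an address replaces it, as re-entering a command does."""
    findings: List[str] = []
    assigned: Dict[str, ipaddress.IPv4Interface] = {}
    for line in lines:
        cmd = parse_ip_address(line)
        if cmd is None:
            continue
        iface = cmd["iface"]
        mask = cmd["mask"] or classful_mask(cmd["ip"])
        try:
            # ipaddress rejects masks that are not a contiguous run of 1 bits
            addr = ipaddress.IPv4Interface((cmd["ip"], mask))
        except ValueError:
            findings.append(f"{iface}: invalid address or netmask {cmd['ip']} {mask}")
            continue
        if mask == "255.255.255.255":
            findings.append(f"{iface}: 255.255.255.255 stops traffic on a connected interface")
        # Assumption: the firewall's "same network" check is a network overlap.
        clash = next((other for other, a in assigned.items()
                      if other != iface and a.network.overlaps(addr.network)), None)
        if clash is not None:
            findings.append(f"{iface}: not allowed to enter IP address on same network "
                            f"as interface {clash} ({assigned[clash]})")
            continue  # the firewall rejects the command; nothing is assigned
        assigned[iface] = addr
    return findings


if __name__ == "__main__":
    # Constructed sample: the mistake from the text, then the corrected entry.
    mistake = ["ip address inside 10.1.1.1",  # no mask: classful default /8
               "ip address dmz 10.1.2.2 255.255.255.0"]
    fixed = ["ip address inside 10.1.1.1 255.255.255.0",
             "ip address dmz 10.1.2.2 255.255.255.0",
             "ip address outside 192.168.1.1 255.255.255.0"]
    for label, config in (("mistake", mistake), ("fixed", fixed)):
        print(label, check_ip_address_commands(config) or "no findings")
```

    Running the mistake sample reports the dmz command as rejected because 10.1.2.2 falls inside the 10.0.0.0/8 network the inside interface received by default; re-entering the inside command with 255.255.255.0 clears the finding, which is the fix the text describes.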


  2. Configure Interface Hardware and Speed

    All interfaces in a new firewall are shut down by default. To enable an interface, use the interface command.

    If you have Ethernet interfaces in the firewall, the default configuration provides the necessary options. If the firewall has Gigabit Ethernet, there are additional considerations.

    The format for the interface command is as follows:

    interface hardware_id hardware_speed [shutdown]

    Use write terminal to view interface configuration information.

    If you make a mistake while entering an interface command, reenter the same command with new information.

    Make sure the MTU is no more than 1500 bytes for Ethernet.


  3. Set Interface Name and Security Level

    Each interface has a unique name and security level that you can change using nameif. By default, Ethernet0 is named outside and assigned the level security0, and Ethernet1 is named inside with the level security100. Perimeter interfaces are named intfn by default, where n represents the position of the interface card in the firewall. The default security level of perimeter interfaces starts at security10 for ethernet2 (intf2) and increments by 5 for each additional interface.

    You can skip this section if you are using the default interface names and security levels.

    Use show nameif to view the current names and security levels for each interface.

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10

    Security levels let you control access between systems on different interfaces. How you enable or restrict access depends on the relative security level of the interfaces:

    • To enable access to a higher security level interface from a lower level interface, run static and access-list.

    • To enable access to a lower level interface from a higher level interface, run nat and global.

    Locate servers on the perimeter interface with the lowest security level: if a server is compromised, the attacker can then easily reach only an interface with a still lower security level, that is, the outside. The only exception to placing servers on the lowest-level perimeter interface is TFTP servers.

    The format for nameif is as follows:

    nameif hardware_id interface security_level

    Replace interface with any meaningful name, such as dmz or perim.

    Shorter names are better than long names. You can use up to 48 characters. The default names are intfn, where n represents the position of the interface card in the firewall.

    Replace security_level with a value such as security40 or security60.

    The default security levels for perimeter interfaces increment by 5 for each interface starting with security10 for intf2 (the default name for the first perimeter interface). For example:

    intf3 = security15
    intf4 = security20
    intf5 = security25

    You can choose any unique security level between 1 and 99 for a perimeter interface. If you have four or more interfaces, it will be easier to enter the configuration if you use the higher security level for the perimeter interface with more hosts.
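    The naming and security level rules of this step, as an added example that is not part of the original page or of Cisco's own code: a Python checker that computes the default name and level for each card position (outside/security0, inside/security100, then intfn from security10 in steps of 5), validates a set of nameif commands against the constraints given above (names up to 48 characters, unique names, perimeter levels between 1 and 99, unique levels), and maps a pair of levels to the commands the text says are needed to permit traffic between them. The default names and levels for interfaces beyond intf5, and the handling of equal levels, are extrapolated from the text and are assumptions; the sample commands are constructed.

```python
"""Checker for PIX-style ``nameif`` commands and the access rule the text
gives for security levels.  Added example, not Cisco's code."""
import re
from typing import Dict, List, Optional, Tuple

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)$")
MAX_NAME_LEN = 48  # the limit the text states


def default_nameif(position: int) -> Tuple[str, str, int]:
    """Default (hardware_id, name, level) for the card in slot ``position``:
    ethernet0/outside/0, ethernet1/inside/100, then intfN starting at
    security10 and rising by 5 per card (assumed to continue past intf5)."""
    if position == 0:
        return ("ethernet0", "outside", 0)
    if position == 1:
        return ("ethernet1", "inside", 100)
    return (f"ethernet{position}", f"intf{position}", 10 + 5 * (position - 2))


def parse_nameif(line: str) -> Optional[Tuple[str, str, int]]:
    """Split 'nameif <hardware_id> <interface> security<level>'."""
    m = NAMEIF_RE.match(line.strip())
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def check_nameif_commands(lines: List[str]) -> List[str]:
    """Apply the commands (a later command for the same hardware id replaces
    an earlier one) and report violations of the rules in the text."""
    config: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        parsed = parse_nameif(line)
        if parsed is not None:
            hw, name, level = parsed
            config[hw] = (name, level)

    findings: List[str] = []
    items = list(config.items())
    for i, (hw, (name, level)) in enumerate(items):
        if len(name) > MAX_NAME_LEN:
            findings.append(f"{hw}: name {name!r} is longer than {MAX_NAME_LEN} characters")
        if name not in ("outside", "inside") and not 1 <= level <= 99:
            findings.append(f"{hw}: perimeter level security{level} must be between 1 and 99")
        # Compare only against earlier entries so each clash is reported once.
        for other_hw, (other_name, other_level) in items[:i]:
            if other_name == name:
                findings.append(f"{hw}: name {name} already used by {other_hw}")
            if other_level == level:
                findings.append(f"{hw}: security{level} already used by {other_hw}")
    return findings


def commands_to_permit(src_level: int, dst_level: int) -> Optional[str]:
    """Commands that open a flow from an interface at src_level to one at
    dst_level.  Returns None for equal levels, for which the text gives no
    rule (assumption: treated as undefined here rather than permitted)."""
    if src_level < dst_level:
        return "static and access-list"
    if src_level > dst_level:
        return "nat and global"
    return None


if __name__ == "__main__":
    # Constructed sample: four default interfaces plus a dmz that reuses
    # intf2's level, which the uniqueness rule rejects.
    defaults = [f"nameif {hw} {name} security{lvl}"
                for hw, name, lvl in map(default_nameif, range(4))]
    print(check_nameif_commands(defaults) or "defaults: no findings")
    print(check_nameif_commands(defaults + ["nameif ethernet4 dmz security10"]))
    print("outside -> inside:", commands_to_permit(0, 100))
    print("inside -> outside:", commands_to_permit(100, 0))
```

    The check works on the final configuration rather than line by line, so re-entering a nameif command for the same hardware id with corrected values clears an earlier finding instead of adding a duplicate-name report.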