Cisco Adaptive Security Appliance (ASA) Configuration: Interfaces

To start the configuration of Fast Ethernet and Gigabit Ethernet interfaces on your Cisco Adaptive Security Appliance (ASA), first connect to your ASA and enter Global Configuration mode with this command:

ASAFirewall1#configure terminal

The next step is to choose your interface by type and number. You can choose from Ethernet (which on the ASA 5505 means a Fast Ethernet switch port) or GigabitEthernet interfaces. After choosing the type, specify the slot and port number.

Interfaces in current ASA software versions are numbered starting at the motherboard in one of these formats: network-module-slot/port, 0/interface-card-slot/port, or network-module-slot/interface-card-slot/port. Effectively, all modules are connected to the motherboard slot on the ASA, which is always slot 0 (this is the first zero in the interface name):

ASAFirewall1(config)#interface Ethernet 0/0

Now you can set the specifics of the network connection or use the Auto settings for Duplex and Speed modes. Duplex modes are Full- or Half-Duplex, whereas speeds range from 10 Mbps up to the maximum speed of the interface:

ASAFirewall1(config-if)#duplex auto
ASAFirewall1(config-if)#speed auto

On switches you might skip the description option, but on your ASA it is a good idea to give each interface a description so that you do not change the configuration of the wrong interface. (It can be a career-limiting move to shut down the wrong interface at a critical time for your business!)

The description does not change how the interface behaves; it is purely a guard against human error:

ASAFirewall1(config-if)#description Internal Interface

You have done all this work, so there is a good chance that you want to use this interface now. But exit configuration mode and check the running configuration for the interface; you will notice one item that looks a little strange:

ASAFirewall1#show running-config interface Ethernet 0/0
interface Ethernet0/0
switchport access vlan 2

The important item here is the one that is missing: there is no shutdown line, because unlike router interfaces, the switch ports on your ASA are enabled by default. What is present instead is a VLAN assignment. Every switch port belongs to a VLAN, and in the ASA 5505 factory default configuration Ethernet0/0 is placed in VLAN 2, which is the outside VLAN, while the remaining ports sit in VLAN 1, the inside VLAN. Do not assume a port is "inside" just because it is enabled; check its VLAN membership before you cable anything to it. As on a switch, the no shutdown command removes a shutdown command if one has been applied (and is harmless if the port is already enabled). Complete the configuration of your ASA interface with the following command:

ASAFirewall1(config-if)#no shutdown

If you are working on the console or have terminal monitor enabled, you receive a status message telling you that the interface has been enabled. This message is similar to the following:

%LINK-5-CHANGED: Interface Ethernet0/0, changed state to up

That is everything that is required (and then some) for you to configure an ASA switch port. If you trust the Auto settings for Speed and Duplex modes, what remains is to configure the VLAN interfaces: give each one a name (nameif), a security level and an IP address, and associate one or more ports with that VLAN. On the ASA 5505 the physical switch port never carries a nameif or an IP address; the VLAN interface does, and until it has a nameif the ASA will not pass traffic through it.

A description is nice to have, and other configuration options depend on the rest of your network, such as your VLAN design.
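The steps above, assembled into one complete configuration for a switch port and the VLAN interface it feeds. This is an added example written for this page, not configuration from the original article; the hostname, VLAN number, IP address and description are assumed values, and the security-level, nameif and show switch vlan commands are standard ASA 5505 commands.

```cisco
! Added example (assumed hostname, VLAN 10 and 192.168.10.0/24 are illustrative).
ASAFirewall1# configure terminal

! Physical switch port: speed/duplex, description, VLAN membership, enabled.
! Ethernet0/0 is in VLAN 2 (outside) by factory default, so an inside port
! is deliberately chosen here and moved to an explicit VLAN.
ASAFirewall1(config)# interface Ethernet0/1
ASAFirewall1(config-if)# description Internal Interface
ASAFirewall1(config-if)# speed auto
ASAFirewall1(config-if)# duplex auto
ASAFirewall1(config-if)# switchport access vlan 10
ASAFirewall1(config-if)# no shutdown
ASAFirewall1(config-if)# exit

! The name, security level and IP address go on the VLAN interface, not on the
! switch port; without a nameif the ASA treats the VLAN as unconfigured.
ASAFirewall1(config)# interface Vlan10
ASAFirewall1(config-if)# nameif inside
ASAFirewall1(config-if)# security-level 100
ASAFirewall1(config-if)# ip address 192.168.10.1 255.255.255.0
ASAFirewall1(config-if)# no shutdown
ASAFirewall1(config-if)# end

! Check which ports landed in which VLAN before plugging cables in.
ASAFirewall1# show switch vlan
ASAFirewall1# show running-config interface Vlan10
```

Run show switch vlan after every port change: a port that is enabled but still in VLAN 2 is an outside port, whatever its description says.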

After you have the interface up and running, if you are using auto for your speed and duplex settings, examine the interface to ensure that it has detected settings that you are happy with. Do this with the show interface command:

ASAFirewall1# show interface Ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001f.ca8c.93d2, MTU not set
        IP address unassigned
        13666 packets input, 1134634 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        13660 switch ingress policy drops
        142 packets output, 13321 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

In all that information, notice that the interface and line protocol should both be up, meaning the port is properly connected to the network and communicating with other devices. The values in parentheses are what was actually negotiated: in the preceding example the interface detected Full-duplex and a speed of 100 Mbps. The name field is empty and the output says "Available but not configured via nameif" because on the ASA 5505 the nameif belongs to the VLAN interface, not the switch port. A duplex mismatch between the two ends of a link typically shows up in this output as a growing count of CRC errors, input errors, runts and late collisions, so check those counters again after the port has carried some traffic, not only the negotiated values.
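A small parser for the show interface output above, as an added example (not code from the original article). It extracts the up/up state, the negotiated duplex and speed, the nameif and the error counters, and applies the checks described here: half-duplex, non-zero CRC, runt and late-collision counters, and a port whose input is almost entirely dropped by the switch ingress policy. The first sample block is the article's output; the second is a constructed variant showing what a duplex mismatch typically looks like, and the ingress-drop heuristic and its threshold are assumptions, not ASA documentation.

```python
import re

# Constructed samples. SAMPLE_ARTICLE is the output shown in the article;
# SAMPLE_MISMATCH is hand-written to look like a duplex mismatch (half-duplex
# negotiated, CRC errors and late collisions climbing) and is not captured data.
SAMPLE_ARTICLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001f.ca8c.93d2, MTU not set
        IP address unassigned
        13666 packets input, 1134634 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        13660 switch ingress policy drops
        142 packets output, 13321 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
"""

SAMPLE_MISMATCH = """\
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001f.ca8c.93d3, MTU not set
        IP address unassigned
        80211 packets input, 9120433 bytes, 0 no buffer
        Received 120 broadcasts, 3 runts, 0 giants
        412 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
        71390 packets output, 8103322 bytes, 0 underruns
        0 output errors, 1530 collisions, 0 interface resets
        0 babbles, 96 late collisions, 44 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
"""

HEADER_RE = re.compile(r'^Interface (?P<name>\S+) "(?P<nameif>[^"]*)", is (?P<state>[\w ]+?), '
                       r'line protocol is (?P<proto>\w+)')
# "Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)": the configured mode is outside
# the parentheses, the value actually in effect is inside them.
NEGOT_RE = re.compile(r'(?P<dup_cfg>[\w-]+)\((?P<dup>Full|Half)-duplex\), '
                      r'(?P<spd_cfg>[\w -]+?)\((?P<spd>\d+) Mbps\)')
# "<count> <label>" pairs separated by commas on the counter lines.
COUNTER_RE = re.compile(r'(\d+) ([A-Za-z][A-Za-z0-9 ]*?)(?=,|$)')


def parse_show_interface(text):
    """Parse one 'show interface' block into a dict of fields and counters."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("not a 'show interface' block: " + lines[0])
    info = {"name": header["name"], "nameif": header["nameif"],
            "up": header["state"] == "up", "protocol_up": header["proto"] == "up",
            "duplex": None, "speed_mbps": None,
            "auto_duplex": False, "auto_speed": False, "counters": {}}
    for ln in lines[1:]:
        neg = NEGOT_RE.search(ln)
        if neg:
            info["duplex"] = neg["dup"]
            info["speed_mbps"] = int(neg["spd"])
            info["auto_duplex"] = neg["dup_cfg"].startswith("Auto")
            info["auto_speed"] = neg["spd_cfg"].startswith("Auto")
        elif ln.startswith("Received ") or ln[:1].isdigit():
            for value, label in COUNTER_RE.findall(ln):
                info["counters"][label] = int(value)
    return info


def assess(info):
    """Post-enable health checks; returns a list of human-readable findings."""
    findings = []
    if not (info["up"] and info["protocol_up"]):
        findings.append("interface is not up/up")
    if info["duplex"] != "Full":
        findings.append(f"{info['duplex']}-duplex negotiated: check the far end for a mismatch")
    c = info["counters"]
    for key in ("CRC", "input errors", "runts", "late collisions"):
        if c.get(key, 0) > 0:
            findings.append(f"{key} = {c[key]}: symptom of a duplex mismatch or bad cabling")
    pkts_in, drops = c.get("packets input", 0), c.get("switch ingress policy drops", 0)
    if pkts_in and drops / pkts_in > 0.9:  # assumed threshold, heuristic only
        findings.append("most input dropped by switch ingress policy: check the port's VLAN "
                        "and that the VLAN interface has a nameif and is up")
    if not info["nameif"]:
        findings.append("no nameif on this port (normal on an ASA 5505 switch port; "
                        "the name belongs to the VLAN interface)")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ARTICLE, SAMPLE_MISMATCH):
        parsed = parse_show_interface(sample)
        print(parsed["name"], parsed["duplex"], parsed["speed_mbps"], assess(parsed))
```

Paste the output of show interface for each port into the script after bringing the port up, and again after it has carried traffic: the negotiated values are only half the story, and the late-collision and CRC counters are what expose a mismatch that auto-negotiation got wrong.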
