Having discussed how to administer Cisco ASA using the ASDM, here is a brief description of some important parameters.
Interface: This identifies either the hardware interface or the switch VLAN interface that needs to be configured. In interface configuration mode (e.g. e0/1), a switch port can be assigned to a VLAN and the interface can be brought up (made active).
Note: Names and security levels can be assigned to a VLAN interface as well.
Nameif: This gives the interface a name, such as outside, inside, or DMZ, and at the same time assigns it a security level.
Security-level: A numeric value from 0 to 100 that the ASA uses to control traffic flow. Traffic is only permitted to flow from a higher security level to a lower one, not vice versa. To allow access from a lower security level to a higher one, access-lists must be used, since the default security level of the outside interface is 0.
Here are the steps for assigning virtual interfaces on a Cisco ASA. First, we assign the inside and outside VLAN interfaces; then the DMZ interface is configured and given a security level of 50, as shown in the configuration below.
ASA(config)# interface vlan1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# interface vlan2
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# interface vlan3
ASA(config-if)# nameif dmz
ASA(config-if)# security-level 50
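As an added example (not part of the original article), the following Python script parses the nameif and security-level commands above out of a constructed running-config sample, applies the defaults the INFO lines mention, and reports which interface pairs pass traffic without an access-list; the fourth interface (guest) is an assumption added to show what happens when security-level is forgotten.

```python
# Constructed sample modelled on the nameif / security-level commands shown
# above; the fourth interface deliberately omits security-level (not a real device).
SAMPLE_CONFIG = """\
interface vlan1
 nameif inside
 security-level 100
interface vlan2
 nameif outside
 security-level 0
interface vlan3
 nameif dmz
 security-level 50
interface vlan4
 nameif guest
"""

def parse_security_levels(config):
    """Map each nameif to its effective security level.
    ASA defaults apply when the command is absent: 100 for 'inside', else 0."""
    levels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            levels[current] = 100 if current == "inside" else 0
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels

def default_flow_allowed(levels, src, dst):
    """Traffic passes without an access-list only from a higher to a lower level.
    Equal levels are blocked unless same-security-traffic permit is configured."""
    return levels[src] > levels[dst]

def audit(levels):
    """Findings worth checking before trusting the security-level model."""
    findings = []
    if levels.get("outside", 0) != 0:
        findings.append("outside is not at security-level 0")
    by_level = {}
    for name, lvl in levels.items():
        if lvl in by_level:
            findings.append(f"{name} shares security-level {lvl} with {by_level[lvl]}")
        by_level.setdefault(lvl, name)
    return findings
```

Calling `audit(parse_security_levels(SAMPLE_CONFIG))` on the sample reports that guest shares security-level 0 with outside, so the forgotten command leaves guest no better protected from the outside than the outside interface itself.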
IP Address: Used to assign an IP address to a VLAN interface, either statically or dynamically (that is, making the interface a DHCP client).
With recent versions of the ASA software it is not essential to configure the default (classful) subnet mask, as we can see below. When using a classless mask, however, you have to configure the mask explicitly.
In this demonstration, an IP address is assigned to VLAN 2, the outside interface. Note: Ethernet port 0 is used to connect to the outside world and belongs to VLAN 2.
ASA(config-if)# interface vlan 2
ASA(config-if)# ip address x9.xx.3x.21
To assign a DHCP address to a Cisco ASA interface, here we configure interface VLAN 1, the inside interface, as a DHCP client so that it obtains an IP address. Note: the setroute keyword ensures that it gets all its IP parameters from the DHCP server.
ASA(config-if)# interface vlan 1
ASA(config-if)# ip address dhcp setroute
Assigning Ports to VLANs: In this step you assign ports to the particular VLAN you want, as shown below, e.g. to add e0/0 to VLAN 2 and e0/1 to VLAN 1:
ASA(config-if)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdown
ASA(config-if)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 1
ASA(config-if)# no shutdown
Network Object: object network “MyNameD”. The name “MyNameD” can be any word or number; the command creates an object named “MyNameD”. The network keyword specifies that this object is based on IP addresses. The subnet 10.1x.1.x 255.0.0.0 command states that “MyNameD” will match any IP address beginning with 192.168.1x.x
ASA(config-if)# object network MyNameD
ASA(config-network-object)# subnet 10.1x.1.x 255.x.0.0
Network Address Translation (NAT): Enables the ASA to let outgoing traffic from the inside interface to the outside interface use an address dynamically or statically configured on the outside interface. In the object NAT form used here, the nat command is entered under the network object defined above.
ASA(config)# object network MyNameD
ASA(config-network-object)# nat (inside,outside) dynamic interface
Route: This command sets a default route for traffic, typically to an ISP’s router. It can also be used to direct traffic to specific subnets.
In this example, the route command configures a default route to the ISP’s router at 10.1x.1.x. The two zeroes before the ISP’s router IP address are a short form of the full network 0.0.0.0 with a mask of 0.0.0.0. The keyword outside identifies the interface through which traffic will flow to reach the default route.
ASA(config-if)# route outside 0 0 10.10.1.3
On other Cisco ASA models the interface configuration is different. Notice in the screen capture from a Cisco ASA 5510, 5520 or 5540 that the nameif command is used to name physical interfaces instead of VLAN interfaces, and the VLAN interface is associated afterwards.