45-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
This section contains the following topics:
• Understanding Device Interfaces, page 45-3
• Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14
• Advanced Interface Settings (PIX/ASA/FWSM), page 45-42
Understanding Device Interfaces
An interface is a point of connection between a security device and some other network device.
Interfaces are initially disabled; thus, as an essential part of firewall configuration, interfaces must be
enabled and configured to allow appropriate packet inspection and forwarding.
There are two types of interface: physical and logical. A physical interface is the actual slot on the
device into which a network cable is plugged; a logical interface is a virtual port assigned to a
specific physical port. Generally, physical ports are referred to as interfaces, while logical ports are
referred to as subinterfaces, virtual interfaces, VLANs, or EtherChannels, depending on their function.
The number and type of interfaces you can define varies with appliance model and type of license
purchased.
Note On devices running version 6.3 of the PIX operating system, the labels “physical” and “logical” are used,
rather than “interface” and “subinterface.” Also, transparent mode and multiple contexts are not
supported on these devices.
Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with
different VLAN IDs. Because VLANs keep traffic separate on a given physical interface, you can
increase the number of interfaces available to your network without adding additional physical interfaces
or security appliances. This feature is particularly useful in multiple-context mode, allowing you to
assign unique interfaces to each context.
As a general rule, interfaces attach to router-based networks, and subinterfaces attach to switch-based
networks. All subinterfaces must be associated with a physical interface that is responsible for routing
allowed traffic correctly.
If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the
physical interface passes untagged packets. The physical interface must be enabled for the subinterface
to pass traffic, but leave the physical interface unnamed so that it does not itself pass traffic. However, if
you do want to let the physical interface pass untagged packets, you can name the interface as usual. See
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14 for information about
naming an interface.
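The two rules above (the parent physical interface must be enabled but, unless you want untagged traffic, must not be named) can be checked against a device configuration. The following is an added example, not part of this guide or of Security Manager; it parses a constructed ASA-style running-config (hypothetical interface names, only the interface, vlan, nameif and shutdown lines) and reports subinterfaces whose parent is named or shut down.

```python
import re

# Constructed ASA-style running-config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
interface GigabitEthernet0/1.201
 vlan 201
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
 shutdown
interface GigabitEthernet0/2.300
 vlan 300
 nameif partner
"""

def parse_interfaces(config):
    """Map interface name -> nameif, VLAN tag, shutdown flag (only the lines this check needs)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:  # assumption: a disabled interface shows an explicit 'shutdown' line
            current = interfaces[m.group(1)] = {"nameif": None, "vlan": None, "shutdown": False}
        elif current and line.startswith("nameif "):
            current["nameif"] = line.split(None, 1)[1]
        elif current and line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif current and line == "shutdown":
            current["shutdown"] = True
    return interfaces

def audit_subinterfaces(config):
    """Return (subinterface, problem) pairs: parent named (passes untagged) or shut down."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, props in ifaces.items():
        if "." not in name or props["vlan"] is None:
            continue  # not a tagged subinterface
        parent_name = name.split(".", 1)[0]
        parent = ifaces.get(parent_name)
        if parent is None:
            findings.append((name, f"parent {parent_name} missing from config"))
            continue
        if parent["nameif"]:
            findings.append((name, f"parent {parent_name} is named and also passes untagged traffic"))
        if parent["shutdown"]:
            findings.append((name, f"parent {parent_name} is shut down; subinterface carries no traffic"))
    return findings
```

Run `audit_subinterfaces(SAMPLE_CONFIG)`: the subinterface under the unnamed, enabled GigabitEthernet0/1 is clean, while GigabitEthernet0/2.300 is reported twice because its parent is both named and shut down.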
Note The ASA 5505, combining switch and security appliance features, is a special case in that you configure
both physical switch ports and logical VLAN interfaces. See Understanding ASA 5505 Ports and
Interfaces, page 45-6 for more information.
The Catalyst 6500 services modules (ASA-SMs and FWSMs) do not include any external physical
interfaces—instead, they use internal VLAN interfaces. For example, assume you assign VLAN 201 to
an FWSM inside interface, and VLAN 200 to the outside interface. You assign these VLANs to physical
switch ports, and hosts connect to those ports. When communication occurs between VLANs 201 and
200, the FWSM is the only available path between the VLANs, forcing traffic to be statefully inspected.
See the following sections for additional information about device interfaces: