16-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 16 Completing Interface Configuration (Transparent Mode, 8.3 and Earlier)
Information About Completing Interface Configuration in Transparent Mode (8.3 and Earlier)
Information About the Global Management IP Address
A transparent firewall does not participate in IP routing. The only IP configuration required for the ASA
is to set the management IP address. This address is required because the ASA uses this address as the
source address for traffic originating on the ASA, such as system messages or communications with
AAA servers. You can also use this address for remote management access.
For IPv4 traffic, the management IP address is required to pass any traffic. For IPv6 traffic, you must, at
a minimum, configure the link-local addresses to pass traffic, but a global management address is
recommended for full functionality, including remote management and other management operations.
Note: In addition to the management IP address for the device, you can configure an IP address for the Management interface. This IP address can be on a separate subnet from the main management IP address.
Although you do not configure IPv4 or global IPv6 addresses for other interfaces, you still need to configure the security level and interface name according to the “Configuring General Interface Parameters” section on page 16-10.
Security Levels
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Same Security Level Communication” section on page 16-17 for more information.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
  If you enable communication for same security interfaces (see the “Allowing Same Security Level Communication” section on page 16-17), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
  If you enable communication for same security interfaces, you can filter traffic in either direction.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
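The CLI equivalent of what this section describes (the global management IP address, a name and security level on each interface, and an access list that replaces the implicit higher-to-lower permit with an explicit policy) is shown below as an added example; it is not taken from the guide or from an ASDM screen. All hostnames, interface assignments, addresses, and ports are constructed for illustration, and the two-data-interface layout reflects the transparent-mode limit of 8.2 and earlier.

```cisco
! Added example: CLI equivalent of the transparent-mode settings described above.
! Hostname, interface assignments, addresses and ports are constructed.
firewall transparent
hostname tfw-example
!
! Interfaces carry no IPv4 address in transparent mode, but each still needs
! a name and a security level: 0 = least trusted, 100 = most trusted.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Global management IP address (8.2 and earlier): the source address for
! syslog, AAA and remote management, and required before IPv4 traffic passes.
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Optional: the dedicated Management interface gets its own address on a
! separate subnet and is restricted to management traffic only.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
 no shutdown
!
! inside (100) -> outside (0) is implicitly permitted. Binding an explicit
! list to the inside interface limits outbound traffic to approved services
! and logs everything else that is dropped.
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit udp 10.1.1.0 255.255.255.0 host 10.1.1.53 eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! outside (0) -> inside (100) has no implicit permit; only what is listed
! here is allowed in, and denied attempts are logged for detection.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Only needed if two interfaces share a security level; without it no
! traffic passes between them at all:
! same-security-traffic permit inter-interface
```

After applying a policy like this, `show access-list` reports per-entry hit counts, which is the quickest way to confirm that the explicit deny entries are catching traffic you expected the implicit permit to carry. Treat the `established` command the section mentions as a deliberate widening of the lower-to-higher direction: scope it to the exact protocol and port pair the application needs rather than relying on its defaults.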