45-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
Bridge Groups
Beginning with the ASA 8.4.1 and FWSM 3.1, in transparent mode, you can increase the number of
interfaces available to a device or context through use of bridge groups. You can configure up to eight
bridge groups; on an FWSM each group can contain two interfaces; on an ASA each group can contain
four interfaces. See Add/Edit Bridge Group Dialog Box, page 45-41 for more information.
Related Topics
Chapter 46, “Configuring Bridging Policies on Firewall Devices”
Interfaces in Single and Multiple Contexts
Security “contexts” allow a single physical device to operate as multiple, independent firewalls. In
multiple-context mode, each context defines a single virtual firewall, complete with its own
configuration. Each context acts as a unique virtual firewall that inspects and filters traffic traversing the
interfaces allocated to that context. Each context is “unaware” of other contexts defined on the same
security appliance.
As with a single-context, routed-mode device, interfaces on a multiple-context device connect to
router-based networks, subinterfaces connect to switch-based networks, and each subinterface must be
associated with an interface that routes allowed traffic correctly.
However, you cannot define IP addresses (the routed-mode portion of the configuration) or identify the
management interface until you have defined and deployed the contexts; conversely, you cannot define a
security context until you have defined the necessary interfaces and subinterfaces.
In other words, you must enable and configure the interfaces and subinterfaces on a device that will
provide multiple security contexts (in either routed or transparent mode) before you can define and
configure the security contexts themselves.
Refer to Chapter 57, “Configuring Security Contexts on Firewall Devices” for more information.
About Asymmetric Routing Groups
In some situations, return traffic for a session may be routed through a different interface than the one
from which it originated. Similarly, in failover configurations, return traffic for a connection that
originated on one unit may return through the peer unit. This most commonly occurs when two interfaces
on a single FWSM, or two FWSMs in a failover pair, are connected to different service providers and
the outbound connection does not use a NAT address. By default, the FWSM drops the return traffic
because there is no connection information for that traffic.
You can prevent return traffic from being dropped by assigning the VLAN interfaces on which this is likely
to occur to an asymmetric routing (ASR) group. When a member interface receives a packet for which
it has no session information, it checks the session information for other interfaces that are members of
the same group.
If a match is not found, the packet is dropped. If a match is found, one of the following actions occurs:
• If the incoming traffic originated on a different interface on the same FWSM, some or all of the
Layer 2 header is rewritten and the packet is re-injected into the stream.
• If the incoming traffic originated on a peer unit in a failover configuration, some or all of the
Layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues
as long as the session is active.
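The ASR-group lookup described above, modelled as a small Python simulation. This is an added example, not Cisco code and not a description of how the FWSM implements its session table internally: it pins each session to the interface that originated it, groups interfaces by a hypothetical asr_group number, and reproduces the three outcomes the text lists (drop when no group member has state, re-inject when the originating interface is on the same unit, redirect when it is on the failover peer). Interface names, unit names and the flow addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one direction of a connection."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """The matching return direction of this flow."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Interface:
    name: str
    unit: str                        # failover unit ("A" or "B") the interface lives on
    asr_group: Optional[int] = None  # None = not a member of any ASR group
    sessions: set = field(default_factory=set)  # outbound flows this interface has state for


class FailoverPair:
    """Hypothetical model of two FWSMs in a failover pair sharing ASR group membership."""

    def __init__(self, interfaces):
        self.ifaces = {(i.unit, i.name): i for i in interfaces}

    def open_session(self, unit: str, ifname: str, flow: Flow) -> None:
        """Record connection state for an outbound flow on the interface it left through."""
        self.ifaces[(unit, ifname)].sessions.add(flow)

    def handle_return(self, unit: str, ifname: str, flow: Flow) -> Tuple[str, Optional[str], Optional[str]]:
        """Decide what happens to a return packet arriving on (unit, ifname).

        Returns (action, owning_unit, owning_interface) where action is
        "forward", "reinject", "redirect" or "drop".
        """
        iface = self.ifaces[(unit, ifname)]
        original = flow.reverse()

        # Normal stateful case: the receiving interface already owns the session.
        if original in iface.sessions:
            return ("forward", unit, ifname)

        # Default FWSM behaviour: no session here and no ASR group -> drop.
        if iface.asr_group is None:
            return ("drop", None, None)

        # ASR group: consult the session state of the other members of the same group,
        # on this unit and on the peer unit.
        for other in self.ifaces.values():
            if other is iface or other.asr_group != iface.asr_group:
                continue
            if original in other.sessions:
                action = "reinject" if other.unit == unit else "redirect"
                return (action, other.unit, other.name)

        return ("drop", None, None)


def build_example() -> FailoverPair:
    """Constructed topology: inside plus two ISP-facing VLAN interfaces in ASR group 1, mirrored on both units."""
    return FailoverPair([
        Interface("inside", "A"),
        Interface("isp1", "A", asr_group=1),
        Interface("isp2", "A", asr_group=1),
        Interface("inside", "B"),
        Interface("isp1", "B", asr_group=1),
        Interface("isp2", "B", asr_group=1),
    ])


# Constructed outbound connection that left unit A via isp1 without NAT.
OUTBOUND = Flow("10.1.1.10", "198.51.100.7", "tcp", 40000, 443)


if __name__ == "__main__":
    pair = build_example()
    pair.open_session("A", "isp1", OUTBOUND)
    ret = OUTBOUND.reverse()
    for unit, ifname in [("A", "isp1"), ("A", "isp2"), ("B", "isp2"), ("A", "inside")]:
        print(unit, ifname, "->", pair.handle_return(unit, ifname, ret))
```

The "inside" interface is deliberately left out of the group: a return packet arriving there is still dropped, which is the behaviour you want, since ASR groups should contain only the interfaces on which asymmetric return paths are actually expected.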