45-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
Note In failover configurations, you must enable Stateful Failover for session information to be passed from
the standby unit or failover group to the active unit or failover group.
To assign an FWSM virtual interface to an asymmetric routing group, specify an ASR Group ID
in the Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+), page 45-27. If the group does not
exist, it is created and the interface is assigned to it.
You must repeat the assignment for each interface that will participate in this ASR group. You can create
up to 32 ASR groups and assign a maximum of eight interfaces to each group.
Note The upstream and downstream routers must use one MAC address per VLAN, and have different MAC
addresses for different VLANs, to allow the redirection of packets from a standby unit to an active unit
in failover configurations.
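The limits above (32 ASR groups, eight interfaces per group) can be checked against a deployed configuration. The following is an added example, not part of the Cisco guide: it assumes the ASR Group ID appears in the device configuration as an `asr-group <id>` line under each interface stanza, and the sample configuration and interface names are constructed.

```python
import re
from collections import defaultdict

MAX_GROUPS, MAX_MEMBERS = 32, 8  # limits stated on this page

# Constructed sample in ASA/FWSM CLI form; interface names are made up.
SAMPLE_CONFIG = """\
interface Vlan100
 asr-group 1
!
interface Vlan101
 asr-group 1
!
interface Vlan200
 nameif inside
!
interface Vlan300
 asr-group 2
"""

def asr_groups(config):
    """Map ASR group ID -> interfaces whose stanza sets that ID."""
    groups, current = defaultdict(list), None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the interface stanza
            continue
        m = re.match(r"\s+asr-group\s+(\d+)\s*$", line)
        if m and current:
            groups[int(m.group(1))].append(current)
    return dict(groups)

def audit(config):
    """Return findings for ASR assignments that break the page's limits."""
    groups, findings = asr_groups(config), []
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} ASR groups defined; limit is {MAX_GROUPS}")
    for gid, members in sorted(groups.items()):
        if len(members) > MAX_MEMBERS:
            findings.append(f"group {gid}: {len(members)} interfaces; limit is {MAX_MEMBERS}")
        if len(members) == 1:  # heuristic: assignment was probably not repeated
            findings.append(f"group {gid}: only {members[0]} assigned; repeat for each participating interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The single-member finding is a heuristic added here: a group with one interface usually means the assignment was not repeated for the other participating interfaces.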
Understanding ASA 5505 Ports and Interfaces
The ASA 5505 is unique in that it includes a built-in switch, and there are two kinds of ports and
interfaces that you need to configure:
• Physical switch ports – The ASA 5505 has eight Fast Ethernet switch ports that forward traffic at
  Layer 2, using the switching function in hardware. Two of these ports are power-over-Ethernet (PoE)
  ports. You can connect these ports directly to user equipment such as PCs, IP phones, or DSL
  modems. Or you can connect to another switch.
• Logical VLAN interfaces – In routed mode, these interfaces forward traffic between VLAN
  networks at Layer 3, using the configured security policy to apply firewall and VPN services. In
  transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer
  2, using the configured security policy to apply firewall services.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface.
Switch ports on the same VLAN can communicate with each other using hardware switching. But when
a switch port on one VLAN attempts to communicate with a switch port on another VLAN, the ASA
5505 applies the security policy to the traffic, and routes or bridges between the two VLANs.
Note Subinterfaces and redundant interfaces are not available on the ASA 5505.
Navigation Path
The Interfaces page displayed for ASA 5505 devices presents two tabbed panels: Hardware Ports and
Interfaces. To access these panels, select an ASA 5505 in Device View and then select Interfaces from
the Device Policy selector.
Configuring ASA 5505 Switch Ports and Interfaces
Refer to Configuring Hardware Ports on an ASA 5505, page 45-39 for information about configuring the
switch ports.
Refer to Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM), page 45-19 for information about
configuring the interfaces.
Related Topics
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14