45-43
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
ASA generates a default prefix. This prefix is converted to a 4-digit hexadecimal number. The prefix
ensures that each ASA uses unique MAC addresses (using different prefix values), so you can have
multiple ASAs on a network segment, for example.
• Traffic between interfaces with same security levels – This parameter controls communication between interfaces and subinterfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Refer to Enabling Traffic between Interfaces with the Same Security Level, page 45-43 for more information.
• PPPoE Users button – Click this button to open the PPPoE Users dialog box, where you can add, edit and delete PPPoE users, as described in Managing the PPPoE Users List, page 45-44. This option is available only for ASA and PIX 7.0+ devices.
• VPDN Groups (PIX and ASA 7.2+) – This table lists currently defined VPDN Groups. The buttons below the table are used to add, edit and delete VPDN group entries, as described in Managing VPDN Groups, page 45-45.
• LACP System Priority (ASA 8.4.1+) – All systems participating in EtherChannel link aggregation require a Link Aggregation Control Protocol (LACP) System Priority. The value can be 1 to 65535, with the higher number signifying lower priority. The default is 32768.
  This value is combined with the system MAC address to form the system’s LACP identifier, and thus is applicable only for EtherChannel interfaces. See Configuring EtherChannels, page 45-8, for more information.
  Note Additional LACP parameters are available in the Edit Interface dialog box for individual interfaces assigned to an EtherChannel; see Editing LACP Parameters for an Interface Assigned to an EtherChannel, page 45-11, for more information.
Navigation Path
You can open the Advanced Interface Settings dialog box by clicking the Advanced button at the bottom
of the Interfaces page (for non-5505 ASAs, PIX 7.0+ devices, and FWSMs), or at the bottom of the
Interfaces tab on the ASA 5505 Ports and Interfaces page.
Related Topics
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14
Enabling Traffic between Interfaces with the Same Security Level
The Advanced Interface Settings dialog box (see Advanced Interface Settings (PIX/ASA/FWSM), page 45-42) presented for a single-context security device includes the “Traffic between interfaces with the same security level” drop-down list, as described in this section.
By default, interfaces or subinterfaces on the same security level cannot communicate with each other.
Allowing communication between same-security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).
• You can allow traffic to flow freely between all same-security interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same-security-level interfaces.
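Because enabling this option lets same-level interfaces exchange traffic without access lists, it is worth reviewing which interfaces share a level before turning it on. The following audit is an added example, not part of the Cisco guide: it assumes the device configuration is available as ASA CLI running-config text containing nameif, security-level and same-security-traffic permit inter-interface lines; the sample configuration is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA running-config excerpt (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz-web
 security-level 50
!
interface GigabitEthernet0/3
 nameif dmz-db
 security-level 50
!
same-security-traffic permit inter-interface
"""

def audit_same_security(config):
    """Return (inter_interface_enabled, {level: [nameif, ...]}) for shared levels."""
    levels = defaultdict(list)
    name = None
    enabled = False
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new interface block, no nameif seen yet
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and name:
            levels[int(m.group(1))].append(name)
        elif line.strip() == "same-security-traffic permit inter-interface":
            enabled = True
    shared = {lvl: names for lvl, names in levels.items() if len(names) > 1}
    return enabled, shared

def findings(config):
    """List interface groups that exchange traffic without access lists."""
    enabled, shared = audit_same_security(config)
    if not enabled:
        return []                            # default: same-level interfaces are isolated
    return [f"level {lvl}: {', '.join(names)} reachable without ACL"
            for lvl, names in sorted(shared.items())]
```

Each finding names a group of interfaces whose mutual traffic no longer depends on an access list, so the grouping should match an intended trust boundary.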