a. Define a physical interface:
FWSM: —
PIX 6.3: Firewall(config)# interface hardware-id [hardware-speed] [shutdown]
ASA: Firewall(config)# interface hardware-id
     Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}
     Firewall(config-if)# duplex {auto | full | half}
     Firewall(config-if)# [no] shutdown
The interface is referenced by its hardware-id. For example, this could be gb-ethernet1 in PIX 6.3 or GigabitEthernet1 on an ASA.
In PIX 6.3, the interface medium's speed and duplex mode are given by one of the following hardware-speed values:
1000full: Gigabit Ethernet autonegotiation, advertising full duplex
1000full nonegotiate: Gigabit Ethernet full duplex with no autonegotiation
1000auto: Gigabit Ethernet autonegotiation
100full: 100-Mbps full duplex
100basetx: 100-Mbps half duplex
10full: 10-Mbps full duplex
10baset: 10-Mbps half duplex
auto: Intel 10/100 autonegotiation
bnc: 10-Mbps half duplex with BNC
aui: 10-Mbps half duplex with AUI
Beginning with ASA 7.0, the interface speed and duplex are configured with separate interface configuration commands. By default, an interface uses autodetected speed and autonegotiated duplex mode.
Tip
By default, interfaces are administratively shut down. To enable an interface in PIX 6.3, use the interface configuration command without the shutdown keyword. For PIX 7.3, use the no shutdown interface configuration command.
To disable or administratively shut down an interface, add the shutdown keyword.
b. (Optional) Define a logical VLAN interface:
FWSM: Firewall(config)# interface vlan vlan_id
PIX 6.3: Firewall(config)# interface hardware_id vlan_id logical
ASA: Firewall(config)# interface hardware_id[.subinterface]
     Firewall(config-subif)# vlan vlan_id
Logical VLAN interfaces must be carried over a physical trunk interface, identified as hardware_id (gb-ethernet0 or GigabitEthernet0, for example). In PIX 6.3, the VLAN interface itself is identified by vlan_id, a name of the form vlanN (where N is the VLAN number, 1 to 4095). The logical keyword makes the VLAN interface a logical one.
On an ASA, a subinterface number is added to the physical interface name to create the logical interface. This is an arbitrary number that must be unique for each logical interface. The VLAN number is specified as vlan_id in a separate vlan subinterface configuration command.
Packets being sent out a logical VLAN interface are tagged with the VLAN number as they enter the physical trunk link. The VLAN number tag is stripped off at the far end of the trunk, and the packets are placed on the corresponding VLAN. The same process occurs when packets are sent toward the firewall on a VLAN.
The trunk encapsulation used is always IEEE 802.1Q, and the tagging encapsulation and unencapsulation are automatically handled at each end of the trunk. Make sure the far-end switch is configured to trunk unconditionally. For example, the following Catalyst IOS switch configuration commands could be used:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
By default, any packets that are sent out the firewall's physical interface itself are not tagged, and they appear to use the trunk's native VLAN. These packets are placed on the native VLAN number of the far-end switch port.
If you intend to use logical VLAN interfaces on a physical firewall interface that is trunking, you should never allow the trunk's native VLAN to be used. You can do this by configuring a VLAN number on the physical interface, too. After this is done, the firewall cannot send packets across the trunk untagged.
By default, Cisco switches use VLAN 1 as the native (untagged) VLAN on all trunk links. Be aware that the native VLAN can be set to any arbitrary VLAN number on a switch. Find out what native VLAN is being used, and choose a different VLAN number on the firewall's physical interface.
Also make sure that the switch is using something other than the native VLAN to send packets to and from the firewall. The idea is to use only VLANs that are defined specifically to pass data to and from the firewall while eliminating the possibility that an unexpected VLAN appears on the trunk. For example, you could use the following commands on a Catalyst switch to set a trunk's native VLAN to VLAN 7 and to allow only VLANs 100 through 105 to pass over the trunk to the firewall:
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk native vlan 7
Switch(config-if)# switchport trunk allowed vlan 100-105
Switch(config-if)# switchport mode trunk
You can use the following configuration command to force the firewall to tag packets on the physical firewall trunk interface, too:
FWSM: —
PIX 6.3: Firewall(config)# interface hardware_id vlan_id physical
ASA: —
Again, the VLAN is identified by vlan_id, a name of the form vlanN (where N is the VLAN number, 1 to 4095). The physical keyword makes the logical VLAN interface overlay with the physical interface so that any packets passing over the interface receive a VLAN ID tag.
After a VLAN has been assigned to the physical interface, the firewall drops any untagged packets that are received over the trunk interface's native VLAN.
This step is unnecessary on an ASA, because the physical interface is configured with the no nameif command by default, which forces all traffic to pass through one or more subinterfaces that are configured with a VLAN number, requiring a VLAN tag.
Tip
After a VLAN number has been assigned to a logical interface, it is possible to change the VLAN number. You can use this PIX 6.3 configuration command to change from the old VLAN name to a new one:
Firewall(config)# interface hardware_id change-vlan old-vlan-id new-vlan-id
2. (Optional) Name the interface:
FWSM: Firewall(config)# nameif vlan-id if_name securitylevel
PIX 6.3: Firewall(config)# nameif {hardware-id | vlan-id} if_name securitylevel
ASA: Firewall(config)# interface hardware_id[.subinterface]
     Firewall(config-if)# nameif if_name
     Firewall(config-if)# security-level level
Here, the physical interface is identified by its hardware-id (gb-ethernet0, for example) or vlan-id (vlan5, for example; the word vlan is always present). If multiple-security context mode is being used, the vlan-id or hardware-id could be an arbitrary name that has been mapped to the context by the allocate-interface command in the system execution space. The interface is given the arbitrary name if_name (1 to 48 characters) that other firewall commands can use to refer to it. By default, the "inside" and "outside" names are predefined to two interfaces. You can change those assignments, and you can use entirely different names if you want.
A security level is also assigned to the interface as securitylevel (where level is a number 0 to 100, from lowest to highest). PIX 7.3 is the exception, where the security level is given with the keyword security-level, followed by the level number (0 to 100). Security levels 0 and 100 are reserved for the "outside" and "inside" interfaces, respectively. Other perimeter interfaces should have levels between 1 and 99.
For example, the outside interface could be configured as follows:
FWSM: Firewall(config)# nameif vlan10 outside security0
PIX 6.3: Firewall(config)# nameif gb-ethernet0 outside security0
ASA: Firewall(config)# interface gigabitethernet0
     Firewall(config-if)# nameif outside
     Firewall(config-if)# security-level 0
Note
Security levels are used only to determine how the firewall inspects and handles traffic. For example, traffic passing from a higher-security interface toward a lower one is assumed to be going toward a less-secure area. Therefore, it is forwarded with less-stringent policies than traffic coming in toward a higher-security area.
In addition, firewall interfaces must have different security levels. The only exceptions are with ASA and FWSM 2.2+, which allow interfaces to have the same security level only if the same-security-traffic permit inter-interface global configuration command has been used. In that case, traffic is forwarded according to policies set by access lists, with no regard to higher or lower security levels.
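The trunk rules above (keep the physical trunk port unnamed so nothing rides the native VLAN untagged, keep subinterface VLANs off the switch's native VLAN and inside its allowed list) and the security-level rules (0 and 100 reserved for outside/inside, no shared levels without same-security-traffic permit inter-interface) can be checked offline against a saved ASA configuration. The following Python is an added example, not from the book or from Cisco; the SAMPLE_CONFIG fragment is constructed, and the switch-side native and allowed VLANs are passed in as assumptions.

```python
# Constructed ASA fragment (not from the original text); the switch-side
# native and allowed VLANs are passed to audit() as assumptions.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface GigabitEthernet0/1
 no nameif
interface GigabitEthernet0/1.100
 vlan 100
 nameif outside
 security-level 0
interface GigabitEthernet0/1.101
 vlan 7
 nameif dmz
 security-level 50
"""
RESERVED = {"outside": "0", "inside": "100"}  # levels the chapter reserves

def parse_interfaces(config):
    """Return ({interface: {keyword: argument}}, same_security_flag)."""
    ifaces, cur, same_sec = {}, None, False
    for line in config.splitlines():
        if line.startswith("same-security-traffic permit inter-interface"):
            same_sec = True
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            ifaces[cur][key] = val  # "no nameif" lands as key "no"
    return ifaces, same_sec

def audit(config, native_vlan, allowed_vlans):
    """List violations of the trunk-VLAN and security-level rules."""
    ifaces, same_sec = parse_interfaces(config)
    findings, by_level = [], {}
    for name, attrs in ifaces.items():
        if "." not in name:  # the physical trunk port itself
            if "nameif" in attrs:  # named => untagged native-VLAN frames accepted
                findings.append(f"{name}: physical trunk port must stay 'no nameif'")
            continue
        vlan, level, ifname = int(attrs.get("vlan", "0")), attrs.get("security-level"), attrs.get("nameif", name)
        if vlan == native_vlan or vlan not in allowed_vlans:
            findings.append(f"{name}: VLAN {vlan} is the native VLAN or is not allowed on the trunk")
        if RESERVED.get(ifname, level) != level or (level in RESERVED.values() and ifname not in RESERVED):
            findings.append(f"{name}: level {level} clashes with reserved outside=0/inside=100")
        by_level.setdefault(level, []).append(ifname)
    for level, names in by_level.items():
        if len(names) > 1 and not same_sec:
            findings.append(f"level {level} shared by {names} without same-security-traffic permit inter-interface")
    return findings
```

Run `audit(SAMPLE_CONFIG, native_vlan=7, allowed_vlans=range(100, 106))` against the switch trunk shown earlier (native VLAN 7, allowed 100-105): the dmz subinterface on VLAN 7 is the one finding.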