ip address [ip] [mask]

Assigns an IP address and subnet mask to an interface on a Cisco ASA firewall.

Overview

The 'ip address' command on the Cisco ASA firewall assigns an IPv4 address and subnet mask to a physical or logical interface. This command is fundamental for network connectivity, as it defines the Layer 3 identity of the interface. The ASA operates as a security appliance, and each interface must be configured with an IP address to participate in routing and to apply security policies. The command syntax includes an optional 'standby' parameter for failover configurations, where a standby IP address is assigned to the standby unit in an active/standby failover pair. This ensures seamless IP address takeover during failover events. The command is executed in interface configuration mode, which is entered via the 'interface' command. Note that the ASA does not support secondary IP addresses (as Cisco IOS does); instead, it uses the 'standby' keyword for failover. The 'ip address' command is typically used during initial setup or when re-addressing interfaces. In troubleshooting workflows, verifying the IP address is a first step in diagnosing connectivity issues. The command itself does not produce output; verification is done via 'show interface' or 'show ip address'. Understanding this command is crucial for CCNP Security candidates, as it appears in scenarios involving interface configuration, routing, and high availability.

Syntax (Interface Config)

ip address ip_address netmask [standby ip_address]

When to Use This Command

  • Configuring the inside interface with a private IP address for internal network connectivity.
  • Assigning a public IP address to the outside interface for internet access.
  • Setting up a standby IP address for failover using the standby option.
  • Configuring a management interface with a dedicated IP for out-of-band management.

Parameters

| Parameter | Syntax | Description |
|---|---|---|
| ip_address | A.B.C.D | The IPv4 address to assign to the interface. Must be a valid unicast address not already in use on the network. |
| netmask | A.B.C.D | The subnet mask for the IP address, typically in dotted decimal format (e.g., 255.255.255.0). Defines the network portion of the address. |
| standby ip_address | standby A.B.C.D | Optional. Specifies the standby IP address used in active/standby failover. This IP is taken over by the standby unit when it becomes active. |

Command Examples

Assign IP to Inside Interface

ip address 192.168.1.1 255.255.255.0

Assigns IP 192.168.1.1/24 to the interface. No output is shown if successful.

Assign IP with Standby for Failover

ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2

Assigns primary IP 10.0.0.1/24 and standby IP 10.0.0.2 for failover. No output if successful.

Understanding the Output

The 'ip address' command does not produce output upon successful configuration. To verify the assigned IP address, use 'show interface' or 'show ip address' commands. In 'show interface' output, look for the line 'IP address 192.168.1.1, subnet mask 255.255.255.0'. A healthy interface will show the correct IP and mask, and the line protocol should be up. If the IP is missing or incorrect, the interface may not function properly. In failover configurations, the standby IP appears in the output of 'show ip address' or 'show running-config interface'.

Configuration Scenarios

Basic Inside Interface Configuration

Configuring the inside interface for a private network 192.168.1.0/24.

Topology

[Inside Network] --- [ASA Inside Interface] --- [ASA]

Steps

  1. Enter global configuration mode.
  2. Enter interface configuration mode for the inside interface (e.g., interface gigabitethernet0/1).
  3. Assign a nameif (e.g., nameif inside).
  4. Assign the IP address using the ip address command.
  5. Activate the interface with 'no shutdown'.

Configuration

! 
interface gigabitethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!

Verify: Use 'show interface gigabitethernet0/1' to verify the IP address and interface status.

Watch out: Ensure the interface has a nameif configured before assigning an IP; otherwise, the command may be rejected.

Failover IP Configuration

Configuring the outside interface with failover IPs for high availability.

Topology

[Internet] --- [ASA Primary] --- [ASA Standby]

Steps

  1. Configure failover on both units.
  2. Enter interface configuration mode for the outside interface.
  3. Assign the primary IP and standby IP using the ip address command with the standby keyword.
  4. Ensure the standby IP is on the same subnet and not used elsewhere.

Configuration

! 
interface gigabitethernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
!

Verify: On the active unit, 'show ip address' displays the primary IP; on the standby, it shows the standby IP.

Watch out: The standby IP must be different from the primary IP and must be on the same subnet. Also, failover must be enabled globally.
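
An added example (not part of the original page and not Cisco tooling): a Python audit that applies the rules from the two scenarios above to a constructed 'show running-config interface' style excerpt. It flags an 'ip address' line with no preceding nameif, an invalid mask, a standby address that equals the primary or falls outside its subnet, and subnets that overlap between interfaces. The function name, sample config and finding strings are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of 'show running-config interface' (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.2.2
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.0.255
interface GigabitEthernet0/3
 nameif dmz
 ip address 203.0.113.129 255.255.255.128 standby 203.0.113.129
"""
IP_LINE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_interfaces(config):
    """Return (interface, finding) tuples for every suspect 'ip address' line."""
    findings, seen, name, has_nameif = [], [], None, False
    for line in config.splitlines():
        if line.startswith("interface "):
            name, has_nameif = line.split(None, 1)[1], False
        elif line.startswith(" nameif "):
            has_nameif = True
        m = IP_LINE.match(line)
        if not m:
            continue
        ip, mask, standby = m.groups()
        if not has_nameif:
            findings.append((name, "ip address without nameif"))
        try:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            sb = ipaddress.ip_address(standby) if standby else None
            if str(iface.netmask) != mask:  # wildcard-style mask parsed as a netmask
                raise ValueError(mask)
        except ValueError:
            findings.append((name, f"invalid address or mask: {ip} {mask}"))
            continue
        if sb == iface.ip:
            findings.append((name, "standby equals primary"))
        elif sb is not None and sb not in iface.network:
            findings.append((name, f"standby {standby} outside {iface.network}"))
        findings += [(name, f"{iface.network} overlaps {n}")
                     for n, net in seen if iface.network.overlaps(net)]
        seen.append((name, iface.network))
    return findings
```

Calling audit_interfaces(SAMPLE_CONFIG) returns five findings across GigabitEthernet0/1 to 0/3; the correctly configured outside interface produces none.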

Troubleshooting with This Command

When troubleshooting IP address issues on a Cisco ASA, the 'ip address' command itself is not used for troubleshooting; instead, verification commands are used. Start with 'show interface' to confirm the IP address and subnet mask are correctly applied. Look for the line 'IP address x.x.x.x, subnet mask y.y.y.y'. If the IP is missing or incorrect, re-enter the command. Check that the interface is not administratively down ('show interface' shows 'administratively down' if shutdown). Use 'ping' from the ASA to test connectivity to the gateway or other hosts. If the ping fails, verify the IP address and mask, and ensure there are no ACLs blocking traffic. For failover issues, use 'show ip address' to see both primary and standby IPs. If the standby IP is not showing, the failover configuration may be incomplete. Also, check that the interface is part of the same security zone or has proper routing. In multi-context mode, ensure you are in the correct context. Common issues include duplicate IP addresses, incorrect subnet masks, or mismatched VLAN assignments. Use 'show running-config interface' to view the current configuration. If the IP address is correct but connectivity fails, check the default gateway and routing table with 'show route'. Remember that ASA interfaces are Layer 3 by default; if bridging is needed, use a transparent firewall mode.

CCNA Exam Tips

  1. Remember that the 'standby' keyword is used for failover IP assignment, not for HSRP.
  2. On ASA, the 'ip address' command is entered in interface configuration mode, not global config.
  3. Be aware that changing the IP address on an active interface may disrupt connectivity; plan maintenance windows.

Common Mistakes

Forgetting to enter interface configuration mode before using the command.

Using the wrong subnet mask, leading to routing issues.

Omitting the 'standby' keyword when configuring failover, causing failover to fail.

Platform Notes

On Cisco ASA, the 'ip address' command differs from Cisco IOS in several ways. ASA does not support secondary IP addresses; instead, it uses the 'standby' keyword for failover. In IOS, you can add multiple IP addresses using 'ip address' with the 'secondary' keyword. ASA also requires a 'nameif' to be configured before assigning an IP address, whereas IOS does not. The ASA command is entered in interface configuration mode, similar to IOS. For transparent firewall mode, interfaces are not assigned IP addresses; instead, the management IP is set globally. In ASA version 9.x and later, the command syntax remains the same. Equivalent commands on other platforms: on Juniper SRX, use 'set interfaces ge-0/0/0 unit 0 family inet address x.x.x.x/24'; on Palo Alto, use 'set network interface ethernet1/1 ip x.x.x.x/24'. The ASA also supports IPv6 with the 'ipv6 address' command. For management interfaces, the 'management-only' command may be used in conjunction. Understanding these differences is important for multi-vendor environments and certification exams.
