nameif [name]
Assigns a name to an interface for identification and security policy referencing.
Overview
The 'nameif' command is fundamental to Cisco ASA interface configuration. It assigns a logical name to a physical or subinterface, enabling the ASA to reference that interface in security policies, NAT rules, and routing. The name becomes the identifier for the interface throughout the configuration. Without a nameif, an interface cannot be used for traffic forwarding. The command also sets a default security level: the first interface named gets level 0, the second gets level 100, and subsequent ones get 0. Security levels control traffic flow between interfaces (higher to lower by default). This command is typically the first step after entering interface configuration mode. It is used in initial setup, when adding new interfaces, or when re-purposing an interface. In troubleshooting, verifying nameif assignments helps ensure interfaces are correctly identified and security levels are appropriate.
nameif nameWhen to Use This Command
- Assigning a name to a physical interface for traffic classification.
- Naming a VLAN interface to match a specific security zone.
- Renaming an interface to reflect its role (e.g., INSIDE, OUTSIDE).
- Configuring a management-only interface with a logical name.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | name | A case-insensitive alphanumeric string (up to 48 characters) that uniquely identifies the interface. Common names include 'inside', 'outside', 'dmz', 'management'. The name cannot contain spaces or special characters. |
Command Examples
Assigning name to GigabitEthernet0/0
interface gigabitethernet0/0
nameif outsideINFO: Security level for "outside" set to 0 by default.
The interface is named 'outside' and automatically assigned security level 0.
Assigning name to a subinterface
interface gigabitethernet0/1.100
nameif dmzINFO: Security level for "dmz" set to 0 by default.
Subinterface is named 'dmz' with default security level 0.
Understanding the Output
The 'nameif' command itself does not produce a table output; it only returns an informational message. The message indicates the name assigned and the default security level (0 for outside, 100 for inside if not specified). To verify, use 'show nameif' which lists all interfaces with their names, security levels, and IP addresses. A healthy configuration shows each interface with a meaningful name and appropriate security level. Problematic values include duplicate names (not allowed) or missing names on interfaces that should be named.
Configuration Scenarios
Basic Inside/Outside Setup
A typical home office ASA with two interfaces: one for internal LAN, one for internet.
Topology
[Internet] --- (G0/0) ASA (G0/1) --- [Internal LAN]Steps
- 1.Enter global configuration mode.
- 2.Enter interface configuration for G0/0.
- 3.Assign nameif outside.
- 4.Enter interface configuration for G0/1.
- 5.Assign nameif inside.
interface gigabitethernet0/0 nameif outside security-level 0 ip address dhcp ! interface gigabitethernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 !
Verify: Use 'show nameif' to confirm names and security levels.
Watch out: If you name the inside interface first, it gets security level 0, which is not desired. Always name outside first or manually set security-level.
Troubleshooting with This Command
When troubleshooting connectivity issues, the first step is to verify that all interfaces have proper nameif assignments. Use 'show nameif' to list all named interfaces. If an interface is missing, traffic cannot pass through it. Also check that security levels are correct: traffic from higher to lower security is allowed by default, but not the reverse. If you see unexpected traffic drops, verify that the nameif matches the intended security zone. Another common issue is duplicate names – the ASA will reject the configuration. If you need to rename an interface, you must first remove all configuration referencing the old name (e.g., IP address, ACLs). Use 'clear configure interface' to reset an interface completely. In multi-context mode, nameif is configured per context.
CCNA Exam Tips
Remember that 'nameif' is required before assigning an IP address to an interface.
Security levels are automatically set: 0 for first nameif, 100 for second, unless manually changed.
On ASA, you cannot delete a nameif without removing all associated configuration (e.g., IP address, ACLs).
Common Mistakes
Forgetting to assign a nameif before configuring an IP address – results in error.
Using the same name on multiple interfaces – ASA rejects duplicate names.
Not setting security level explicitly when needed – default may not match security policy.
Platform Notes
On Cisco ASA, the 'nameif' command is mandatory before assigning an IP address. This differs from Cisco IOS where interfaces are named by default (e.g., FastEthernet0/0). On ASA, you must explicitly name each interface. The command is similar on Cisco FTD (Firepower Threat Defense) but configured via FMC or CLI. In ASA version 9.x and later, the behavior is consistent. There is no direct equivalent on IOS routers; instead, you use 'ip address' on the interface directly. The 'nameif' command is unique to ASA and FTD platforms.
Related Commands
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions