ASA 5505 with three separate networks

We are planning to put hosts on three separate inside networks (10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24), and connect them all to Internet through one firewall. All hosts need access to Internet, but none of the three separate LANs should be able to exchange traffic between each other.

We've got an ASA 5505 with the Sec Plus license, which we thought could handle this. The ASA model comparison on Cisco's web site says the Base license gives you 3 VLANs (not enough for us) but the Sec Plus license gives 20 VLANs.

ASA's port 0 is set to VLAN1, outside network. Port 1 for VLAN2, first inside network. Port 2 for VLAN3, second inside network. When trying to add port3 as VLAN4, it says: "With the current license device will only support 4 fully functional interfaces. Fourth interface can be added, but a backup interface needed to be set there."

Okay, we can get around that by setting a backup interface, but if we try to stretch this further and add one more interface, the ASA says: "With current license maximum number of named interfaces allowed is 4. Name cannot be set for this interface."

And if you don't set a name for the interface, you don't get to set access rules from the ASDM Security Policy configuration.

When looking at the ASA with ASDM, it says: "VLANs: 3, DMZ Unrestricted"

What happened to the support for 20 VLANs?

-- Pawn

pawn_daniels
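An added example (not from any poster in this thread) of the configuration the original question describes, written in ASA 7.2-era syntax and assuming the Security Plus license is active so that four named VLAN interfaces are permitted; the interface names, addresses and switch-port assignments are assumptions. The three inside interfaces share security level 100, and with `same-security-traffic permit inter-interface` left unset the ASA drops traffic between them by default; the explicit deny entries keep the LANs isolated even if that command is enabled later.

```cisco
! Outside on VLAN1 / Ethernet0/0, as in the original post (assumed DHCP upstream)
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
! Three isolated inside networks, one VLAN each; same security level on all three
interface Vlan2
 nameif lan1
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface Vlan3
 nameif lan2
 security-level 100
 ip address 10.0.2.1 255.255.255.0
interface Vlan4
 nameif lan3
 security-level 100
 ip address 10.0.3.1 255.255.255.0
! One switch port per VLAN (assumed mapping)
interface Ethernet0/0
 switchport access vlan 1
 no shutdown
interface Ethernet0/1
 switchport access vlan 2
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
interface Ethernet0/3
 switchport access vlan 4
 no shutdown
! Explicit isolation: deny the other two LANs first, then permit Internet-bound traffic
access-list lan1_in extended deny ip any 10.0.2.0 255.255.255.0
access-list lan1_in extended deny ip any 10.0.3.0 255.255.255.0
access-list lan1_in extended permit ip 10.0.1.0 255.255.255.0 any
access-list lan2_in extended deny ip any 10.0.1.0 255.255.255.0
access-list lan2_in extended deny ip any 10.0.3.0 255.255.255.0
access-list lan2_in extended permit ip 10.0.2.0 255.255.255.0 any
access-list lan3_in extended deny ip any 10.0.1.0 255.255.255.0
access-list lan3_in extended deny ip any 10.0.2.0 255.255.255.0
access-list lan3_in extended permit ip 10.0.3.0 255.255.255.0 any
access-group lan1_in in interface lan1
access-group lan2_in in interface lan2
access-group lan3_in in interface lan3
! Dynamic PAT of all three LANs to the outside address (pre-8.3 nat/global syntax)
global (outside) 1 interface
nat (lan1) 1 10.0.1.0 255.255.255.0
nat (lan2) 1 10.0.2.0 255.255.255.0
nat (lan3) 1 10.0.3.0 255.255.255.0
```

Because an access-group replaces the implicit higher-to-lower permit on that interface, the permit line is required; "show access-list" will show hit counts on the deny entries if a host attempts cross-LAN traffic.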

You clearly do NOT have Sec+, but only the Base Lic. You need to register your Sec Plus lic and get an activation key, unless you bought it as a Sec Plus device. In this case contact TAC or your reseller.

HTH Martin

Martin Bilgrav

Post a "show version". Sounds like you only have the base license.

Brian V

Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 mins 58 secs

Hardware: ASA5505, 256 MB RAM, CPU Pentium 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0 : address is 0019.0724.93ac, irq 11
 1: Ext: Ethernet0/0 : address is 0019.0724.93a4, irq 255
 2: Ext: Ethernet0/1 : address is 0019.0724.93a5, irq 255
 3: Ext: Ethernet0/2 : address is 0019.0724.93a6, irq 255
 4: Ext: Ethernet0/3 : address is 0019.0724.93a7, irq 255
 5: Ext: Ethernet0/4 : address is 0019.0724.93a8, irq 255
 6: Ext: Ethernet0/5 : address is 0019.0724.93a9, irq 255
 7: Ext: Ethernet0/6 : address is 0019.0724.93aa, irq 255
 8: Ext: Ethernet0/7 : address is 0019.0724.93ab, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not licensed : irq 255
11: Int: Not licensed : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 1

This platform has an ASA 5505 Security Plus license.

-- Pawn

pawn_daniels


Again - clearly there is something wrong - contact your reseller or Cisco TAC.

Mine shows:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : 50
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

So what you have is Dual ISP and Failover and a Base lic., funny that you have unlimited inside hosts ...

HTH Martin

Martin Bilgrav

Try a later version of the firmware, asa722-k8.bin (Cisco Adaptive Security Appliance Software version 7.2(2)). Read the Release Note prior to downloading this release.

Peter

Peter Simons

I upgraded the ASA firmware to 7.2(2) and ASDM to 5.2(2), and it did the trick.

Thank you!

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

-- Pawn

pawn_daniels

BTW: the docs say that the base lic offers 3 VLANs, the Plus lic has a "DMZ". What's special about this DMZ and what's the difference to a 3rd VLAN on the base version?

TIA

fw

Frank Winkler

Best guess is that it "does" support 3 interfaces, but one of them is non-routed. Basically a private DMZ. I got bit in the ass by this a couple weeks back; I tried to create a real DMZ on a base 5505, and when you type in the "nameif" it tells you that the device is not licensed for this type of interface. I called the partner helpline and they confirmed my thoughts, said we needed the plus license, but could not provide the documentation that supported that statement.

-Brian

Brian V

I see - thanks! So I'd really need the Plus license. Now I have to find the cheapest dealer for that thing.

Regards

fw

Frank Winkler

Quoting

"With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 5-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.

With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to accommodate multiple VLANs per port."

So it seems to be a routed VLAN, but only in one direction. As long as the DMZ is accessible from outside, that would be ok for me. Did I get it right that the (only) diffs are:

- unlimited users
- full DMZ (see above)
- more VLANs
- trunking on the switch ports
- stateless HA

?

If so, I maybe go for the base lic.

Regards

fw

Frank Winkler


By reading that doc, it sure sounds like you could. Wish I'd found that doc a few weeks ago; even the partner line couldn't provide it! That sure is one messed up kind of interface. I bet you could do VPN to bypass the home to business example. Gonna have to try that on the next base 5505 we sell.

Brian V
