ASA-5505 VLAN Licensing Question

Unanswered Question
Jan 22nd, 2009

I have a new ASA-5505 Bun-K9 license. Does this allow 3 vlan's unrestricted traffic flow or do I need a Secure License to obtain full functionallity on all 3 vlan's?

Best Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Thu, 01/22/2009 - 19:35

Jose

I do not have access to a 5505 right now to check it. But my memory is that the standard license on the 5505 puts some restriction on the use the the third VLAN. To get unrestricted functionality on all 3 VLANs I believe that you need the upgraded license.

HTH

Rick

vbdotnetman Fri, 01/23/2009 - 03:20

Thanks Rick, I did some late reading last night and found that the 5505 can configure all 3 vlans but the DMZ cannot initiate any connection. The initiation must come from either the inside or outside vlan's........

Any idea on how to do port forwarding with this thing?

Best Regards

Richard Burts Sat, 01/24/2009 - 16:40

Jose

Your finding is consistent with what I remembered. I recently configured port forwarding on an ASA5505. I configured it basically as:

static (inside,outside) tcp interface

which establishes a static translation (port forwarding) from the port# on the outside interface to port# on the inside interface. The thing that surprised me about this is that it worked when I specified the keyword "interface" but not when I specified the address of the interface.

HTH

Rick

vbdotnetman Sat, 01/24/2009 - 17:08

Rick

That's interesting I'm going to have to do some reading on the interface parameter for the static command. I' let you know what I find?

Regards

vbdotnetman Sat, 01/24/2009 - 18:51

Here's what I found out:

Uses the interface IP address as the mapped address. Use this keyword if you want

to use the interface address, but the address is dynamically assigned using DHCP.

Maybe the address lease had expired?

vbdotnetman Sat, 01/24/2009 - 18:54

I for got to add this note:

Note You must use the interface keyword instead of specifying the actual IP

address when you want to include the IP address of an interface in a static

PAT entry.

Richard Burts Sun, 01/25/2009 - 17:39

Jose

This note explains the behavior that I described in my response. If you do port forwarding where some packet is sent to the outside interface on some port number and you want to forward it to some host inside on some port number then you use the static command to set up a static PAT and you need to use the keywork interface instead of specifying the ip address of the interface.

HTH

Rick

Actions

This Discussion