ASA-5505 VLAN Licensing Question

Jan 22nd, 2009

I have a new ASA-5505 Bun-K9 license. Does this allow 3 VLANs unrestricted traffic flow, or do I need a Secure License to obtain full functionality on all 3 VLANs?


Best Regards

Richard Burts Thu, 01/22/2009 - 19:35

Jose


I do not have access to a 5505 right now to check it. But my memory is that the standard license on the 5505 puts some restriction on the use of the third VLAN. To get unrestricted functionality on all 3 VLANs I believe that you need the upgraded license.


HTH


Rick

vbdotnetman Fri, 01/23/2009 - 03:20

Thanks Rick. I did some late reading last night and found that the 5505 can configure all 3 VLANs but the DMZ cannot initiate any connection. The initiation must come from either the inside or outside VLANs.


Any idea on how to do port forwarding with this thing?


Best Regards

Richard Burts Sat, 01/24/2009 - 16:40

Jose


Your finding is consistent with what I remembered. I recently configured port forwarding on an ASA5505. I configured it basically as:

static (inside,outside) tcp interface

which establishes a static translation (port forwarding) from the port# on the outside interface to port# on the inside interface. The thing that surprised me about this is that it worked when I specified the keyword "interface" but not when I specified the address of the interface.


HTH


Rick

vbdotnetman Sat, 01/24/2009 - 17:08

Rick


That's interesting. I'm going to have to do some reading on the interface parameter for the static command. I'll let you know what I find.


Regards

vbdotnetman Sat, 01/24/2009 - 18:51

Here's what I found out:


Uses the interface IP address as the mapped address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.


Maybe the address lease had expired?

vbdotnetman Sat, 01/24/2009 - 18:54

I forgot to add this note:


Note: You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of an interface in a static PAT entry.

Richard Burts Sun, 01/25/2009 - 17:39

Jose


This note explains the behavior that I described in my response. If you do port forwarding where some packet is sent to the outside interface on some port number and you want to forward it to some host inside on some port number, then you use the static command to set up a static PAT and you need to use the keyword interface instead of specifying the IP address of the interface.


HTH


Rick
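
The static PAT discussed in this thread, written out as an added example that is not from any of the posters. It assumes the pre-8.3 ASA `static` syntax the thread uses; the inside host 192.168.1.10, the ports 8080 and 80, the placeholder address 203.0.113.2 and the ACL name OUTSIDE_IN are all constructed for illustration.

```cisco
! Added example with constructed values; pre-8.3 ASA syntax assumed.
! Assumptions: inside host 192.168.1.10 serves TCP/80 and is published
! on outside port 8080; the ACL name OUTSIDE_IN is hypothetical.

! Form the documentation note rules out for static PAT: the outside
! interface's own address typed literally as the mapped address
! (203.0.113.2 is a placeholder for that address).
!   static (inside,outside) tcp 203.0.113.2 8080 192.168.1.10 80 netmask 255.255.255.255

! Form that works: the "interface" keyword as the mapped address.
! It also keeps working when the outside address is assigned by DHCP.
static (inside,outside) tcp interface 8080 192.168.1.10 80 netmask 255.255.255.255

! The translation alone does not admit traffic. Permit only the
! forwarded port inbound; all other inbound traffic stays blocked by
! the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 8080
access-group OUTSIDE_IN in interface outside

! Verification (run from privileged EXEC, not configuration mode)
show running-config static
show xlate
show access-list OUTSIDE_IN
```

Keeping the inbound ACL to the single published port means the hit counter in `show access-list` reflects only forwarded connections, which makes unexpected exposure easy to spot.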
