ASA 5505 license woes

joe.favia
Level 1

Hi,

I'm trying to activate the DMZ interface on a restricted license ASA 5505 but I get an error when I try to ADD the interface. The message says "With the current license device will only supports 2 fully functional interfaces. Third interface can be added,but the traffic from this interface to another interface need to be blocked. Please make appropriate selection in advanced tab." I gather that I have to define the limitation myself? The problem is that I can't access the advanced tab because of the error. Can I do something via CLI to get through? I'm using ASA 8.2 and ASDM 6.2.

Thanks, Joe

Accepted Solutions

From the CLI, on the vlan interface config of the dmz interface, you need to add the following config:

interface Vlan3
 no forward interface vlan X

...where X is the number of the vlan that your DMZ will *NOT* be talking to.

4 Replies

netsec
Level 1

If you need more than 2 interfaces, you should go to the Sec-plus license.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1056883

Cheers

Yeah, I know. I'm trying to save the 450 euros...

Anyway, it's not totally true: the 5505 can use a DMZ but with restricted access. I don't know how to activate the third interface via ASDM, but then I got it up via the following CLI commands I found in a forum on the Internet:

interface vlan3
 no forward interface vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0

Automagically, when I accessed the ASDM, I found a new column in the Interfaces tab named "restrict traffic flow" (at least I believe it wasn't there before!). I can't send traffic from the DMZ to the internal network, but it's not essential for me. I'm happy now.

Cheers, Joe
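
An added example, not part of the original posts: a small Python check that reads an ASA running-config excerpt and reports which VLAN interfaces carry a `no forward interface` restriction and which flows that blocks, so the DMZ isolation described above can be confirmed after a change. The sample config is constructed (only the Vlan3 stanza mirrors the commands in the thread), the function names are hypothetical, and the "at most two unrestricted interfaces" rule is taken from the ASDM error message quoted in the question.

```python
import re

# Constructed sample config (not from the thread); only the Vlan3 stanza mirrors the post.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
"""

def parse_vlans(config):
    """Return {vlan_id: {'nameif': str or None, 'no_forward': [vlan_id, ...]}}."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface vlan\s*(\d+)\s*$", line, re.I)
        if m:
            current = vlans.setdefault(int(m.group(1)), {"nameif": None, "no_forward": []})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface stanza
        elif current is not None:
            body = line.strip()
            m = re.match(r"no forward interface vlan\s*(\d+)$", body, re.I)
            if m:
                current["no_forward"].append(int(m.group(1)))
            elif body.lower().startswith("nameif "):
                current["nameif"] = body.split()[1]
    return vlans

def blocked_flows(vlans):
    """(source nameif, destination nameif) pairs the source may not initiate."""
    name = lambda v: vlans.get(v, {}).get("nameif") or f"vlan{v}"
    return [(name(src), name(dst)) for src, d in sorted(vlans.items()) for dst in d["no_forward"]]

def fits_two_full_interfaces(vlans):
    """True if at most two named VLANs lack a forwarding restriction."""
    full = [v for v, d in vlans.items() if d["nameif"] and not d["no_forward"]]
    return len(full) <= 2
```

For the sample, `blocked_flows(parse_vlans(SAMPLE_CONFIG))` returns `[('dmz', 'inside')]`, matching the behaviour Joe reports below the commands.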

Thanks Joe. It helped me!!
