07-25-2012 10:04 PM - edited 03-11-2019 04:34 PM
Hi, I have an issue. My Active/Standby ASA5505 has a Sec+ license (trial); however, I can't create more than 3 nameif interfaces.
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 17 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 17 days
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 14 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled 17 days
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 34 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 34 days
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 14 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled 34 days
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Please answer me, why?
When I try to create a new interface vlan with nameif:
ciscoasa(config-if)# nameif outside2
ERROR: Maximum number of interfaces already configured.
ciscoasa# sh int ip brie
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset administratively down up
Ethernet0/4 unassigned YES unset administratively down up
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 10.119.0.1 YES CONFIG up up
Vlan2 95.x.x.53 YES CONFIG up up
Vlan32 172.22.0.29 YES unset up up
Vlan42 80.x.x.188 YES CONFIG down down
Vlan52 unassigned YES CONFIG down down
Vlan53 unassigned YES unset down down
Virtual0 127.0.0.1 YES unset up up
ciscoasa# sh switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/3, Et0/4, Et0/5
Et0/6, Et0/7
2 outside up Et0/2
32 folink up Et0/0
42 outside1 down
52 - down
53 - down
ciscoasa#
07-25-2012 11:03 PM
This is the reason.
07-26-2012 01:25 AM
But I have a failover cluster consisting of two ASAs, and for them
VLANs : 20 DMZ Unrestricted
In the discussion I pasted sh ver from the active ASA only.
07-25-2012 11:32 PM
Hi Krasno,
As per your license restriction, you can have one inside, one outside and one failover interface on one ASA, and on the other ASA you can create 20 nameifs, if I am not wrong. Check for some other trial license to match 20 VLANs like the other ASA and use it if required.
Please do rate for the helpful posts.
By
Karthik
07-26-2012 01:28 AM
In the discussion I pasted sh ver from the active ASA only.
Here it is from the standby:
failover cluster up 3 hours 21 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 442b.037a.0cdd, irq 11
1: Ext: Ethernet0/0 : address is 442b.037a.0cd5, irq 255
2: Ext: Ethernet0/1 : address is 442b.037a.0cd6, irq 255
3: Ext: Ethernet0/2 : address is 442b.037a.0cd7, irq 255
4: Ext: Ethernet0/3 : address is 442b.037a.0cd8, irq 255
5: Ext: Ethernet0/4 : address is 442b.037a.0cd9, irq 255
6: Ext: Ethernet0/5 : address is 442b.037a.0cda, irq 255
7: Ext: Ethernet0/6 : address is 442b.037a.0cdb, irq 255
8: Ext: Ethernet0/7 : address is 442b.037a.0cdc, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 18 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 18 days
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 14 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled 18 days
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 34 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 34 days
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 14 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled 34 days
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
07-26-2012 09:55 AM
Hi Bro
Something is not right with your outputs. If your Cisco ASA 5505 has a Security Plus license, you should have 20 VLANs enabled, and NOT 3. Where did you get these trial licenses from? This is because Cisco doesn't give trial licenses for the Security Plus license.
The basic license allows only 3 active VLANs, which you can use as Inside, Outside and DMZ. However, there is a restriction here that many people do not know about: the DMZ VLAN can access ONLY the Outside VLAN but cannot access the Inside VLAN. The other two VLANs (Inside and Outside) can access all the other VLANs with no problems.
-->>> VLANs : 3 DMZ Unrestricted
The Security Plus license removes all limitations and allows up to 20 active VLANs to be configured. Since there are only 8 physical ports, you can create several VLAN subinterfaces on each physical port to segment your network into different security zones (e.g. Inside, Outside, DMZ1, DMZ2, Sales, Engineering, etc.).
-->>> VLANs : 20 DMZ Unrestricted
The ASA5505 can only perform Active/Standby failover and not Active/Active. In fact, the ASA5505 doesn’t support Stateful Failover (meaning all active connections will be lost after a failover event).
P/S: If you think this comment is useful, please do rate them nicely :-)
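The two license tables pasted in this thread can be compared mechanically. The following is an added example, not code from any poster or from Cisco: it parses the "Licensed features" and "Failover cluster licensed features" blocks of `show version` text and reports where the unit and cluster values differ and which features carry a day counter. The function names are hypothetical and the sample is constructed, abridged from the output format shown above.

```python
import re

# Constructed sample, abridged from the `show version` layout quoted in this thread.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Failover : Active/Standby 17 days
VPN-3DES-AES : Enabled 17 days
AnyConnect Premium Peers : 2 perpetual
This platform has an ASA 5505 Security Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Failover : Active/Standby 34 days
VPN-3DES-AES : Enabled 34 days
AnyConnect Premium Peers : 4 perpetual
This platform has an ASA 5505 Security Plus license.
"""

HEADERS = {
    "Licensed features for this platform:": "unit",
    "Failover cluster licensed features for this platform:": "cluster",
}

def parse_license_blocks(text):
    """Map block -> feature -> (value, qualifier) from `show version` text."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            current = blocks.setdefault(HEADERS[line], {})
        elif line.startswith("This platform has"):
            current = None  # end of a feature table
        elif current is not None and ":" in line:
            name, rest = (p.strip() for p in line.split(":", 1))
            value, _, qualifier = rest.partition(" ")
            current[name] = (value, qualifier.strip())
    return blocks

def compare_blocks(blocks):
    """Return (mismatches, time_based) across the unit and cluster tables."""
    unit, cluster = blocks.get("unit", {}), blocks.get("cluster", {})
    mismatches = {f: (unit[f][0], cluster[f][0])
                  for f in unit if f in cluster and unit[f][0] != cluster[f][0]}
    time_based = {}
    for label, feats in (("unit", unit), ("cluster", cluster)):
        for feat, (_, qual) in feats.items():
            m = re.fullmatch(r"(\d+) days", qual)
            if m:  # feature has a day counter instead of "perpetual"
                time_based.setdefault(feat, {})[label] = int(m.group(1))
    return mismatches, time_based
```

On the sample, `compare_blocks(parse_license_blocks(SAMPLE))` flags the VLANs row (3 on the unit, 20 on the cluster) and lists Failover and VPN-3DES-AES as time-based.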