
ASA 5505 Unable to assign ip to DMZ vlan interface

mahesh18

Hi all,

I have an ASA 5505 with the base license.

I created a 3rd VLAN on it. It was created.

But I am unable to assign an IP to it.

When I assign an IP address, it takes it.

But when I do sh int ip brief it does not show any IP.

ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  administratively down down
Ethernet0/4                unassigned      YES unset  administratively down down
Ethernet0/5                unassigned      YES unset  administratively down down
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up  *************************************************************
Virtual0                   127.0.0.1       YES unset  up                    up

ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# ip ad
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# end
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
4608 bytes copied in 1.630 secs (4608 bytes/sec)
[OK]

ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  administratively down down
Ethernet0/4                unassigned      YES unset  administratively down down
Ethernet0/5                unassigned      YES unset  administratively down down
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up
Virtual0                   127.0.0.1       YES unset  up                    up

ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 17 hours
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is 001d.a24d.ed0e, irq 11
1: Ext: Ethernet0/0         : address is 001d.a24d.ed06, irq 255
2: Ext: Ethernet0/1         : address is 001d.a24d.ed07, irq 255
3: Ext: Ethernet0/2         : address is 001d.a24d.ed08, irq 255
4: Ext: Ethernet0/3         : address is 001d.a24d.ed09, irq 255
5: Ext: Ethernet0/4         : address is 001d.a24d.ed0a, irq 255
6: Ext: Ethernet0/5         : address is 001d.a24d.ed0b, irq 255
7: Ext: Ethernet0/6         : address is 001d.a24d.ed0c, irq 255
8: Ext: Ethernet0/7         : address is 001d.a24d.ed0d, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
<--- More --->

Need to know: does this license support an IP on the 3rd VLAN?

Thanks

Mahesh


Julio Carvajal

Hello Mahesh,

Have you already assigned a nameif?

Have you already assigned a security level?

The Base license restriction is regarding the third VLAN just being able to initiate traffic to one other VLAN.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

When I do sh run int vlan 3 it shows:

no nameif
security level 50
ip address 192.168.12.2 255.255.255.0

But when I do sh int ip brief it does not show the IP on Vlan3?

Can you please tell me why this is?

Hello Mahesh,

That is because you are missing the nameif command; until you assign a nameif command the interface configuration will be complete so it will appear on the show interface ip brief.

As soon as you add nameif xxxxxxx, then it will appear.

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I tried to configure nameif, but here is the result:

ciscoasa# sh run int vlan 3
!
interface Vlan3
 description DMZ  to 3550 New Switch
 no nameif
 security-level 50
 ip address 192.168.12.2 255.255.255.0

ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# name
ciscoasa(config-if)# namei
ciscoasa(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

Hello Mahesh,

Correct, that is the restriction I was talking about before

Do the following

interface vlan 3
 no forward interface vlan 1

With the base license you will be able to initiate traffic from this DMZ to vlan 1 or 2, so choose one of them and use it on the previous command.

Regards,

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
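
A check for the two conditions seen in this thread, as an added example that is not part of the original posts or any Cisco tool: it parses the `interface VlanN` sections of a running-config and flags an IP address without `nameif`, and more than two named VLANs lacking `no forward interface` (the Base license error quoted above). The sample configs are constructed from the thread's addresses; the `inside`/`outside` names and the function names are assumptions.

```python
import re

def parse_vlans(config):
    """Map VLAN id -> {'nameif', 'ip', 'no_forward'} from 'interface VlanN' sections."""
    vlans, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.fullmatch(r"interface vlan\s*(\d+)", line, re.I)
        if m:
            cur = vlans.setdefault(int(m.group(1)),
                                   {"nameif": None, "ip": None, "no_forward": None})
        elif line == "!" or line.lower().startswith("interface "):
            cur = None                      # section ended, or a non-VLAN interface
        elif cur is not None:
            if m := re.fullmatch(r"nameif (\S+)", line, re.I):
                cur["nameif"] = m.group(1)  # "no nameif" does not match
            elif m := re.match(r"ip address (\S+)", line, re.I):
                cur["ip"] = m.group(1)
            elif m := re.fullmatch(r"no forward interface vlan\s*(\d+)", line, re.I):
                cur["no_forward"] = int(m.group(1))
    return vlans

def audit_base_license(config, limit=2):
    """Return findings for the two problems discussed in the thread."""
    vlans, findings = parse_vlans(config), []
    unrestricted = sorted(v for v, c in vlans.items()
                          if c["nameif"] and c["no_forward"] is None)
    if len(unrestricted) > limit:
        findings.append("license: %d named VLANs without 'no forward' (max %d): %s"
                        % (len(unrestricted), limit, unrestricted))
    for v, c in sorted(vlans.items()):
        if c["ip"] and not c["nameif"]:
            findings.append("Vlan%d: ip address %s configured but no nameif" % (v, c["ip"]))
    return findings

# Constructed samples: addresses are the thread's; nameif inside/outside are assumed.
BASE = """interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 192.168.11.2 255.255.255.0
!
"""
VLAN3 = "interface Vlan3\n%s security-level 50\n ip address 192.168.12.2 255.255.255.0\n!\n"
AS_POSTED = BASE + VLAN3 % " no nameif\n"                               # first symptom
REJECTED = BASE + VLAN3 % " nameif DMZ\n"                               # what the ASA refused
FIXED = BASE + VLAN3 % " no forward interface Vlan1\n nameif DMZ\n"     # accepted form
```

On the ASA, the VLAN named in `no forward interface vlan N` is the one this interface cannot initiate traffic to, so `no forward interface Vlan1` on the DMZ keeps DMZ hosts from opening connections to VLAN 1.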

Hi Julio,

It worked like a charm.

Regards

Mahesh

Hello Mahesh,

Great that I could help

Any other question.. You know where to find us..

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC