10-02-2010 11:43 AM - edited 03-11-2019 11:49 AM
for the purpose of redundancy, in case the primary ISP goes down the backup kicks in.
Can this be done with the basic license (max 3 VLANs) or do you need to have the Security Plus license (20 VLANs)?
Currently not using the 3rd VLAN (DMZ).
Labels: NGFW Firewalls
Accepted Solutions
10-02-2010 03:29 PM
You would need the security plus license.

10-02-2010 03:51 PM
With the base license you do get 3 zones (2 regular zones and 1 restricted zone). But with the restricted zone you can only talk to one VLAN, either inside or outside. For redundancy to work when one ISP goes down you would want the 3rd zone to talk to the inside and the outside.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1330679
With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1934395
So, you need the Security Plus license so you will not have this restriction.
-KS
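As an added illustration of the Base-license restriction KS quotes (this is not configuration from the thread or from Cisco's documentation, and all addresses and port assignments are constructed), here is the third VLAN in ASA 8.2 interface syntax. `no forward interface` must be entered before `nameif`; which VLAN it names is the one the restricted VLAN can never initiate traffic towards, so the choice of peer decides whether the backup VLAN is cut off from inside or from the primary ISP.

```cisco
! Constructed example: ASA 5505, Base license, three VLANs
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 ! Base license: the third VLAN may not initiate traffic to ONE other VLAN,
 ! and the command must precede nameif. The restricted peer here is the
 ! primary ISP VLAN (vlan 2); with "vlan 1" instead, Vlan3 could reach the
 ! outside VLAN but never the inside VLAN.
 no forward interface vlan 2
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Switch-port membership (constructed)
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
```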
10-03-2010 12:28 PM
I had a feeling you needed the Security Plus.
Thanks for confirming.
04-02-2013 12:01 PM
Can you explain something to me in this case?
You said "But with the restricted zone you can only talk to one vlan either inside or outside"
Does this mean that restricted zone can only talk with one other zone?
For example, why can't we do this with the ASA base license:
create VLAN 1 for INSIDE
create VLAN 2 for main ISP
create VLAN 3 ( restricted, this VLAN can communicate only with one other, right?) for backup ISP and it will communicate only with VLAN 1 INSIDE.
VLAN 3 (backup ISP) should not communicate with main ISP vlan.
What's wrong with my thinking?
Thanks in advance for your reply
04-17-2012 10:52 AM
It makes sense that you don't need a Sec Plus license to have ISP failover, as your outside traffic would never forward traffic to the failover ISP.
