How to configure a second subnet on Cisco ASA 5505

Posted on 2010-01-05
Last Modified: 2012-05-08
I've tried to set up a second subnet in my office on the Cisco ASA 5505 by configuring Eth 0/6 and vlan3 as follows:

interface Vlan3
 no nameif
 security-level 100
 ip address

interface Ethernet0/6
 switchport access vlan 3

As I'd like to have both subnets be able to talk to each other I did this as well:
same-security-traffic permit inter-interface

But I must be missing something basic here because I can't even attach a computer to ethernet 0/6, assigned with an IP of and ping my ASA at, all I get is destination unreachable errors.

Can anyone offer some advice on what I've missed?

Question by:deanavey
    LVL 34

    Expert Comment

    by:Istvan Kalmar
    do you have security license?
    LVL 34

    Expert Comment

    by:Istvan Kalmar
    could you show me the whole config?

    Author Comment

    Here's a cleaned up configuration:

    : Saved
    ASA Version 7.2(2)
    domain-name default.domain.invalid
    enable password /rLDw.WE6STAh.8y encrypted
    name Romp1 description Romp IP 1
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address 12.x.x.x
    interface Vlan3
     no nameif
     security-level 100
     ip address
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 3
    interface Ethernet0/7
    passwd uCtg7JiTzVf4ijl6 encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    access-list noNAT extended permit ip
    access-list noNAT extended permit ip any
    access-list noNAT extended permit ip
    access-list noNAT extended permit ip
    access-list sym extended permit ip
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list noNAT
    nat (inside) 1
    access-group outside_in in interface outside
    route outside 12.x.x.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http inside
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet inside
    telnet timeout 45
    ssh inside
    ssh outside
    ssh outside
    ssh timeout 45
    console timeout 0

    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp

    And a show version gives:

    Cisco Adaptive Security Appliance Software Version 7.2(2)
    Device Manager Version 5.2(2)

    Compiled on Wed 22-Nov-06 14:16 by builders
    System image file is "disk0:/asa722-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 1 day 3 hours

    Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash LHF00L47 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
     0: Int: Internal-Data0/0    : address is 001b.5312.2063, irq 11
     1: Ext: Ethernet0/0         : address is 001b.5312.205b, irq 255
     2: Ext: Ethernet0/1         : address is 001b.5312.205c, irq 255
     3: Ext: Ethernet0/2         : address is 001b.5312.205d, irq 255
     4: Ext: Ethernet0/3         : address is 001b.5312.205e, irq 255
     5: Ext: Ethernet0/4         : address is 001b.5312.205f, irq 255
     6: Ext: Ethernet0/5         : address is 001b.5312.2060, irq 255
     7: Ext: Ethernet0/6         : address is 001b.5312.2061, irq 255
     8: Ext: Ethernet0/7         : address is 001b.5312.2062, irq 255
     9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs                       : 3, DMZ Restricted
    Inside Hosts                : Unlimited
    Failover                    : Disabled
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    VPN Peers                   : 10
    WebVPN Peers                : 2
    Dual ISPs                   : Disabled
    VLAN Trunk Ports            : 0

    This platform has a Base license.

    Serial Number: JMX1108K0Q0
    Running Activation Key: 0x0d3e327d 0xc418ca7f 0x1ca24dac 0x8decd0c4 0x832fdf8f
    Configuration register is 0x1
    Configuration last modified by enable_15 at 08:20:19.401 UTC Tue Jan 5 2010

    Author Comment

    Maybe I found my own answer. Cisco has the following that seems to say I can't do what I want since I'm on the Base Platform license:

    Base Platform  Transparent Mode
     Up to two active VLANs.
    Routed Mode
     Up to three active VLANs. The DMZ VLAN is restricted from initiating traffic to the inside VLAN.
    Security Plus License  Transparent Mode
     Up to three active VLANs, one of which must be used for failover.
    Routed Mode
     Up to 20 active VLANs. For example, you can allocate each physical port to a separate VLAN, such as Outside, DMZ 1, DMZ 2, Engineering, Sales, Customer Service, Finance, and HR. Because there are only 8 physical ports, the additional VLANs are useful for assigning to trunk ports, which aggregate multiple VLANs on a single physical port.
    LVL 4

    Expert Comment

    Give that interface a name and also include a "global(INTNAME) 1 interface"

    Author Comment

    Trying to add a nameif gives this error:

    ERROR: This license does not allow configuring more than 2 interfaces with
    nameif and without a "no forward" command on this interface or on 1 interface(s)
    with nameif already configured.
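The error text names the mechanism the Base license uses for its third VLAN: the restricted VLAN must carry a "no forward interface" statement before it is given a nameif, after which hosts on it can reach the outside and can be reached from inside, but cannot initiate connections to the inside VLAN. Below is an added example of what that Vlan3 stanza would look like on ASA 7.2 (not configuration from the original post; the name dmz, security-level 50, and the 192.168.3.0/24 addressing are assumptions):

```text
interface Vlan3
 ! Base license: Vlan3 may not initiate traffic to Vlan1 (inside).
 ! This line must precede nameif, otherwise the license error above is returned.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/6
 switchport access vlan 3
!
! Let dmz hosts use the existing "global (outside) 1 interface" PAT pool.
nat (dmz) 1 192.168.3.0 255.255.255.0
```

With this in place "same-security-traffic permit inter-interface" is no longer what governs inside-to-dmz traffic, since the two interfaces now have different security levels; inside (100) may initiate to dmz (50) by default, while dmz-to-inside is blocked by the license restriction regardless of access lists.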

    LVL 4

    Accepted Solution

There it is... license problem, like you said.

You might want to try configuring the physical interfaces instead of the VLANs and see if that helps at all.  Maybe it's just an issue with the number of VLANs on that license. Couldn't hurt to try...
