Solved

How to configure a second subnet on Cisco ASA 5505

Posted on 2010-01-05
1,624 Views
Last Modified: 2012-05-08
I've tried to set up a second subnet in my office on the Cisco ASA 5505 by configuring Eth 0/6 and vlan3 as follows:

interface Vlan3
 no nameif
 security-level 100
 ip address 10.211.0.3 255.255.255.0

interface Ethernet0/6
 switchport access vlan 3

As I'd like both subnets to be able to talk to each other, I did this as well:
same-security-traffic permit inter-interface

But I must be missing something basic here, because I can't even attach a computer with an IP of 10.211.0.100 to Ethernet 0/6 and ping my ASA at 10.211.0.3; all I get is destination unreachable errors.

Can anyone offer some advice on what I've missed?

Question by:deanavey
7 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26183393
Do you have a security license?
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26183413
Could you show me the whole config?
 

Author Comment

by:deanavey
ID: 26183534
Here's a cleaned up configuration:

: Saved
:
ASA Version 7.2(2)
!
domain-name default.domain.invalid
enable password /rLDw.WE6STAh.8y encrypted
names
name 10.5.0.15 Romp1 description Romp IP 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.x.x.x 255.255.255.240
!
interface Vlan3
 no nameif
 security-level 100
 ip address 10.211.0.3 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
!
passwd uCtg7JiTzVf4ijl6 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list noNAT extended permit ip 10.5.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list noNAT extended permit ip any 10.21.0.0 255.255.255.192
access-list noNAT extended permit ip 10.5.0.0 255.255.255.0 10.51.0.0 255.255.255.0
access-list noNAT extended permit ip 10.211.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list sym extended permit ip 10.211.0.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list noNAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.5.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 45
ssh 0.0.0.0 0.0.0.0 inside
ssh 24.7.251.250 255.255.255.255 outside
ssh 65.41.207.190 255.255.255.255 outside
ssh timeout 45
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

And a show version gives:

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 day 3 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash LHF00L47 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001b.5312.2063, irq 11
 1: Ext: Ethernet0/0         : address is 001b.5312.205b, irq 255
 2: Ext: Ethernet0/1         : address is 001b.5312.205c, irq 255
 3: Ext: Ethernet0/2         : address is 001b.5312.205d, irq 255
 4: Ext: Ethernet0/3         : address is 001b.5312.205e, irq 255
 5: Ext: Ethernet0/4         : address is 001b.5312.205f, irq 255
 6: Ext: Ethernet0/5         : address is 001b.5312.2060, irq 255
 7: Ext: Ethernet0/6         : address is 001b.5312.2061, irq 255
 8: Ext: Ethernet0/7         : address is 001b.5312.2062, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: JMX1108K0Q0
Running Activation Key: 0x0d3e327d 0xc418ca7f 0x1ca24dac 0x8decd0c4 0x832fdf8f
Configuration register is 0x1
Configuration last modified by enable_15 at 08:20:19.401 UTC Tue Jan 5 2010

Author Comment

by:deanavey
ID: 26184484
Maybe I found my own answer. Cisco has the following that seems to say I can't do what I want since I'm on the Base Platform license:

Base Platform
 Transparent Mode: Up to two active VLANs.
 Routed Mode: Up to three active VLANs. The DMZ VLAN is restricted from initiating traffic to the inside VLAN.

Security Plus License
 Transparent Mode: Up to three active VLANs, one of which must be used for failover.
 Routed Mode: Up to 20 active VLANs. For example, you can allocate each physical port to a separate VLAN, such as Outside, DMZ 1, DMZ 2, Engineering, Sales, Customer Service, Finance, and HR. Because there are only 8 physical ports, the additional VLANs are useful for assigning to trunk ports, which aggregate multiple VLANs on a single physical port.
 
LVL 4

Expert Comment

by:JDLoaner
ID: 26186328
Give that interface a name and also include a "global (INTNAME) 1 interface".
 

Author Comment

by:deanavey
ID: 26190175
Trying to add a nameif gives this error:

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

 
LVL 4

Accepted Solution

by: JDLoaner (earned 500 total points)
ID: 26194773
There it is... license problem, like you said.

You might want to try configuring the physical interfaces instead of the VLANs and see if that helps at all. Maybe it's just an issue with the number of VLANs on that license. Couldn't hurt to try...
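For reference, the configuration that the license error quoted earlier in the thread points at, as an added example that is not from any participant here: on the Base license the third VLAN is the "DMZ Restricted" VLAN and must carry `no forward interface Vlan1` before the ASA will accept a `nameif` on it. The interface name `dmz` and the NAT line are assumptions; the addresses are the ones from the thread.

```text
! Added example (not from the thread): third VLAN on an ASA 5505 Base license.
! "no forward interface" must be entered before nameif, otherwise the
! "This license does not allow configuring more than 2 interfaces" error is returned.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 100
 ip address 10.211.0.3 255.255.255.0
!
interface Ethernet0/6
 switchport access vlan 3
!
! Hosts on 10.211.0.0/24 reach the outside through the existing PAT pool.
! Per the license text, Vlan3 cannot initiate traffic to the inside VLAN (Vlan1);
! the inside VLAN can still initiate traffic to Vlan3 and receive replies.
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
```

Because of the forwarding restriction, `same-security-traffic permit inter-interface` does not make the two internal subnets fully reachable from each other on this license; only the Security Plus license removes that limit.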
