asked on
ASA
I have an ASA with 3 vlans. The 3rd vlan has a status of down even though I have given it the no shutdown command on the vlan interface? Any ideas?
Cisco
Last Comment
Benjamin Van Ditmars
No interfaces assigned to the vlan?
ASKER
I havent assigned any interfaces yet to the vlan.....
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I was able to add a third vlan, it just says status down when I do a "show switch vlan". I will log in now and try to assign an interface to the vlan.
ASKER
I just want the 3rd vlan to be this small network for the 2 exchange servers 2nd nic. They will only talk to each other on this vlan....would that work on this ASA?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
So I can have the 3rd vlan but I have to have a no forward staatement to the inside vlan???
Correct. With the basic licence of 5505 we cannot access the DMZ (third VLAN) from Inside. To lift that restriction you need security plus licence.
ASKER
Hmm, I added an onterface to this vlan. It now says staus up, but when I ping the ip of the vlan interface all I get back is ????? from the ping. And this is from inside the asa.
ASKER
How do I determine if I have a basic license or not?
ASKER
oh nevermind...show activation-key detail
Run sh ver command in CLI or in License tab of Device information in ASDM
ASKER
OK, 1 more time so I am clear.
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.10.11 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
no nameif
security-level 100
ip address 192.168.60.1 255.255.255.0
So from inisde my asa I ping 192.168.60.1 (VLAN 3 IP) and I get back
ping 192.168.60.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.60.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
So that is usposed to happen? I cannot ping internally from asa to vlan3?
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.10.11 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
no nameif
security-level 100
ip address 192.168.60.1 255.255.255.0
So from inisde my asa I ping 192.168.60.1 (VLAN 3 IP) and I get back
ping 192.168.60.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.60.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
So that is usposed to happen? I cannot ping internally from asa to vlan3?
Correct. That's the limitation of Base license - you can access outside from the DMZ (your VLAN 3) but you cannot access inside interface. To lift that limitation you need security plus licence
ASKER
Where can I buy and download the security plus license?
Any Cisco dealer, depending on your location. The licence is just an activation key that you will have to enter on the firewall.
With the asa5505 with a basic os you can make a thrid vlan, that has access to the LAN or WAN interface. but not both. this is the ristricted DMZ but if you need 2 exchange servers to talk to the other why not create a vlan on a swicht ?. this is much cheaper