With the basic license, the Cisco ASA 5505 supports up to three VLANs. However, if you configure them the usual way, you get an error when setting nameif on the third VLAN. This post describes how to resolve the error and set nameif on the third VLAN.
Second-hand prices for the Cisco ASA 5505 are falling, which makes it easier to adopt as a home Internet router. With this procedure a DMZ can be built, so services can be published to the Internet safely.
- Home network diagram
- Error contents
- Conclusion: resolving the VLAN nameif configuration error on a basic-license ASA 5505
Home network diagram
Because this ASA 5505 has the basic license, VLAN trunking is not available (the extended license allows up to 20 VLANs and trunk connections). Therefore each VLAN is connected to the Catalyst 2960 through an access port, and the ASA 5505 is used only as a routing point.
```
ASA 5505 (basic license)
   |V1      |V50      |V99
Cat 2960 (all ASA connections are access ports)
   |V1      |V50      |V99
   PC       SV        ONU
```
VLANs:
- 1: management (inside)
- 50: dmz
- 99: outside (Internet)
```
ASA5505# sh run int vlan 1
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0
ASA5505# sh run int vlan 99
!
interface Vlan99
 description internet
 nameif outside
 security-level 0
 pppoe client vpdn group nifty
 ip address pppoe setroute
```
Error contents
Attempting to set nameif on the third VLAN results in the following error. With the basic license, the third VLAN may only communicate with one of the two VLANs configured earlier.
```
ASA5505# conf t
ASA5505(config)# int vlan 50
ASA5505(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
```
Procedure to avoid the error
The Cisco support community also describes this procedure:
Solved: ASA 5505 Unable to assign ip to DMZ vlan interface - Cisco Community
By prohibiting forwarding from the DMZ to the inside VLAN (no forward interface), nameif can be set and communication works.
```
ASA5505# conf t
ASA5505(config)# int vlan 50
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 192.168.50.1 255.255.255.0
ASA5505(config-if)# end
ASA5505# sh run int vlan 50
!
interface Vlan50
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
ASA5505#
```
For Internet access, a NAPT (PAT) rule is needed for the dmz, just as for inside. Depending on the firewall design, an ACL may also be required (in this example, traffic is controlled by security level alone).
```
ASA5505# sh run | grep Internet
object-group network Internet-PAT
nat (management,outside) source dynamic Internet-PAT interface
ASA5505# conf t
ASA5505(config)# nat (dmz,outside) source dynamic Internet-PAT interface
ASA5505(config)# end
```
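As an added example (not part of the original post, and not Cisco tooling), the following Python checker parses an ASA running-config and verifies the two things set up above: that at most two interfaces carry nameif without a `no forward interface` restriction (the basic-license limit the error message states), and that every named segment other than outside has a dynamic NAT rule towards outside. The config text is constructed for the example; the `network-object` members of Internet-PAT are assumed, only the interface and nat lines mirror the post.

```python
# Added example checker (not from the original post, not Cisco tooling).
# The config below is constructed; object-group members are assumptions.
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0
!
interface Vlan50
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan99
 description internet
 nameif outside
 security-level 0
 pppoe client vpdn group nifty
 ip address pppoe setroute
!
object-group network Internet-PAT
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
nat (management,outside) source dynamic Internet-PAT interface
nat (dmz,outside) source dynamic Internet-PAT interface
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) source dynamic (\S+) (\S+)$")


def parse_interfaces(config):
    """Map interface name -> nameif, security-level and the set of interfaces
    it may not forward traffic to ('no forward interface X')."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if current and line.startswith(" "):
            body = line.strip()
            entry = interfaces[current]
            if body.startswith("nameif "):
                entry["nameif"] = body.split(None, 1)[1]
            elif body.startswith("no forward interface "):
                entry["no_forward"].add(body.split()[-1])
            elif body.startswith("security-level "):
                entry["security_level"] = int(body.split()[1])
            continue
        m = INTERFACE_RE.match(line)
        current = m.group(1) if m else None  # '!' or any top-level line ends the section
        if current:
            interfaces[current] = {"nameif": None, "no_forward": set(), "security_level": None}
    return interfaces


def unrestricted_named(interfaces):
    """Interfaces with a nameif and no 'no forward interface' pointing at another
    named interface. The basic license permits only two of these; a third named
    interface must carry the restriction, which is exactly what the error enforces."""
    named = {n for n, e in interfaces.items() if e["nameif"]}
    return sorted(n for n in named if not (interfaces[n]["no_forward"] & named))


def license_ok(interfaces, limit=2):
    """True when the config would be accepted under the basic-license limit."""
    return len(unrestricted_named(interfaces)) <= limit


def dynamic_nat_sources(config, to="outside"):
    """Source nameifs that have a 'nat (src,<to>) source dynamic ...' rule."""
    return {m.group(1) for m in map(NAT_RE.match, config.splitlines())
            if m and m.group(2) == to}


def missing_internet_nat(config):
    """Named segments (other than outside) with no dynamic NAT towards outside,
    i.e. segments that cannot reach the Internet yet (dmz before the nat line)."""
    nat = dynamic_nat_sources(config)
    names = {e["nameif"] for e in parse_interfaces(config).values() if e["nameif"]}
    return sorted(n for n in names if n != "outside" and n not in nat)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print("unrestricted nameif interfaces:", unrestricted_named(ifaces))
    print("basic license OK:", license_ok(ifaces))
    print("segments without Internet NAT:", missing_internet_nat(SAMPLE_CONFIG))
```

Running it against a `show running-config` capture (paste it into `SAMPLE_CONFIG` or read it from a file) reports whether the third VLAN still lacks its `no forward interface` line and which segment has not yet been given its `nat (...,outside)` rule; removing the Vlan50 restriction or the dmz nat line from the sample reproduces both failure cases.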
Conclusion: resolving the VLAN nameif configuration error on a basic-license ASA 5505
By applying the no forward interface command on the third VLAN, the nameif configuration error on a basic-license Cisco ASA 5505 is resolved. This enables the common inside/outside/dmz network layout.