designetwork(EN)

IT technical memo of networking

Resolve VLAN nameif setting error with ASA 5505 of basic license


With the basic license, the Cisco ASA 5505 can configure up to three VLANs. However, if you configure them in the usual way, you get an error when setting nameif on the third VLAN. This post describes how to resolve the error and set nameif on the third VLAN.

The second-hand price of the Cisco ASA 5505 is falling, which makes it easier to introduce as a home Internet connection router. With this procedure a DMZ can be built, so services can be published to the Internet safely.

Home network diagram

Because this ASA 5505 has the basic license, VLAN trunking is not possible. With the extended license, up to 20 VLANs and trunk connections are possible. Therefore each VLAN is connected to the Cat 2960 as an access port, and the ASA 5505 is used only as a routing point.

ASA 5505(basic license)
|V1 |V50 |V99
Cat 2960(all ASA connections are access)
|V1 |V50 |V99
PC SV ONU

VLANs

1 : management(inside)
50: dmz
99: outside(internet)

ASA5505# sh run int vlan 1
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0 
ASA5505# sh run int vlan 99
!
interface Vlan99
 description internet
 nameif outside
 security-level 0
 pppoe client vpdn group nifty
 ip address pppoe setroute 

Error contents

Attempting to set nameif on the third VLAN results in the following error. With the basic license, the third VLAN may communicate with only one of the two VLANs configured earlier.

ASA5505# conf t
ASA5505(config)# int vlan 50
ASA5505(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with 
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

Error avoidance setting procedure

The Cisco Support Community also describes this procedure.

ASA 5505 Unable to assign ip to DMZ vlan interface | Firewalling | Cisco Support Community

By prohibiting forwarding from the DMZ to inside (no forward interface vlan 1), nameif can be set and communication becomes possible. The restriction is one-directional: hosts on the DMZ cannot initiate connections to inside, while inside can still reach the DMZ, which is the behaviour normally wanted for a DMZ.

ASA5505# conf t
ASA5505(config)# int vlan 50
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 192.168.50.1 255.255.255.0
ASA5505(config-if)# end
ASA5505# sh run int vlan 50
!
interface Vlan50
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0 
ASA5505# 

For Internet access, a NAPT (PAT) setting is required for the DMZ, just as for inside. Depending on the firewall design, an ACL may also be needed. (In this example, traffic is controlled by security level only.)

ASA5505# sh run | grep Internet
object-group network Internet-PAT
nat (management,outside) source dynamic Internet-PAT interface
ASA5505# conf t
ASA5505(config)# nat (dmz,outside) source dynamic Internet-PAT interface
ASA5505(config)# end
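As an added example that is not part of the original post, the following Python checker parses the "interface VlanN" blocks from "show running-config" output, applies the basic-license rule stated in the error message (at most two nameif VLANs without a "no forward"), and lists which flows "no forward" blocks. The sample configuration is constructed from the VLANs in this post; the authoritative check is of course performed by the ASA itself.

```python
import re

# Constructed sample: the three VLAN interfaces from this post, with the
# "no forward" line that makes the third nameif acceptable on the basic license.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0
interface Vlan99
 nameif outside
 security-level 0
 ip address pppoe setroute
interface Vlan50
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
"""

UNRESTRICTED_LIMIT = 2  # basic license: nameif VLANs allowed without "no forward"

def parse_vlan_interfaces(config):
    """Map 'VlanN' -> {'nameif': str|None, 'no_forward': ['VlanM', ...]}."""
    interfaces, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface (Vlan\d+)\s*$", line)
        if head:
            cur = interfaces.setdefault(head.group(1), {"nameif": None, "no_forward": []})
        elif cur is not None and line.startswith(" "):
            w = line.split()
            if w[:1] == ["nameif"] and len(w) == 2:
                cur["nameif"] = w[1]
            elif w[:3] == ["no", "forward", "interface"] and len(w) == 4:
                cur["no_forward"].append(w[3])
    return interfaces

def check_basic_license(interfaces):
    """Return findings; an empty list means the third nameif will be accepted."""
    unrestricted = sorted(k for k, v in interfaces.items()
                          if v["nameif"] and not v["no_forward"])
    if len(unrestricted) > UNRESTRICTED_LIMIT:
        return ["too many nameif VLANs without 'no forward': %s" % unrestricted]
    return []

def blocked_flows(interfaces):
    """(source nameif, destination nameif) pairs that 'no forward' stops from being initiated."""
    return sorted((v["nameif"], interfaces[t]["nameif"]) for v in interfaces.values()
                  if v["nameif"] for t in v["no_forward"] if interfaces.get(t, {}).get("nameif"))
```

Running the checker on the sample reports no findings and one blocked flow, dmz to management; removing the "no forward" line reproduces the condition that triggers the ASA error.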

Conclusion - Resolve VLAN nameif configuration error with ASA 5505 of basic license

By adding the no forward command to the third VLAN, the VLAN nameif setting error on the basic-license Cisco ASA 5505 was resolved. This enables the common inside / outside / dmz network configuration.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
