
Forum Replies

  1. Question:

    Why can I not create sub-interfaces if I have the Security Plus license?
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 20 DMZ Unrestricted
    Dual ISPs : Enabled perpetual
    VLAN Trunk Ports : 8 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Standby perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Enabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 25 perpetual
    Total VPN Peers : 25 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has an ASA 5505 Security Plus license.
    Please advise

  2. Hi Rob,

    If you go from a high security level to a low security level then you won't need an access-list. R1 will be able to reach R2, there's no need to configure anything else. You could however restrict this with an access-list.

    If you want to permit traffic from R2 to R1 then you'll need an access-list since you go from a low to a higher security level.

    Rene

  3. Hi Rene,

    I am facing some issues with inter-VLAN routing on an ASA 5585. Is there any command to add for inter-VLAN routing?
    Already configured with "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface".

  4. Hi Rene,

    I'm a newbie in need of config help involving a Catalyst 4500X and an ASA 5512-X.
    I will be managing the 4500X that is connected to my data center provider's ASA 5512-X.

    Here are the details:
    All internal routing is done on the 4500x.
    Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

    VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
    -- 10.10.10.3 / 29

    4500x config:

    interface TenGigabitEthernet1/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    
    interface TenGigabitEthernet2/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    
    --VLAN 69 (192.168.69.2 /24)
    interface TenGigabitEthernet1/1/4
     description Test Server
     switchport access vlan 69
     switchport mode access
     spanning-tree portfast
    
    interface Vlan69
     ip address 192.168.69.2 255.255.255.0
    
    interface Vlan500
     ip address 10.10.10.3 255.255.255.248
    
    -- Default gateway 10.10.10.1

    --ASA 5512x config:

    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1.500
     vlan 500
     nameif inside
     security-level 100
     ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 
    
    access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any 
    
    object network obj-192.168.69.0-24
     nat (inside,outside) dynamic interface
    
    route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

    My DC provider claims that everything is setup on their end for internet access, however I am unable to connect to the outside from a server behind the 4500x.
    From the 4500x, I can ping 10.10.10.1 and .2.
    I can't ping any public address.
    No internet access from the server.

    What's missing or needs to change on either end? Is trunking on the ASA really necessary?
    Please advise.

    Thanks!

  5. Hi @akosiron

    If you can ping from your server to the INSIDE ip address of your ASA, then at least you know your trunks/vlans are OK.

    The only reason to use a trunk is if you need multiple VLANs between your ASA and switch. I see you only use VLAN 500, so it's not needed unless you plan to add more VLANs later.

    The ASA has this route:

    route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

    How does it know how to get to 192.168.69.2? It's saying that to reach 192.168.69.0/24 you have to go to 192.168.69.2 (a chicken-and-egg problem). The next hop should be 10.10.10.3, the IP address you use on your switch for the VLAN 500 interface.

    That's the one the ASA knows how to reach:

    interface GigabitEthernet0/1.500
     vlan 500
     nameif inside
     security-level 100
     ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2

    Rene
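Reply 2 (traffic between security levels) and reply 5 (a static route whose next hop is inside its own destination prefix) both describe checks that can be run against an ASA configuration before it reaches a device. The script below is an added example, not code from the thread, from Rene, or from Cisco. It parses nameif, security-level and ip address lines plus route statements from a constructed config fragment modelled on the one posted above; the outside interface and its 203.0.113.8/29 addressing are assumptions added so that there are two interfaces to compare. It then reports whether traffic between two named interfaces is permitted without an access-list and flags any static route whose next hop is not on the exit interface's connected subnet, including the self-referencing case from reply 5.

```python
import ipaddress
import re

# Constructed ASA configuration fragment modelled on the thread's snippets.
# The outside interface and its 203.0.113.8/29 addressing are assumptions so
# that the checks have two interfaces to compare; the inside route is the one
# discussed in the thread (next hop inside the destination prefix).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 192.168.69.0 255.255.255.0 192.168.69.2 1
"""

# "route <ifname> <network> <mask> <next hop> [metric]"
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Map each nameif to its security level and connected IPv4 subnet."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Any top-level line ends the current interface block.
            current = {} if line.startswith("interface ") else None
            continue
        if current is None:
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif":
            interfaces[parts[1]] = current
        elif parts[0] == "security-level":
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            # "ip address A.B.C.D MASK [standby ...]"; the standby address is ignored.
            current["subnet"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
    return interfaces


def parse_routes(config):
    """Yield (exit interface, destination network, next hop) for each static route."""
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifname, net, mask, nexthop = m.groups()
            yield ifname, ipaddress.IPv4Network(f"{net}/{mask}"), ipaddress.IPv4Address(nexthop)


def implicit_policy(config, src_if, dst_if):
    """True if traffic from src_if to dst_if is allowed without an access-list:
    higher to lower security level, or equal levels when
    'same-security-traffic permit inter-interface' is configured."""
    interfaces = parse_interfaces(config)
    src = interfaces[src_if]["security_level"]
    dst = interfaces[dst_if]["security_level"]
    same_level_ok = "same-security-traffic permit inter-interface" in config
    return src > dst or (src == dst and same_level_ok)


def check_routes(config):
    """Return (route text, problem) for each static route whose next hop is not
    on the exit interface's connected subnet."""
    interfaces = parse_interfaces(config)
    problems = []
    for ifname, dest, nexthop in parse_routes(config):
        text = f"route {ifname} {dest.network_address} {dest.netmask} {nexthop}"
        subnet = interfaces.get(ifname, {}).get("subnet")
        if subnet is None:
            problems.append((text, f"no nameif/ip address found for interface {ifname}"))
        elif nexthop in subnet:
            continue  # next hop is directly reachable on the exit interface
        elif nexthop in dest:
            problems.append((text, "next hop lies inside the destination prefix; "
                                   "the route depends on itself"))
        else:
            problems.append((text, f"next hop is not on {ifname}'s subnet {subnet}"))
    return problems


if __name__ == "__main__":
    print("inside -> outside without ACL:", implicit_policy(SAMPLE_CONFIG, "inside", "outside"))
    print("outside -> inside without ACL:", implicit_policy(SAMPLE_CONFIG, "outside", "inside"))
    for route, why in check_routes(SAMPLE_CONFIG):
        print(f"{route}: {why}")
```

Run against the sample, the policy check reports that inside to outside needs no access-list while outside to inside does, and the route check flags only the inside route, because its next hop 192.168.69.2 is neither on 10.10.10.0/29 nor reachable without the very route that points at it. Replacing the next hop with 10.10.10.3, as reply 5 suggests, clears the finding.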
