We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 588 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


312 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Question:

    Why I can not create sub-interfaces if I have the security plus license?
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 20 DMZ Unrestricted
    Dual ISPs : Enabled perpetual
    VLAN Trunk Ports : 8 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Standby perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Enabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 25 perpetual
    Total VPN Peers : 25 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has an ASA 5505 Security Plus license.
    Please advise

  2. Hi Aaron,

    It really depends on what you are trying to achieve. If you have a small network then an INSIDE, DMZ and OUTSIDE zone might be all that you need. If you require more zones then you'll need to use VLANs since the ASA doesn't have that many interfaces.


  3. Hello Zahan.

    By default the ASA treats its interfaces as access ports and supports a single VLAN (with no tagging of frames). So if you haven't made any changes to the ASA port, it should be in access mode. So if both the switch and the ASA are configured correctly, and you have access ports configured on both ends, the connection should work. Look over your configuration on both interfaces (the ASA and the switch) to confirm you've got it correctly configured. If you still have problems, copy and paste the relevant portions of the config so we can take a look. Only the relevant portions please, not the whole configuration. :slight_smile:

    I hope this has been helpful!


  4. Hi Rene,

    I am facing with some issue in intervlan routing at ASA 5585.Is there any command to add in intervlan Routing.
    Already configured with "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface".

  5. Hi Rene,

    I'm a newbie in need of config help involving a catalyst 4500x and ASA5512X.
    I will be managing 4500x that is connected to my DataCenter provider's ASA 5512x.

    Here are the details:
    All internal routing is done on the 4500x.
    Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

    VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
    -- / 29

    4500x config:

    interface TenGigabitEthernet1/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    interface TenGigabitEthernet2/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    --VLAN 69 ( /24)
    Interface TenGigabitEthernet1/1/4
     description Test Server
     switchport access vlan 69
     switchport mode access
     spanning-tree portfast
    interface Vlan69
     ip address
    interface Vlan500
     ip address
    -- Default gateway

    --ASA 5512x config:

    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/1.500
     vlan 500
     nameif inside
     security-level 100
     ip address standby 
    access-list inside_in extended permit ip any 
    object network obj-
     nat (inside,outside) dynamic interface
    route inside 1

    My DC provider claims that everything is setup on their end for internet access, however I am unable to connect to the outside from a server behind the 4500x.
    From the 4500x, I can ping and .2.
    I can't ping any public address.
    No internet access from the server.

    What's missing or needs to change on either ends? Is trunking on the ASA really necessary?
    Please advise.


35 more replies! Ask a question or join the discussion by visiting our Community Forum