We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 581 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


295 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Question:

    Why I can not create sub-interfaces if I have the security plus license?
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 20 DMZ Unrestricted
    Dual ISPs : Enabled perpetual
    VLAN Trunk Ports : 8 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Standby perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Enabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 25 perpetual
    Total VPN Peers : 25 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has an ASA 5505 Security Plus license.
    Please advise

  2. Hi Rob,

    If you go from a high security level to a low security level then you won't need an access-list. R1 will be able to reach R2, there's no need to configure anything else. You could however restrict this with an access-list.

    If you want to permit traffic from R2 to R1 then you'll need an access-list since you go from a low to a higher security level.


  3. Hi Mark,

    By default, all traffic from a higher security level (OUTSIDE) to a lower security level (INSIDE) will be dropped. The only thing you have to do is to create an access-list and permit the traffic you want. Take a look at this example:


    Look for the "Permit Traffic to DMZ" section. Instead of the DMZ, it will be INSIDE for you.

    The ASA will use regular routing to select the egress interface. Let's say you have an INSIDE gi0/1.10 sub-interface with IP address on it. If you receive a packet on one of your OUTSIDE sub-interfaces with source and destination then it will forward the packet on your gi0/1.10 sub-interface (if it is permitted with an access-list).

    Since ASA 9.4, it is also possible to use PBR (Policy Based Routing) to overrule default routing behavior btw.


  4. Hi Rene,

    I am facing with some issue in intervlan routing at ASA 5585.Is there any command to add in intervlan Routing.
    Already configured with "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface".

  5. Hi Rene,

    I'm a newbie in need of config help involving a catalyst 4500x and ASA5512X.
    I will be managing 4500x that is connected to my DataCenter provider's ASA 5512x.

    Here are the details:
    All internal routing is done on the 4500x.
    Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

    VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
    -- / 29

    4500x config:

    interface TenGigabitEthernet1/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    interface TenGigabitEthernet2/1/17
     switchport mode trunk
     switchport trunk allowed vlan 500
    --VLAN 69 ( /24)
    Interface TenGigabitEthernet1/1/4
     description Test Server
     switchport access vlan 69
     switchport mode access
     spanning-tree portfast
    interface Vlan69
     ip address
    interface Vlan500
     ip address
    -- Default gateway

    --ASA 5512x config:

    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/1.500
     vlan 500
     nameif inside
     security-level 100
     ip address standby 
    access-list inside_in extended permit ip any 
    object network obj-
     nat (inside,outside) dynamic interface
    route inside 1

    My DC provider claims that everything is setup on their end for internet access, however I am unable to connect to the outside from a server behind the 4500x.
    From the 4500x, I can ping and .2.
    I can't ping any public address.
    No internet access from the server.

    What's missing or needs to change on either ends? Is trunking on the ASA really necessary?
    Please advise.


35 more replies! Ask a question or join the discussion by visiting our Community Forum