ASA 5505 external interface dying

Hi,
We have an ASA 5505 ( version 9.1(2) ) that frequently stopped functioning ie the external interface refuses to pass any traffic , ASDM wont connect,etc.
The internal interface does continue to function and if we SSH into the unit and do a reload , everything springs back into life again.
What are the best steps to troubleshooting and finding a fix to this problem?
Chris

Hi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun

Similar Messages

How do I block pings from the outside to the ASA 5505 outside interface?

I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

You are allowing echo-reply, thus it will reply to a ping
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric

ASA 5505 backup interface

Hello,
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now.
But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
Thanks before..
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: end

Hi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun

Input and CRC errors on ASA 5505 outside interface

All,
I see input and crc errors on my ASA 5505 eth0/0(outside) interface and packet drops. There is very slow connection though we have 20mb line. ISP also sees the issue on the Lan interface side. We have the speed and duplex configured same on both ISP and our end.
I am suspecting if this is Physical cable issue. Please suggest.
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 001a.b4c9.f3d9, MTU not set
        IP address unassigned
        158138067 packets input, 141061681082 bytes, 0 no buffer
        Received 183037 broadcasts, 0 runts, 0 giants
        19642 input errors, 19642 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        144684 switch ingress policy drops
        124291353 packets output, 38197278051 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Hello Ravi,
This kind of issues CRCs/ Input Errors are tipically known as L1 issues so make sure you check the cable and if that does not make a difference change the port on each side to see if there is a difference.
Unfortunetly the ASA does not support the Time-Domain Reflectometer feature so we must do the test of L1 by ourselfs.
Can you clear the counters of the interface, test the changes provided and provide us some feedback?
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com

Firewall Cisco ASA 5505 new interface license problem

Hi
I have one ASA 5505 with a Base License
The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is if with this base license the interface cannot be used or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0         : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1         : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2         : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3         : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4         : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5         : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6         : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7         : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

Hi,
The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
For an interface on the ASA to operate it must have a name with the command "nameif"
If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
- Jouni

ASA 5505: Outside Interface Becomes Inaccessible

Greetings --
I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side. AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA. Internally, I can ping the IP address and I can ssh into the ASA.
The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM. To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
Any ideas why the lockouts are occuring? Is it possible my ISP is shutting down the IP?
Below is the configs to the ASA:
hostname psa-asa
enable password IqUJj3NwPkd63BO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
name 192.168.1.20 dbserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.43 255.255.255.0
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list outside_access_in extended permit ip host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 162.134.70.20
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
    308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
    0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
    092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
    3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
    7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
    2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
    02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
    deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
    61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
    86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
    0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
    67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
    c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
    6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
    a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
    62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
    434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
    f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
    14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
    2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
    6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
    f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
    681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PSA-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
username user1 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
username user2 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
username user4 attributes
vpn-group-policy SSLClientPolicy
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
service-type admin
username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
username user5 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
username user6 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user7 password aEGh.k89043.2NUa encrypted privilege 0
username user7 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PSA-SSL-VPN type remote-access
tunnel-group PSA-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PSA-SSL-VPN webvpn-attributes
group-alias PSA_VPN enable
group-url https://xxx.xxx.xxx.43/PSA_VPN enable
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841

Hi,
I guess if you want to temporarily set up a software to receive the logs on some computer you could even use Tftpd (you will find it easily through Google search) The same software can be used for multiple different purposes.
I sometime use it personally when testing different stuff on my home ASA.
It naturally isnt a real option if you actuall setup a separate Syslog server.
You wouldnt really need to add much to your logging configuration
logging device-id hostname
logging trap informational
logging host
Where is the name of the interface behind which the server is and the is naturally the IP address of the server.
Though the above would generate a lot of logging.
I am not even 100% sure it would log anything when you are facing the problem.
Best would be to also troubleshoot while the problem is there.
Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
If this is so it makes it a wierd problem as the ASA and your ISP can clearly pass traffic to and from your network since that remote connections is working even if there is other problems.
- Jouni

Asa 5505 sub interface plus ports

I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
You find more on this topic on the Config-Guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

Asa 5505 transparent firewall issue

hi i am having uc560 with voice and data vlan and i am having 3560 layer3 switch and my network is working fine the dhcp for voice and data both are running in uc560.
now i add asa 5505 between uc560 and switch in transparent mode means from uc560 to asa 5505 outside interface and from asa inside interface to switch,
i conigured vlan1 -- inside and vlan 2 as outside in asa 5505
in my uc 560 data is vlan 1 and my voice is vlan 100.
when i connect my network with transparent mode firewall no dhcp amd no phones are working . but if i remove asa and i connect with uc560 to switch everything is fine.
is there anyway to work multiple voice and data vlan in asa 5505 transparent mode.

hi rojas,
here is my problem,
my internet and voice all connected in the uc 560 so wat i am doing i am connecting firewall outside to uc 560 trunk port and the from inside to my switch.
when i connec to my switch it is giving message inconsistant vlan and it is port is blocked. and my phones are not working.
my data vlan1 is 192.168.123.x
and my voice vlan100 is 10.1.1.x
and the firewall ip 192.168.123.3

ASA 5505: unable to ping external hosts

Hi,
I have a LAN behind ASA 5505, interface NAT/PAT is configured.
External interface is configured for PPPoE.
Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:
icmp permit any inside
icmp permit any outside
access-list outside_access_in extended permit icmp any any
Protocol inspections and fixups are default.
When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
Where 202.xx.yy.zz is IP of external interface of ASA.
This is a very simple setup that runs on a number of othe PIXes/ASAs and pings to external IP normally work just fine. I can't understand why ping replies are getting dropped on the interface?
Any help will be highly appreciated.
Thank you.
Alex

Alex / Kerry, you have couple of options for handling icmp outbound, either acl or icmp inspection :
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
or icmp inspection instead of acl.
policy-map global_policy
class inspection_default
inspect icmp
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
HTH
Jorge

ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
The error: 'Failed to locate egress interface for UDP from inside'.... appears when ever my DNS server attempts a lookup.
I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.
If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration.
Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access.
Full config follows, screen shots attached, any help would be very gratefully received.
Result of the command: "sh run"
: Saved
ASA Version 9.0(1)
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server1
host 192.168.10.10
object network GoogleDNS1
host 8.8.8.8
description Google DNS Server
object network GoogleDNS2
host 8.8.4.4
description Google DNS Server
object network 192.168.10.x
subnet 192.168.10.0 255.255.255.0
object network InternetRouter
host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
network-object object GoogleDNS1
network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: end

Just to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet.
Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.
I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.

ASA 5505 Interface Security Level Question

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end

Hi,
To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni

ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

Using an ASA 5505 for firewall and VPN. We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
The devices complete the connection and authenticate fine, but then are unable to hit any internal resources. Split tunneling seems to be working, as they can still hit outside resources. Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24). Even the NAT translation looks good in packet tracer.
I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.) This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses. Details:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
current_peer: [VPN CLIENT ADDRESS], username: vpnuser
dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 05BFAE20
current inbound spi : CF85B895
inbound esp sas:
spi: 0xCF85B895 (3481647253)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFD
outbound esp sas:
spi: 0x05BFAE20 (96448032)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any ideas? The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address

ASA 5505 configured for WebVPN connecting to Citrix Web Interface

ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
i have a ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface . The user authenticates into WebVPN OK and gets the option to click on the Citrix Link (which is i add bookmark citrix server http:// 172.30.40.5.) i enter the citrix and then for example i want to open to outlook it can not open. (when i want to open some application no application is open)).there is no alarm at asa. how i solve this issue?
thanks.

Teymur,
Can you confim that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error. It is possible that it is generating a different error.
The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be adventageous to open a TAC case as we may need to do some live additional troubleshooting.
Thanks
-Jay

ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?

Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword.

ASA 5505 Unable to assign ip to DMZ vlan interface

hi all,
I have ASA 5505 with base license.
I created 3rd vlan on it.it was created.
but i am unable to assign IP to it.
i assign ip address it takes it.
But when i do sh int ip brief it does not show any ip.
ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
Ethernet0/0                unassigned      YES unset up                    up
Ethernet0/1                unassigned      YES unset up                    up
Ethernet0/2                unassigned      YES unset up                    up
Ethernet0/3                unassigned      YES unset administratively down down
Ethernet0/4                unassigned      YES unset administratively down down
Ethernet0/5                unassigned      YES unset administratively down down
Ethernet0/6                unassigned      YES unset administratively down down
Ethernet0/7                unassigned      YES unset administratively down down
Internal-Data0/0           unassigned      YES unset up                    up
Internal-Data0/1           unassigned      YES unset up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up*************************************************************
Virtual0                   127.0.0.1       YES unset up                    up
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# ip ad
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# end
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
4608 bytes copied in 1.630 secs (4608 bytes/sec)
[OK]
ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
Ethernet0/0                unassigned      YES unset up                    up
Ethernet0/1                unassigned      YES unset up                    up
Ethernet0/2                unassigned      YES unset up                    up
Ethernet0/3                unassigned      YES unset administratively down down
Ethernet0/4                unassigned      YES unset administratively down down
Ethernet0/5                unassigned      YES unset administratively down down
Ethernet0/6                unassigned      YES unset administratively down down
Ethernet0/7                unassigned      YES unset administratively down down
Internal-Data0/0           unassigned      YES unset up                    up
Internal-Data0/1           unassigned      YES unset up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up
Virtual0                   127.0.0.1       YES unset up                    up
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 17 hours
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is 001d.a24d.ed0e, irq 11
1: Ext: Ethernet0/0         : address is 001d.a24d.ed06, irq 255
2: Ext: Ethernet0/1         : address is 001d.a24d.ed07, irq 255
3: Ext: Ethernet0/2         : address is 001d.a24d.ed08, irq 255
4: Ext: Ethernet0/3         : address is 001d.a24d.ed09, irq 255
5: Ext: Ethernet0/4         : address is 001d.a24d.ed0a, irq 255
6: Ext: Ethernet0/5         : address is 001d.a24d.ed0b, irq 255
7: Ext: Ethernet0/6         : address is 001d.a24d.ed0c, irq 255
8: Ext: Ethernet0/7         : address is 001d.a24d.ed0d, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
<--- More --->
Need to know does this License support IP to 3rd vlan ?
Thanks
Mahesh

Hi Julio,
I tried to config namef if but here is result
ciscoasa# sh run int vlan 3
interface Vlan3
description DMZ to 3550 New Switch
no nameif
security-level 50
ip address 192.168.12.2 255.255.255.0
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# name
ciscoasa(config-if)# namei
ciscoasa(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

ASA 5505 external interface dying

Similar Messages

Maybe you are looking for