KB ID 0001367
Problem
When attempting to bring up a ‘3rd VLAN’ on an ASA 5505 firewall you see an error like this;
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# int vlan 3
Petes-ASA(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Petes-ASA(config-if)#
[/box]
Or if you work in the ASDM;
Or on much older versions;
Solution
This is because you have a ‘licence limitation’. The Base licence on an ASA 5505 firewall lets you have three VLANs, BUT the 3rd VLAN can only be accessed from OUTSIDE, which gives it the name ‘DMZ Restricted’. It was designed for that very reason (to let you host a DMZ). You can see that by simply issuing a ‘show version’ command;
[box]
Petes-ASA(config)# show version
——Output removed for the sake of brevity——
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
——Output removed for the sake of brevity——
[/box]
Or in the ASDM > Home > Licence.
So if you need more VLANs, and you don’t simply want a DMZ, then you are going to need to upgrade the licence. But if you do just need a DMZ, read on…
At the command line you simply need to name the interface (VLAN) that the new DMZ VLAN is BLOCKED FROM FORWARDING traffic to, i.e. the inside VLAN, which is usually VLAN 1.
[box]
Petes-ASA(config)# interface vlan 3
Petes-ASA(config-if)# no forward interface vlan 1
Petes-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Petes-ASA(config-if)# no shutdown
Petes-ASA(config-if)# ip address 192.168.100.254 255.255.255.0
Petes-ASA(config-if)# interface ethernet 0/3
Petes-ASA(config-if)# switchport access vlan 3
Petes-ASA(config-if)# no shut
[/box]
Note: Above I’m allocating VLAN 3 to the physical interface labelled 3 on the firewall.
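As an added check that is not part of the original article: a small Python script, written for this page, that parses the ‘VLANs :’ licence line from show version and the VLAN interface blocks of a running-config, then applies the rule the error message states (no more than two VLAN interfaces with a nameif and without a ‘no forward interface’ command). The sample outputs are constructed, modelled on the ones shown above.

```python
import re

# Constructed sample, modelled on the 'show version' licence lines above.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
This platform has a Base license.
"""

# Constructed sample: VLAN interface blocks of a running-config after the
# DMZ VLAN has been added with the 'no forward' restriction.
RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 ip address 192.168.100.254 255.255.255.0
!
"""

def licensed_vlans(show_version):
    """Return (vlan_limit, dmz_restricted) from the 'VLANs :' licence line."""
    m = re.search(r"^VLANs\s*:\s*(\d+)(,\s*DMZ Restricted)?", show_version, re.M)
    if not m:
        raise ValueError("no VLANs licence line found")
    return int(m.group(1)), m.group(2) is not None

def parse_vlan_interfaces(config):
    """Map each 'interface VlanN' block to its nameif and 'no forward' targets."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # block header, '!' or other top-level line
            m = re.match(r"interface\s+(Vlan\d+)\s*$", line, re.I)
            current = m.group(1) if m else None
            if current:
                blocks[current] = {"nameif": None, "no_forward": []}
            continue
        if current is None:
            continue
        cmd = line.strip()
        if m := re.match(r"nameif\s+(\S+)$", cmd):
            blocks[current]["nameif"] = m.group(1)
        elif m := re.match(r"no forward interface\s+(Vlan\d+)$", cmd, re.I):
            blocks[current]["no_forward"].append(m.group(1))
    return blocks

def base_licence_check(config, max_unrestricted=2):
    """Rule from the error message: at most max_unrestricted named VLAN
    interfaces may lack a 'no forward interface' command."""
    named = {n: v for n, v in parse_vlan_interfaces(config).items() if v["nameif"]}
    unrestricted = sorted(n for n, v in named.items() if not v["no_forward"])
    return len(unrestricted) <= max_unrestricted, unrestricted
```

Removing the ‘no forward interface Vlan1’ line from the sample makes the check fail with all three VLANs listed as unrestricted, which is the condition the firewall rejects.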
In the ASDM, you need to do this on the ‘Advanced‘ tab when creating the interface, like so;
Note: If you ever try to remove the block (without purchasing a licence), you will see this error;
Related Articles, References, Credits, or External Links
NA