ASA5505 – ‘This Licence Does Not Allow Configuring Of More Than 2 Interfaces’

KB ID 0001367

Problem

When attempting to bring up a ‘3rd VLAN’ on an ASA 5505 firewall you see an error like this;

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# int vlan 3
Petes-ASA(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Petes-ASA(config-if)#

[/box]

Or if you work in the ASDM;

Or on much older versions;

 

Solution

This is because you have a ‘licence limitation’. The BASE licence on an ASA 5505 firewall lets you have three VLANS, BUT the 3rd vlan can only be accessed from OUTSIDE which gives it the name ‘DMZ Restricted’. It was designed for that very reason, (to let you host a DMZ.)  You can see that, by simply issuing a ‘show version‘ command’;

[box]

Petes-ASA(config)# show version
——Output removed for the sake of brevity——

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                     : 3, DMZ Restricted
Inside Hosts                 : 50
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

——Output removed for the sake of brevity——

[/box]

Or in the ASDM > Home  > Licence.

So if you need more VLANS, and you don’t simply want a DMZ, then you are going to need to upgrade the licence. But if you do need  a DMZ read on….

At command line you simply need to define the interface, (VLAN) that you want to BLOCK FORWARDING FROM. (i.e. the inside vlan, which is usually vlan1)

[box]

Petes-ASA(config)# interface vlan 3
Petes-ASA(config-if)# no forward interface vlan 1
Petes-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Petes-ASA(config-if)# no shutdown
Petes-ASA(config-if)# ip address 192.168.100.254 255.255.255.0
Petes-ASA(config-if)# interface ethernet 0/3
Petes-ASA(config-if)# switchport access vlan 3
Petes-ASA(config-if)# no shut

[/box]

Note: Above I’m allocating VLAN 3 to the physical interface labelled 3 on the firewall.

In the ASDM, you need to do this on the ‘Advanced‘ tab when creating the interface, like so;

 

Note: If you ever try and remove the block, (without purchasing a licence.) You will see this error;

Related Articles, References, Credits, or External Links

NA