« Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC

Cisco ASA 5505 Vlans and Licensing

Sponsored Links

The eight physical network interfaces of the Cisco ASA 5505 firewall appliance can be divided into groups that function as separate security zone networks. Each group is a Layer 2 Vlan. Devices in the same group (Vlan) can communicate directly between them without passing through the security control of the firewall. On the other hand, devices between different Vlans can only communicate with each other by passing the traffic through the adaptive security appliance where relevant security policies are applied. By default, there are two Vlans (VLAN1 and VLAN2) preconfigured on the firewall by default. Port Ethernet0/0 belongs to VLAN2 and ports Ethernet0/1 to 0/7 belong to VLAN1. For example, when a switch port on VLAN1 is communicating with a switch port on VLAN2, the adaptive security appliance applies configured security policies to the traffic and routes or bridges the traffic between the two VLANs. Usually Port Ethernet0/0 connects to the outside untrusted interface (Internet), and ports Ethernet0/1 to 0/7 connect to the inside trusted network zone.

The license installed on the 5505 firewall determines the number of active VLANs allowed on the appliance as described below:

Basic ASA 5505 License:

The basic license allows only 3 active VLANs which you can use as Inside, Outside and DMZ. However, there is a restriction here that many people do not know about: The DMZ VLAN can access ONLY the Outside VLAN but can not access the Inside VLAN. The other two VLANs (Inside and Outside) can access all the other VLANs with no problems.

Security Plus ASA 5505 License:

The Security Plus license, removes all limitations and allows up to 20 active VLANs to be configured. Since there are only 8 physical ports, you can create several vlan subinterfaces on each physical port to segment your network into different security zones (e.g Inside, Outside, DMZ1, DMZ2, Sales, Engineering etc).