Cisco ASA 5505 Vlans and Licensing

The eight physical network interfaces of the Cisco ASA 5505 firewall appliance can be divided into groups that function as separate security zone networks. Each group is a Layer 2 VLAN. Devices in the same group (VLAN) can communicate directly with each other without passing through the security control of the firewall. On the other hand, devices in different VLANs can only communicate with each other by passing their traffic through the adaptive security appliance, where the relevant security policies are applied. By default, two VLANs (VLAN1 and VLAN2) are preconfigured on the firewall: port Ethernet0/0 belongs to VLAN2 and ports Ethernet0/1 to 0/7 belong to VLAN1. For example, when a switch port on VLAN1 communicates with a switch port on VLAN2, the adaptive security appliance applies the configured security policies to the traffic and routes or bridges it between the two VLANs. Usually port Ethernet0/0 connects to the outside untrusted interface (Internet), and ports Ethernet0/1 to 0/7 connect to the inside trusted network zone.

The license installed on the 5505 firewall determines the number of active VLANs allowed on the appliance, as described below:

Basic ASA 5505 License:

The basic license allows only 3 active VLANs, which you can use as Inside, Outside and DMZ. However, there is a restriction here that many people do not know about: the DMZ VLAN can access ONLY the Outside VLAN and cannot access the Inside VLAN. The other two VLANs (Inside and Outside) can access all the other VLANs with no problems.

Security Plus ASA 5505 License:

The Security Plus license removes all limitations and allows up to 20 active VLANs to be configured. Since there are only 8 physical ports, you can create several VLAN subinterfaces on each physical port to segment your network into different security zones (e.g. Inside, Outside, DMZ1, DMZ2, Sales, Engineering, etc.).
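As an added example (not part of the original post), here is a minimal ASA 5505 configuration for the three-VLAN Base license setup described above. The IP addresses and the choice of Ethernet0/2 for the DMZ port are assumptions; the `no forward interface Vlan1` line is what enforces the DMZ-cannot-reach-Inside restriction, and on the Base license it must be entered before `nameif` on the third VLAN or the appliance rejects the interface for licensing reasons.

```cisco
! Inside zone (default VLAN for Ethernet0/1 - 0/7)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside zone (Ethernet0/0), address learned from the ISP
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN (DMZ) allowed by the Base license.
! "no forward interface Vlan1" blocks traffic initiated from this VLAN
! towards the inside VLAN; it may only reach the outside VLAN.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Move one switch port from the default VLAN1 into the DMZ VLAN (assumed port)
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
```

To confirm which license is active before planning further zones, check the "Maximum VLANs" line in the output of `show version`: it reads 3 on the Base license and 20 on Security Plus.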

2 Responses to 'Cisco ASA 5505 Vlans and Licensing'

  1. Sean - November 25th, 2011 at 7:04 pm

    Thanks for the info. So if I wanted to have 2 offices share a single internet connection I can set up 2 VLANs with the base license as long as they don’t have to communicate with each other? I can still set up NAT / ACL for each VLAN, correct?

  2. Blog Admin - November 27th, 2011 at 4:31 pm

    Yes, that’s correct.
