ASA5505 and DMZ

Jun 9th, 2007

I am very familiar with the PIX, but new to ASA5500's.

I have a company that is looking to have a DMZ with mail and web servers. The connection to the Net is a T1.

In the PIX days, I had no choice but to use a 515 with a DMZ.

My understanding now is that I can have this on an ASA5505 with the Security Plus option to have a DMZ.


1. Is this the right assumption that I can get an ASA5505 with Security Plus for a full DMZ?

2. How many DMZ interfaces? I really only need one and would put a switch behind it.

3. Does the ASA5505 allow VPN tunnels to be established to it, and also allow Internet access through the same interface? I know in the PIX, that was not allowed.


Rodrigo Gurriti Sat, 06/09/2007 - 17:02

Well, I know that Security Plus allows you to have a DMZ, but I'm not 100% sure that you can have multiple DMZs.

I have an ASA5505-50-BUN-K9 running with 3 VPN tunnels; all my users can use the internet at the same time with no problem.

pcomeaux Sun, 06/10/2007 - 05:13

Hi -

Let me try to help.

Q1 - Yes

Q2 - The Security Plus license provides 20 VLAN interfaces. If you use 1 for outside and 1 for inside, that leaves 18 to do what you'd like with. Obviously, you would need to trunk to a switch to use more VLANs than the included 8 interfaces.

Q3 - Yes, and so does the PIX. Both the ASA and the PIX need "same security level traffic" enabled. The ASA/PIX code denies traffic between the same security level by default, which is the case when VPN users attempt to hairpin and go back to the internet through the same interface they terminate on.

Let us know if you have follow-up questions.
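As an added example (not from any post in this thread), here is a hypothetical ASA 5505 configuration fragment showing the DMZ VLAN interface discussed in Q2 and the same-security-level setting from Q3; a Security Plus license is assumed, and all VLAN numbers, port assignments and addresses are constructed.

```cisco
! Hypothetical ASA 5505 fragment; addresses and VLAN numbers are constructed.
! Third VLAN interface used as the DMZ, with a security level between
! inside (100) and outside (0) so it is trusted less than the LAN.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Put one switchport in the DMZ VLAN; a switch for the mail and web
! servers hangs off this port.
interface Ethernet0/2
 switchport access vlan 3
!
! By default the ASA drops traffic that enters and leaves the same
! interface, which is exactly what happens when remote-access VPN users
! terminating on outside send Internet-bound traffic back out outside.
! This single line permits that hairpin:
same-security-traffic permit intra-interface
!
! Not needed for hairpinning. Only required when two different
! interfaces share a security level and must pass traffic:
! same-security-traffic permit inter-interface
!
! Verify the setting took effect:
! show running-config same-security-traffic
```

Hairpinned VPN traffic still needs a NAT rule for the VPN pool on the outside interface, whose syntax depends on the ASA software version, so it is left out here.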
