ASA 5505 without Security Plus license, setting up DMZ and/or server access

Jul 1st, 2009

Hi all --

A brief rundown of what I'm trying to do: An ASA 5505 without the security license sits in front of our office network. We have a block of five IPs from our ISP.

We need to allow relatively liberal access from outside to one server via three of the IP addresses.

We also need to eventually provide restricted access to one server on the inside network.

For now, since we don't have the security plus license, I've put the 3 IP server on the inside network and have tried to allow traffic to that box (see attached rule) but haven't been successful.

If anyone sees obvious issues with how I'm trying to set this up, or has suggestions on a more appropriate approach, your help would be appreciated.

I'm not a networking/router guy so I'm hoping that someone can point me in the right direction here. Thanks!

Collin Clark Wed, 07/01/2009 - 11:16

I don't use the GUI, but I can tell you the CLI configuration. You can paste these in via ASDM though.

static (inside,outside) tcp public_ip 80 private_ip 80 netmask 255.255.255.255

Then you will need to allow the port in your ACL that is applied to your outside interface.

access-list outside_access ext permit tcp any host public_ip eq 80

These statements allow HTTP traffic, so you'll need to change them to fit your application.

Hope that helps.

emillerpdx Thu, 07/02/2009 - 08:06

Thanks for the tips! I'll give it a shot.

Just to make sure I understand this, it looks like they'd allow port 80 traffic on any inbound IP to pass through to a machine on the inside VLAN. If I want to restrict it to certain IPs bound to certain internal machines, I'd need to do additional rules...


Collin Clark Thu, 07/02/2009 - 08:08

You can alter the ACL. Let's say you only want the address of to access the webserver. The ACL would look like this-

access-list outside_access ext permit tcp host <allowed_source_ip> host public_ip eq 80

emillerpdx Thu, 07/02/2009 - 08:14

If I'm understanding that ACL rule, it means "allow requests to from outside".

Or I could read it could mean "allow requests from to pass through on port 80 to whatever machine on the inside VLAN it wants."

Thanks for the clarification, I'm still wrapping my head around ACLs...

Collin Clark Thu, 07/02/2009 - 08:21

Think of it this way. The static creates the road for travel. In this case we build a road from the public IP to the private IP on interstate (port) 80. Now we add the ACL which is the cops on the road. In the previous example, the cops only allow to get on the road to travel to the inside IP.

The static does not allow access to all servers on the inside, just the one in the static command. The ACL reading always has source IP first, then destination IP, followed by the port.
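Putting the two halves of this thread together (the static plus ACL from the first reply, and the source-restricted ACL from the follow-up), here is a complete configuration for the original poster's scenario. This is an added example, not Collin's or the poster's configuration. It assumes the pre-8.3 ASA syntax used in the thread and constructed RFC 5737 addresses: an ISP block with usable addresses 198.51.100.11 to 198.51.100.14, the public web server at 192.168.1.10 on the inside, a second inside server at 192.168.1.20, and one external partner address 203.0.113.25 that is the only host allowed to reach it.

```cisco
! Added example, not from the thread. Constructed addresses (RFC 5737):
!   public IPs 198.51.100.11-.13 -> web server 192.168.1.10 (liberal access, port 80)
!   public IP  198.51.100.14     -> second server 192.168.1.20 (only from 203.0.113.25, port 443)

! --- the road: one static per public IP, limited to the single port needed ---
static (inside,outside) tcp 198.51.100.11 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.12 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.13 80 192.168.1.10 80 netmask 255.255.255.255

! --- restricted server: translated on 443 only; the ACL below decides who may use it ---
static (inside,outside) tcp 198.51.100.14 443 192.168.1.20 443 netmask 255.255.255.255

! --- the cops: read each line as source, then destination, then port ---
! "any" source is what makes the web server's access liberal
access-list outside_access extended permit tcp any host 198.51.100.11 eq 80
access-list outside_access extended permit tcp any host 198.51.100.12 eq 80
access-list outside_access extended permit tcp any host 198.51.100.13 eq 80
! a single "host" source is what restricts the second server to one partner address
access-list outside_access extended permit tcp host 203.0.113.25 host 198.51.100.14 eq 443
! anything not matched above is dropped by the implicit deny at the end of the ACL

! the ACL does nothing until it is applied inbound on the outside interface
access-group outside_access in interface outside
```

Two checks are worth running after pasting this in: `show xlate` should list the four translations, and `packet-tracer input outside tcp 203.0.113.25 40000 198.51.100.14 443` walks a simulated packet through the NAT and ACL phases and reports whether it is allowed, which is the quickest way to see which line is blocking a connection. The `static` keyword form shown here was replaced in ASA 8.3 by object NAT (`object network` with a `nat (inside,outside) static` line), and from that release onward the ACL must reference the server's real private IP rather than the public one; if the ASDM version in use is newer than the thread, that is the first thing to check.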
