ASA5505 basic lic-DMZ to outside access


I have a new 5505 with a Basic license, and I set up the DMZ as security level 50; inside to outside has no issues.

I restricted access from DMZ to inside (which satisfies the license limitation), but I should be able to access the internet (outside) from the DMZ, am I correct? But I can't.

I don't have ACLs and I have:

global (outside) 1 interface
nat (DMZ) 1 "DMZ subnet"

My understanding of the ASA and PIX is that this should work.

Am I doing anything wrong here? Please advise.

Collin Clark Thu, 10/01/2009 - 05:50

Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

Hope it helps.

Thanks for the post, this is the config:

I am not sure it needs an ACL to allow traffic out of the DMZ to outside when you have the "no forward interface vlan1" command. Interestingly though, I can see the DNS resolution in the browser's bottom bar when I try to go to a web site.

ASA Version 8.2(1)

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address 1xx.1xx.213.142

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 3

interface Ethernet0/2
 switchport access vlan 3

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns server-group DefaultDNS
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
nat (dmz) 1
route outside 1xx.15xx.213.129 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd address dmz
dhcpd dns interface dmz
dhcpd domain interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 message-length maximum 512

Collin Clark Fri, 10/02/2009 - 05:28

You do need an ACL on the DMZ interface.

access-list dmz_access extended permit tcp any any eq 80
access-list dmz_access extended permit tcp any any eq 443
access-list dmz_access extended permit udp any any eq 53
access-group dmz_access in interface dmz

Try adding this, try surfing the internet, and check the logs.

jdlampard Thu, 10/08/2009 - 12:16

I believe you're missing a global statement for the DMZ.

What does the log show?
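An added example, not from the thread or from Cisco: a small Python audit that applies the two checks raised in the replies above to a pasted ASA 8.2-style config, that every `nat` id has a matching `global` pool and that a VLAN carrying `no forward interface` has an inbound access-group applied. The sample configs are constructed from the posted one; the 192.0.2.0/24 and 198.51.100.0/24 subnets are placeholders for addresses the post elided.

```python
import re
# Added example, not part of the thread or a Cisco tool: audit an ASA 8.2-style
# config for the two points raised above (nat/global pairing, inbound ACL on the
# 'no forward interface' VLAN). Sample configs are constructed from the post;
# 192.0.2.0/24 and 198.51.100.0/24 are placeholders for the elided subnets.
ORIGINAL_CONFIG = """
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
global (outside) 1 interface
nat (inside) 1 198.51.100.0 255.255.255.0
nat (dmz) 1 192.0.2.0 255.255.255.0
"""
FIXED_CONFIG = ORIGINAL_CONFIG + """
access-list dmz_access extended permit tcp any any eq 80
access-list dmz_access extended permit tcp any any eq 443
access-list dmz_access extended permit udp any any eq 53
access-group dmz_access in interface dmz
"""
# Sub-commands that belong to an 'interface' block (forum pastes often lose indentation).
IFACE_SUBCMDS = ("nameif ", "security-level ", "ip address", "no forward", "switchport ", "shutdown")

def audit_asa_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # nat id -> global interface, nameif -> nat id, nameif -> inbound ACL, restricted nameifs
    global_ids, nat_ids, acl_bound, restricted = {}, {}, {}, set()
    no_forward = False  # true while inside an interface block that has 'no forward interface'
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("interface "):
            no_forward = False
        elif line.startswith(IFACE_SUBCMDS):
            no_forward = no_forward or line.startswith("no forward")
            if no_forward and line.startswith("nameif "):
                restricted.add(line.split()[1])
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            global_ids[int(m[2])] = m[1]
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nat_ids[m[1]] = int(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            acl_bound[m[2]] = m[1]
    for ifname, nat_id in nat_ids.items():
        if nat_id not in global_ids:
            findings.append(f"nat ({ifname}) {nat_id}: no global pool with id {nat_id}")
    for ifname in sorted(restricted):
        if ifname not in acl_bound:
            findings.append(f"{ifname}: restricted VLAN has no inbound access-group")
    return findings
```

Run against the two constructed configs, the original reports the missing dmz access-group and the fixed one reports nothing; a shared `global (outside) 1` satisfies both `nat ... 1` statements, which is the point the next reply makes.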

Hi, thanks for the reply. This customer installed an interim solution until they receive the Security Plus license.

But the single global statement is enough for both inside and dmz, isn't it?

global (outside) 1 interface
nat (inside) 1
nat (dmz) 1

When I get a chance to test this asa I will update the entry here.
