10-01-2009 03:43 AM - edited 03-11-2019 09:21 AM
I have a new 5505 with basic license, and I set up the DMZ as security level 50; inside to outside has no issues.
I restricted access from DMZ to inside (that satisfies the license limitation), but I should be able to access the internet (outside) from the DMZ, am I correct? But I can't.
I don't have ACLs and I have
global (outside) 1 with interface
nat (DMZ) 1 with "DMZ subnet"
My understanding of the ASA and PIX is that this should work.
Am I doing anything wrong here? Please advise.
10-01-2009 05:33 AM
It must be the ACL: how are you restricting access from DMZ to inside? There must be an ACL on the DMZ interface to restrict traffic, if I am not wrong. Allow traffic there towards the internet and you will be all set to go.
10-01-2009 05:50 AM
Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.
Hope it helps.
10-01-2009 06:28 AM
Thanks for the quick post. I read all about it, but I don't know if the
no forward interface vlan command
prevents forwarding packets to the outside interface; my restricted interface would be from DMZ to inside.
Because I don't have an ACL configured, I would assume traffic should be allowed from DMZ to outside, is that so?
10-01-2009 07:58 AM
Can you post your config and a show version?
10-01-2009 03:41 PM
Assuming you have this configuration:
interface vlan1
nameif inside
interface vlan2
nameif outside
interface vlan3
nameif DMZ
If you want the DMZ to have Internet, but no access to inside, then you configure it this way:
interface vlan3
nameif DMZ
no forward interface vlan1
It wasn't clear if that's what you did or not...
10-01-2009 08:01 PM
Thanks for the post, this is the config.
I am not sure it needs an ACL to allow traffic out of DMZ to outside when you have the "no forward interface vlan1" command; interestingly though, I can see the DNS resolution in the browser's bottom bar when I try to go to a web site.
ASA Version 8.2(1)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1xx.1xx.213.142 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name tagitmobile.com
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1xx.15xx.213.129 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
dhcpd address 192.168.3.10-192.168.3.31 dmz
dhcpd dns 203.116.1.78 203.116.1.94 interface dmz
dhcpd domain tagitmobile.com interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
10-02-2009 05:28 AM
You do need an ACL on the DMZ interface.
access-list dmz_access extended permit tcp any any eq 80
access-list dmz_access extended permit tcp any any eq 443
access-list dmz_access extended permit udp any any eq 53
access-group dmz_access in interface dmz
Try adding this, try surfing the internet, and check the logs.
10-08-2009 12:16 PM
I believe you're missing a global statement for the DMZ.
What does the log show??
10-08-2009 07:35 PM
Hi, thanks for the reply. This customer installed an interim solution until they receive the Security Plus license.
But the single global statement is enough for both inside and DMZ, isn't it?
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
When I get a chance to test this asa I will update the entry here.
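A small checker, added here and not from any poster in this thread, that parses a constructed subset of the config above and reports for an interface pair the three things the replies argue about: the "no forward interface" restriction, whether an inbound ACL is applied or the security-level default decides, and whether the nat id on the source interface has a matching global on the exit interface. It assumes the ASA 8.2 default that traffic from a higher security level to a lower one is permitted without an ACL; the function and variable names are mine.

```python
import re
# Constructed subset of the ASA 8.2 config posted in this thread (addresses omitted).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
"""
def parse_config(cfg):
    """Interfaces keyed by nameif, nat id per interface, global ids, applied ACLs."""
    ifaces, cur, nat, glob, acl_on = {}, None, {}, {}, {}
    for s in map(str.strip, cfg.splitlines()):
        if s.startswith("interface "):
            cur = {"vlan": s.split()[1], "level": None, "no_forward": []}
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur  # 'no forward interface' may precede nameif
        elif cur is not None and s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif cur is not None and s.startswith("no forward interface "):
            cur["no_forward"].append(s.split()[3])
        elif (m := re.match(r"nat \((\S+)\) (\d+) ", s)):
            nat[m.group(1)] = int(m.group(2))
        elif (m := re.match(r"global \((\S+)\) (\d+) ", s)):
            glob[int(m.group(2))] = m.group(1)
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", s)):
            acl_on[m.group(2)] = m.group(1)
    return ifaces, nat, glob, acl_on

def assess(cfg, src, dst):
    """List what the config says about connections initiated on src toward dst."""
    ifaces, nat, glob, acl_on = parse_config(cfg)
    s, d, out = ifaces[src], ifaces[dst], []
    if d["vlan"] in s["no_forward"]:
        out.append(f"blocked: 'no forward interface {d['vlan']}' on {src}")
    if src in acl_on:
        out.append(f"filtered by access-list {acl_on[src]} applied inbound on {src}")
    else:  # ASA default: higher to lower security level is permitted, the reverse is not
        verdict = "allowed" if s["level"] > d["level"] else "blocked"
        out.append(f"{verdict} by default: {src}({s['level']}) to {dst}({d['level']}), no ACL on {src}")
    if src in nat and glob.get(nat[src]) == dst:  # dynamic PAT pairing for this exit interface
        out.append(f"translated: nat ({src}) {nat[src]} pairs with global ({dst}) {nat[src]}")
    return out
```

Run assess(SAMPLE_CONFIG, "dmz", "inside") and assess(SAMPLE_CONFIG, "dmz", "outside") to see the two paths the thread compares; append an access-group line to the config to see the ACL take over from the security-level default.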