ASA5505 basic lic-DMZ to outside access

asoka (Level 1)

I have a new 5505 with a Basic license, and I set up the DMZ as security level 50; inside to outside has no issues.

I restricted access from the DMZ to inside (that satisfies the license limitation), but I should be able to access the internet (outside) from the DMZ, am I correct? But I can't.

I don't have ACLs, and I have

global (outside) 1 with interface

nat (DMZ) 1 with "DMZ subnet"

My understanding of the ASA and PIX is that this should work.

Am I doing anything wrong here? Please advise.

9 Replies

indra (Level 1)

It must be the ACL. How are you restricting access from the DMZ to inside? There must be an ACL on the DMZ interface to restrict traffic, if I am not wrong. Allow traffic there towards the internet and you will be all set to go.

Collin Clark (VIP Alumni)

Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#ThirdVLAN

Hope it helps.

Thanks for the quick post. I read all about it, but I don't know if the

no forward interface vlan

command prevents forwarding packets to the outside interface; my restricted interface would be from the DMZ to inside.

Because I don't have an ACL configured, I would assume traffic should be allowed from the DMZ to outside, is that so?

Can you post your config and a show version?

Assuming you have this configuration:

interface vlan1
 nameif inside
interface vlan2
 nameif outside
interface vlan3
 nameif DMZ

If you want the DMZ to have Internet, but no access to inside, then you configure it this way:

interface vlan3
 nameif DMZ
 no forward interface vlan1

It wasn't clear if that's what you did or not...

Thanks for the post, this is the config.

I am not sure it needs an ACL to allow traffic out of the DMZ to outside when you have the "no forward interface vlan1" command. Interestingly though, I can see the DNS resolution in the browser bottom bar when I try to go to a web site.

ASA Version 8.2(1)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1xx.1xx.213.142 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name tagitmobile.com
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1xx.15xx.213.129 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
dhcpd address 192.168.3.10-192.168.3.31 dmz
dhcpd dns 203.116.1.78 203.116.1.94 interface dmz
dhcpd domain tagitmobile.com interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

You do need an ACL on the DMZ interface.

access-list dmz_access extended permit tcp any any eq 80
access-list dmz_access extended permit tcp any any eq 443
access-list dmz_access extended permit udp any any eq 53
access-group dmz_access in interface dmz

Try adding this, try surfing the internet, and check the logs.

jdlampard (Level 1)

I believe you're missing a global statement for the DMZ.

What does the log show?

Hi, thanks for the reply. This customer installed an interim solution until they receive the Security Plus license.

But the single global statement is enough for both inside and dmz, isn't it?

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

When I get a chance to test this asa I will update the entry here.
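The thread leaves three questions open: whether `no forward interface Vlan1` on the third VLAN blocks anything other than DMZ-initiated traffic towards inside, whether a DMZ interface with no `access-group` applied needs an ACL to reach a lower-security interface, and whether one `global (outside) 1 interface` is enough for both `nat (...) 1` statements. The script below is an added example for this thread, not Cisco's code and not something any poster wrote. It models only the four checks the thread turns on as an ASA 8.2 applies them to a new connection: the Base-license `no forward interface` restriction, the security-level default (higher to lower permitted with no ACL, lower to higher denied, equal levels need `same-security-traffic permit inter-interface`), an inbound access-group replacing that default with first-match and implicit deny, and classic nat/global pairing, where a matching `nat` on the ingress interface requires a `global` with the same id on the egress interface or the packet is dropped with "no translation group found". The config string is constructed to mirror the posted one with the addresses left out; the function names and the reason strings are this example's own.

```python
"""Model of the checks an ASA 8.2 applies before a connection initiated on one
interface may reach another.  Added for this thread; not Cisco's code.  Only the
rules the thread turns on are modelled (no forward interface, security levels,
an inbound access-group, classic nat/global).  The config is constructed."""
import re

CONSTRUCTED_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""


def parse_config(text):
    """Pull out the handful of statements the forwarding decision depends on."""
    cfg = {"ifaces": {}, "nat": {}, "global": {}, "acl": {}, "access_group": {},
           "nat_control": False, "same_sec": False}
    cur = None  # the 'interface VlanN' block currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            m = re.match(r"interface (Vlan\d+)$", line)
            cur = {"vlan": m.group(1), "no_forward": set(), "security": 0} if m else None
        elif cur and (m := re.match(r"nameif (\S+)$", line)):
            cfg["ifaces"][m.group(1)] = cur
        elif cur and (m := re.match(r"security-level (\d+)$", line)):
            cur["security"] = int(m.group(1))
        elif cur and (m := re.match(r"no forward interface (Vlan\d+)$", line)):
            cur["no_forward"].add(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].setdefault(m.group(2), set()).add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            cfg["nat"].setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\d+))?$", line):
            port = int(m.group(4)) if m.group(4) else None
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3), port))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["access_group"][m.group(2)] = m.group(1)
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
    return cfg


def evaluate(cfg, src, dst, proto="tcp", dport=80):
    """Return (allowed, reason) for a connection initiated on `src` towards `dst`."""
    s, d = cfg["ifaces"][src], cfg["ifaces"][dst]
    # 1. Base license: the third VLAN may not *initiate* towards the VLAN named in
    #    its 'no forward interface'; connections the other way are not affected.
    if d["vlan"] in s["no_forward"]:
        return False, f"{src} may not initiate to {dst}: no forward interface {d['vlan']}"
    # 2. An inbound access-group on the ingress interface replaces the level default:
    #    first match wins, and the list ends with an implicit deny.
    acl = cfg["access_group"].get(src)
    if acl:
        for action, p, port in cfg["acl"].get(acl, []):
            if p in (proto, "ip") and port in (None, dport):
                if action == "deny":
                    return False, f"{acl} denies {proto}/{dport}"
                break
        else:
            return False, f"{acl} has no permit for {proto}/{dport} (implicit deny)"
    # 3. No ACL: higher to lower security is allowed by default, lower to higher is
    #    not, and equal levels need 'same-security-traffic permit inter-interface'.
    elif s["security"] < d["security"]:
        return False, f"{src} ({s['security']}) to {dst} ({d['security']}) needs an inbound ACL"
    elif s["security"] == d["security"] and not cfg["same_sec"]:
        return False, "equal security levels need same-security-traffic permit inter-interface"
    # 4. Classic NAT: once a nat rule on the ingress matches, a global with the same id
    #    must exist on the egress or the packet is dropped ('no translation group found').
    ids = cfg["nat"].get(src, [])
    for nat_id in ids:
        if dst in cfg["global"].get(nat_id, ()):
            return True, f"permitted, translated via global ({dst}) {nat_id}"
    if ids:
        return False, f"nat ({src}) id {ids[0]} has no global ({dst}) {ids[0]}"
    if cfg["nat_control"]:
        return False, "nat-control is on and no nat rule matches"
    return True, "permitted, no translation"


if __name__ == "__main__":
    cfg = parse_config(CONSTRUCTED_CONFIG)
    for src, dst in [("dmz", "outside"), ("dmz", "inside"), ("inside", "dmz"), ("outside", "dmz")]:
        print(f"{src:>7} -> {dst:<7}", *evaluate(cfg, src, dst))
```

Run against the constructed config, dmz to outside comes out permitted (50 to 0 with no access-group, PAT through `global (outside) 1`), dmz to inside is refused by the `no forward interface Vlan1` check before anything else is consulted, and inside to dmz fails on the NAT step because `nat (inside) 1` has no `global (dmz) 1` to pair with; appending `global (dmz) 1 interface` (or a static identity translation) to the config flips that last result. Appending the `dmz_access` list from earlier in the thread shows the access-group behaviour: tcp/80, tcp/443 and udp/53 pass, anything else from the dmz hits the implicit deny, so such an ACL restricts the DMZ rather than enabling it.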
