need a good robust ASA5505 basic license config including DMZ

mkharban Fri, 11/06/2009 - 09:42

Hi,


Please try the following (I am assuming that the DMZ VLAN is vlan 3 and the DMZ physical interface is interface 3; kindly make the necessary adjustments. Also, in the sample configuration the inside interface is vlan 1 and the outside interface is vlan 2):


! DMZ VLAN: "no forward interface" must be entered before "nameif";
! nameif and security-level are needed for the nat (DMZ) line below
int vlan 3
no forward interface vlan 1
nameif DMZ
security-level 50
ip address x.x.x.x y.y.y.y

! Assign the DMZ physical port to VLAN 3
int ethernet 0/3
switchport access vlan 3

! PAT DMZ hosts behind the outside interface address
nat (DMZ) 1 0 0
global (outside) 1 interface


Please find below the link explaining the no forward interface command:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819


Hope this helps!


Thanks,

Manish



Hi Manish, thanks for the post, but I have a problem with initiating traffic to the Internet side too; I restrict traffic from DMZ to inside.


Do I need an ACL to allow traffic from DMZ to outside with no forward interface vlan xx?


And, this customer will buy a sec+ license to have more granular access control between his 5 sections; it would be much appreciated if anyone could suggest a good VLAN-separated config for the 5505 with sec+ too.

mkharban Tue, 11/10/2009 - 09:24

Hi,

We would not require any ACL for passing traffic from DMZ to the Internet unless there is an ACL already applied. In case there is, please add the following line to it:

access-list test permit ip any any


Also, please make sure that the nat and global configuration is fine.

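As an added example (not part of either post above), a fuller base-license layout that ties Manish's snippet together with the ACL point from the second reply. The addresses, interface names and the DMZ host 192.168.3.10 are assumed values; the DMZ ACL shows what must be permitted explicitly once any ACL is applied to that interface.

```cisco
! Base license ASA 5505: three VLANs; the third VLAN is restricted from
! initiating traffic to one of the other two via "no forward interface".
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface vlan 3
 no forward interface vlan 1
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface ethernet 0/0
 switchport access vlan 2
!
interface ethernet 0/3
 switchport access vlan 3
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT inside and DMZ hosts behind the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
!
! Publish the (assumed) DMZ web server with static PAT; only HTTP is
! allowed in from the Internet
static (DMZ,outside) tcp interface 80 192.168.3.10 80 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any interface outside eq 80
access-group OUTSIDE_IN in interface outside
!
! Once an ACL is applied to the DMZ, the implicit higher-to-lower permit
! no longer applies, so DMZ-to-Internet must be permitted explicitly.
! The deny to inside is redundant under the base license (no forward
! interface already blocks it) but documents intent and still holds
! after a license upgrade removes that restriction.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ
```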
