need a good robust ASA5505 basic license config including DMZ

asoka
Level 1

Hi, I'm looking for a good config for an ASA5505 with a DMZ, but on the basic license. No access from DMZ to inside.

3 Replies

mkharban
Level 1

Hi,

Please try the following (I am assuming that the DMZ VLAN is VLAN 3 and the DMZ physical interface is interface 3; kindly make the necessary adjustments. Also, in the sample configuration the inside interface is VLAN 1 and the outside interface is VLAN 2):

interface vlan 3
 no forward interface vlan 1
 nameif DMZ
 security-level 50
 ip address x.x.x.x y.y.y.y
!
interface ethernet 0/3
 switchport access vlan 3
 no shutdown
!
nat (DMZ) 1 0 0
global (outside) 1 interface

Please find below the link explaining the no forward interface command:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819

Hope this helps!

Thanks,

Manish

Hi Manish, thanks for the post, but I have a problem with initiating traffic to the Internet side too when I restrict traffic from DMZ to inside.

Do I need an ACL to allow traffic from DMZ to outside with no forward interface vlan xx?

And, this customer will buy a Sec+ license to have more granular access control between his 5 sections; it would be much appreciated if anyone could suggest a good VLAN-separated config for the 5505 Sec+ too.

Hi,

We would not require any ACL for passing traffic from DMZ to the Internet unless there is an ACL already applied. In case there is, please add the following line to the same:

access-list test permit ip any any

Also, please make sure that the nat and global configuration is fine.
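The two replies above rest on three conditions: the third VLAN on a base-license 5505 must carry "no forward interface" towards the inside VLAN (and it must appear before nameif), the DMZ needs a nat statement whose id pairs with a global on the outside interface, and any ACL already applied inbound on the DMZ must still permit outbound traffic. The following Python script is an added example, not code from either poster or from Cisco: it embeds a constructed pre-8.3 ASA 5505 configuration (hypothetical addresses, interface names inside/outside/DMZ, ACL name DMZ_IN) and audits those three conditions, then shows the same audit flagging the config with the no forward line removed.

```python
"""Audit a saved pre-8.3 ASA 5505 base-license config for an isolated DMZ.

Added example (not from the thread). Checks:
  1. the DMZ VLAN has 'no forward interface <inside VLAN>' before its nameif,
  2. a 'nat (DMZ) <id>' statement pairs with a 'global (outside) <id>',
  3. an ACL applied inbound on the DMZ (if any) still permits outbound traffic.
"""
import re

# Constructed sample config: inside = Vlan1, outside = Vlan2, DMZ = Vlan3.
# Addresses and the ACL name DMZ_IN are hypothetical.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 switchport access vlan 3
 no shutdown
!
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)


def parse_interfaces(cfg):
    """Return {nameif: {iface, no_forward, security, forward_before_nameif}}."""
    ifaces, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:  # start of an interface block
            current = {"iface": m.group(1), "nameif": None, "no_forward": [],
                       "security": None, "forward_before_nameif": True}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # unindented line: we left the interface block
            continue
        if line.lower().startswith("no forward interface "):
            current["no_forward"].append(line.split()[-1])
            if current["nameif"] is not None:  # ASA requires it before nameif
                current["forward_before_nameif"] = False
        elif line.lower().startswith("nameif "):
            current["nameif"] = line.split()[1]
            ifaces[current["nameif"]] = current
        elif line.lower().startswith("security-level "):
            current["security"] = int(line.split()[1])
    return ifaces


def dmz_isolated(ifaces, dmz="DMZ", inside="inside"):
    """Base-license rule: DMZ VLAN blocks forwarding to the inside VLAN."""
    d, i = ifaces.get(dmz), ifaces.get(inside)
    if d is None or i is None:
        return False
    blocked = {v.lower() for v in d["no_forward"]}
    return i["iface"].lower() in blocked and d["forward_before_nameif"]


def nat_ids(cfg):
    """Map interface name -> set of NAT ids from 'nat (name) id ...' lines."""
    ids = {}
    for m in re.finditer(r"^nat \((\S+)\) (\d+)", cfg, re.M):
        ids.setdefault(m.group(1), set()).add(int(m.group(2)))
    return ids


def global_ids(cfg, outside="outside"):
    pat = r"^global \(%s\) (\d+)" % re.escape(outside)
    return {int(m.group(1)) for m in re.finditer(pat, cfg, re.M)}


def dmz_can_reach_internet(cfg, dmz="DMZ", outside="outside"):
    """PAT only works when a nat id on the DMZ matches a global id on outside."""
    return bool(nat_ids(cfg).get(dmz, set()) & global_ids(cfg, outside))


def acl_allows_outbound(cfg, dmz="DMZ"):
    """No inbound ACL on the DMZ: higher-to-lower traffic flows by default.
    With one applied, it needs an explicit permit (here 'permit ip any any')."""
    m = re.search(r"^access-group (\S+) in interface %s$" % re.escape(dmz), cfg, re.M)
    if m is None:
        return True
    pat = r"^access-list %s (?:extended )?permit ip any any" % re.escape(m.group(1))
    return re.search(pat, cfg, re.M) is not None


def audit(cfg, dmz="DMZ", inside="inside", outside="outside"):
    ifaces = parse_interfaces(cfg)
    return {
        "dmz_cannot_reach_inside": dmz_isolated(ifaces, dmz, inside),
        "dmz_nat_to_outside": dmz_can_reach_internet(cfg, dmz, outside),
        "dmz_acl_permits_outbound": acl_allows_outbound(cfg, dmz),
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print("PASS" if ok else "FAIL", check)
    # Same config with the base-license restriction left out: first check fails
    broken = SAMPLE_CONFIG.replace(" no forward interface Vlan1\n", "")
    print(audit(broken))
```

The script reads a saved configuration rather than talking to the firewall, so it can be run against the output of "show running-config" copied from any 5505; the interface names are parameters because nameif values differ between deployments.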
