Setting up a honeypot on an ASA 5505

Unanswered Question
Jul 9th, 2010

I was wondering if I could get a bit of configuration advice to add a honeypot on my 5505 (10 user base license) in my home environment.

Currently I have default vlans 1 and 2 set up for inside and outside. I would like to set up vlan 3 with restricted traffic flow so it is completely segregated from my home network but is able to access the outside interface. It is my understanding that this can be done with the base license as long as vlan 3 has Restrict Traffic Flow enabled, correct?

My plan is to use vlan 3 for the honeypot. Will I have any problems being able to block all OUTBOUND traffic and allowing all INBOUND traffic to this vlan? Should the security level be set to 50 as if it were a DMZ, or should I set it at 0 to match my outbound interface?

Thanks for your help. I am brand new to the ASA. I have worked with a PIX 506E and came across the 5505 for a pretty good price so I decided to pick it up for the home and also so I can dive a little deeper into the FOS.

saiiven07 Sat, 07/10/2010 - 02:09


   Yes, you're right. You can create a 3rd VLAN with the BASE license, but the hosts on that VLAN will only be able to fully communicate with the hosts on the OUTSIDE interface and they won't be able to access your home network (INSIDE). In order to accomplish this, you'll also have to configure the "no forward interface Vlan1" command.

   As for the security level for that VLAN, I'd set it to 50 (like you offered) and block all OUTBOUND traffic and allow all INBOUND traffic to this vlan by using access-lists.
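The configuration the reply describes, written out as an added example (not part of the original thread): a third VLAN with the base-license "no forward" restriction toward Vlan1, security level 50, and an access-list that denies everything the honeypot tries to initiate. Interface numbers, the 192.168.3.0/24 subnet and the host address are constructed; the static NAT needed for Internet-initiated connections to reach the honeypot is version-dependent (8.2 vs 8.3+ syntax) and is left out.

```cisco
! --- Honeypot VLAN (3rd VLAN on a 5505 base license) ---
! "no forward interface Vlan1" must be entered BEFORE nameif,
! otherwise the base license rejects the third named interface.
interface Vlan3
 no forward interface Vlan1
 nameif honeypot
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Put one switch port into the honeypot VLAN (port is constructed)
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! --- Block everything the honeypot itself initiates ---
! The ACL is applied in the inbound direction of the honeypot
! interface, i.e. to packets arriving FROM the honeypot host.
! Return traffic for connections that the Internet opened toward the
! honeypot is still allowed by the stateful inspection, so the deny
! only stops outbound-initiated sessions. "log" records each attempt,
! which is the interesting part of a honeypot.
access-list HONEYPOT_OUT extended deny ip any any log
access-group HONEYPOT_OUT in interface honeypot
!
! --- Allow inbound from the Internet to the honeypot host ---
! Traffic from security-level 0 to 50 is denied by default, so it has
! to be permitted explicitly on the outside interface. 192.168.3.10 is
! the constructed honeypot host; a matching static NAT entry is assumed.
access-list OUTSIDE_IN extended permit ip any host 192.168.3.10
access-group OUTSIDE_IN in interface outside
```

Verify with "show access-list HONEYPOT_OUT" after a few minutes: the hit count on the deny line shows what the honeypot host is trying to reach, and "show interface Vlan3" should list no forwarding toward Vlan1.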

