Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5505 dmz newbie

Can't seem to figure out how to build a DMZ for our webserver. All trafic gets denied by the default incoming rule.

I want all incoming http/80 requests to the external ip ( for now) to be forwarded to the www-server in the dmz

I think i have the address translation up and running but no matter what incoming firewall rule i create, trafic gets blocked. I must be missing something obvious here..... any ideas:

ASA Version 8.0(3)


hostname *

domain-name *

enable password *



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


interface Vlan3

nameif dmz-office

security-level 50

ip address


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5

switchport access vlan 3


interface Ethernet0/6


interface Ethernet0/7


passwd encrypted

ftp mode passive

dns server-group DefaultDNS


object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside-acl extended permit tcp any host eq www

access-list outside_access_in extended permit tcp any host eq www

access-list l2l_list extended permit ip host host

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz-office 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1

static (outside,inside) tcp www www netmask

static (dmz-office,inside) netmask

static (inside,dmz-office) netmask

access-group outside_access_in in interface outside


Re: ASA 5505 dmz newbie


Give the following command for natting the ip to

static(dmz,outside) netmask

New Member

Re: ASA 5505 dmz newbie

Does the nat routing between the VLAN's have to be up and running correctly before I use the packet tracer in the ADSM to see what packets are accepted and/or droped?

It seems like everything gets drop but the default rule

CreatePlease to create content