08-23-2013 09:08 AM - edited 03-11-2019 07:30 PM
I have a base license and created a DMZ vlan 3.
The problem I have is that I cannot communicate between my networks and I cannot get to the outside on vlan 3 (DMZ).
Ethernet0/0 outside
Ethernet0/1 inside Computer 1 10.200.1.248
Ethernet0/2 DMZ Computer 2 172.16.17.15
Ethernet0/3 inside Computer 3 10.200.1.249
Computer 3 can ping computer 1
Computer 1 cannot ping computer 3
Computer 2 cannot ping computers 1 and 3
Computers 1 and 3 cannot ping computer 2
interface Vlan1
nameif inside
security-level 100
ip address 10.200.1.241 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.17.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network DMZ_outside
access-list outside_access extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 0.0.0.0 0.0.0.0
static (DMZ,outside) 172.16.17.0 255.255.255.0 netmask 255.255.255.255
access-group outside_access in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.200.1.240 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 75.75.75.75
dhcpd auto_config outside
!
dhcpd address 10.200.1.242-10.200.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username rignetadmin password AJ8NEgTh4zmR7lck encrypted privilege 15
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:9b9d69fbcc9f7a38b081fac96038ae5e
: end
Thanks in advance for any help,
Bobby
08-23-2013 10:06 AM
You can create 3 VLANs when running a base license, but the 3rd VLAN will not be able to communicate with anything else. For this to work you need to upgrade to a Security Plus license.
If you issue the show version command you will see that the VLAN section of activated features says restricted... or something similar.
08-23-2013 10:49 AM
That I know. I thought traffic is restricted to vlan1 from the DMZ, but not from vlan1 to the DMZ.
Bobby
Here is an update:
disregard the communication of the computers.
I do have the DMZ access to the outside now.
But I do not have access from inside vlan1 to the DMZ vlan3.
Bobby
08-23-2013 10:59 AM
Unfortunately that is not the case. With the base license there can only be 2 active VLANs at any one time.
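Added example (not from the thread or from Cisco): a small Python parser for the interface blocks posted above that reports, for each direction, whether the 'no forward interface' restriction or the security levels stand in the way. It assumes an 8.2-style config and deliberately does not model NAT, ACLs or ICMP inspection, so "allowed" means only that neither of those two checks blocks the flow.

```python
"""Parse the interface blocks of an ASA 8.2-style config and explain which
flows the 'no forward interface' restriction (ASA 5505 base license) or the
security levels block. NAT, ACLs and inspection are not modelled (assumption)."""
import re

# Constructed sample: the three VLAN interfaces as posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
!
"""

def parse_interfaces(config):
    """Return {nameif: {"vlan": ..., "level": ..., "no_forward": set()}}."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:  # a new interface block starts
            cur = {"vlan": m.group(1), "level": None, "no_forward": set()}
        elif cur is None or line == "!":  # '!' closes the block
            cur = None
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            cur["no_forward"].add(line.split()[3])  # may not initiate to this VLAN
    return ifaces

def flow_verdict(ifaces, src, dst):
    """Verdict for a flow initiated on nameif src toward nameif dst."""
    s, d = ifaces[src], ifaces[dst]
    if d["vlan"] in s["no_forward"]:
        return "blocked: %s has 'no forward interface %s'" % (src, d["vlan"])
    if s["level"] > d["level"]:
        return "allowed: security-level %d to %d" % (s["level"], d["level"])
    return "needs inbound ACL on %s: security-level %d to %d" % (src, s["level"], d["level"])
```

Run `flow_verdict(parse_interfaces(open("running-config.txt").read()), "inside", "DMZ")` against a saved `show running-config` to check your own box; the DMZ-to-inside direction is the one the base license forbids.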