Cisco Support Community
New Member

ASA5505 and DMZ

I am very familiar with the PIX, but new to ASA5500s.

I have a company that is looking to have a DMZ with mail, and web servers. The connection to the Net is a T1.

In the PIX days, I had no choice but to use a 515 with DMZ.

My understanding now is that I can have this on an ASA5505 with the Security Plus option to have a DMZ.


1. Is this the right assumption that I can get an ASA5505 with Security Plus for a full DMZ?

2. How many DMZ interfaces? I really only need one, and would put a switch behind it.

3. Does the ASA5505 allow VPN tunnels to be established to it, and also allow Internet access through the same interface? I know in the PIX, that was not allowed.


New Member

Re: ASA5505 and DMZ

Well, I know that Security Plus allows you to have a DMZ, but I'm not 100% that you can have DMZs.

I have an ASA5505-50-BUN-K9 running with 3 VPN tunnels, and all my users can use the Internet at the same time with no problem.

Cisco Employee

Re: ASA5505 and DMZ

Hi -

Let me try to help.

Q1 - Yes

Q2 - Security Plus license provides 20 VLAN interfaces. If you use 1 for outside, 1 for inside, that leaves you 18 left to do what you'd like to. Obviously, you would need to trunk to a switch to use more VLANs than the included 8 interfaces.

Q3 - Yes, so does the PIX. Both the ASA and the PIX need "same security level traffic" enabled. The ASA/PIX code denies traffic between the same security level by default, which is the case when VPN users attempt to hairpin and go back to the Internet through the same interface they terminate on.

Let us know if you have follow-up questions.
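
The setup discussed in this thread, sketched as an added configuration example that is not from any of the posters: one DMZ VLAN on an ASA 5505 plus the hairpin setting from Q3. All addresses, VLAN numbers, port assignments and the pool name VPNPOOL are constructed, and the NAT lines assume a Security Plus license and ASA software using the pre-8.3 `nat`/`global` syntax.

```cisco
! Constructed example: addresses, VLAN numbers, ports and the pool name
! VPNPOOL are assumptions, not values from the thread.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Single DMZ VLAN for the mail and web servers. At level 50 the DMZ
! hosts cannot open connections to inside (level 100) unless an ACL
! applied to the dmz interface explicitly permits them.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Map physical switch ports to VLANs; the DMZ port feeds the DMZ switch.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
! Address pool handed to remote-access VPN clients.
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! Hairpin: let traffic enter and leave through the same interface, so
! VPN clients terminating on outside can go back out to the Internet.
! Without this line the ASA drops that traffic by default.
same-security-traffic permit intra-interface
!
! PAT both inside users and hairpinned VPN clients to the outside address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0
```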


