Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco ASA 5505

I have a Cisco ASA 5505 as im trying to set up with the following scenario:

I need eth0/0 - Outside that get its IP from a DCHP withing my ISP’s net

Then I need eth0/3 - Inside that run DHCP – with normal Internet access and normal LAN access. This should use eth0/3 through eth0/8 since the last two Ethernet ports has PoE. This way I can use the last two ports for the Cisco WIFI radios with PoE within my LAN. Third I need a eth0/2 – DMZ on the net where I can host two servers. One TS3 server with port forwarding : Default voice port (UDP): 9987, Default filetransfer port (TCP): 30033,
Default serverquery port (TCP): 10011
. And a BHD server with port forwarding Default game port (UDP): 17479, Remote adminport (UDP): 31000.

I don’t have much experience with ASA but I know how to “paste” a config into the consol (Telnet) and I have checking around a bit in the ASDM (without luck in this scenario). Is there anyone that can help me out in this matter?


Re: Cisco ASA 5505


You're talking about using three interfaces on the ASA 5505.

If the ASA has a base license you only have 2 real interfaces (inside and outside), you do have a DMZ but limited.

If the ASA has a security plus license, then you can fully use the 3 interfaces.

The ASA 5505 works with VLANs, so you group the physical ports into the appropiate VLAN, where the VLANs are the actual interfaces (outside, inside and DMZ).


Community Member

Re: Cisco ASA 5505

The ASA has a security plus license so this isnt the issue. The issue is that i really aint into the ASA quite yet. Im concentrating on swithes for now so i need help to set up the ASA. Dunno where else to turn...

Re: Cisco ASA 5505

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

interface vlan 1
nameif inside
security-level 100
ip address 192.168.1.x

interface vlan 3
nameif dmz
security-level 50
ip address 10.1.1.x

interface fas0
no shut
switchport vlan 2

interface fas1
no shut
switchport vlan 1

interface fas2
no shut
switchport vlan 3

To create access-lists and NAT and apply it to the correct interfaces as well.

The above is to get you started.


Community Member

Re: Cisco ASA 5505

Thank you very much Federico.

Just one more question, the interface fas1 command? this i am unfamiliar with, I thought it should be interface eth0/x.

Can u explain this command for me?

Community Member

Re: Cisco ASA 5505

Okei, i used the interface eth0/x and i now have managed to get inside, outside and DMZ interfaces to work. I've got normal internet access from both inside and DMZ. Now i need to make the rules for the port forwarding on the DMZ interface. Should i use NAT, PAT or ACL for this?

Re: Cisco ASA 5505

For the rules to the DMZ...

For traffic coming from the outside to DMZ, you require a static NAT and ACL:

static (dmz,out) public_IP real_IP

access-list outside permit ....

access-group outside in interface outside

For outbound traffic from DMZ, is permitted by default, so there's no need for ACL.

However, if you need to send traffic from DMZ to inside, you require an ACL.

This is because trafic from a higher-security flows to a lower-security by default but the other way around requires an ACL.


CreatePlease to create content