Cisco Support Community

asa5505 dmz connection


I have an ASA5505, connected to the WAN on port 0 (called Vlan2) and to my development LAN on port 7 (called Vlan1).

I want to add a DMZ, so I connected a switch and servers to port 3 and called it Vlan3.


These are my settings:

interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.1.1
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.3.1
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 51
 ip address x.x.2.1
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 3


Also, I added a DYNAMIC NAT rule to the DMZ interface, and a STATIC POLICY NAT rule so that all HTTP and HTTPS connections to x.x.3.3 (the Blog external IP address) are forwarded to x.x.2.3 (the Blog internal IP).

I can connect to the web site from the outside world, but I cannot connect to it from my LAN (Vlan1): ping or ssh to x.x.2.3 is not available, and neither is ping or ssh to the Vlan3 interface x.x.3.1 (the ASA IP on Vlan3).


Do you have any idea how I can fix it?




Community Member

Licensing is your issue.


interface Vlan3
 no forward interface Vlan1


That means no traffic back to VLAN 1.


Get a security plus license.


Good luck
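An added example (not from the original thread or from Cisco) that automates the check this reply makes by hand: it parses an ASA-style interface configuration and lists every `no forward interface` restriction by interface name and nameif, so the blocked VLAN pair stands out before any NAT or ACL troubleshooting starts. The sample config is a constructed copy of the poster's fragment with the elided `x.x.` addresses replaced by placeholder 10.0.0.0/8 addresses and subnet masks.

```python
import re

# Constructed sample: the poster's ASA 5505 config, with placeholder addresses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.3.1 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 51
 ip address 10.0.2.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 3
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its nameif, security-level and
    the list of interfaces it is forbidden to forward to."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"interface (\S+)$", line)
        if head and not raw.startswith(" "):   # top-level block start
            current = interfaces.setdefault(
                head.group(1), {"nameif": None, "security": None, "no_forward": []})
            continue
        if current is None:
            continue
        if line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security"] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            current["no_forward"].append(line.split()[3])
    return interfaces

def forwarding_restrictions(interfaces):
    """Return (src_if, src_nameif, dst_if, dst_nameif) for every restriction,
    resolving nameifs so the finding reads e.g. 'dmz cannot forward to inside'."""
    findings = []
    for ifname, props in interfaces.items():
        for target in props["no_forward"]:
            dst_name = interfaces.get(target, {}).get("nameif") or target
            findings.append((ifname, props["nameif"] or ifname, target, dst_name))
    return findings
```

Run against the sample, the only finding is Vlan3 (dmz) restricted toward Vlan1 (inside), which is exactly the line the reply points at.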


Community Member

Is there a way to enable communication from VLAN1 to VLAN3 (so Vlan1 initiates the communication) with specific NAT rules, without buying the Plus license? I understood that "no forward int vlan1" prevents Vlan3 from initiating a connection to Vlan1, no?



Community Member

Even if you initiate the connection from VLAN 1, it will not allow traffic back from VLAN 3.
