ASA 5505 question

Patrick McHenry
Level 3

Hi,

I asked many questions about this topic, but I haven't gotten the answers I need to move forward. With the 5505 I want to connect two sets of users to the Internet, but I want to keep the two sets of users separate. I need to upgrade the license to 50 users from the basic license - which I'm going to do. Will I be able to create one VLAN (INSIDE) and allow them to go to the Internet through the OUTSIDE (VLAN) interface and at the same time allow another VLAN (DMZ) to go to the Internet through the OUTSIDE interface? Then assign these VLANs, INSIDE and DMZ, to the switchports that 1260 autonomous APs connect to? And then create two SSIDs, one on each AP?

I've attached a diagram.

Thanks, Pat

9 Replies

John Blakley
VIP Alumni

If you're wanting to assign different subnets to the users who connect via wireless, you're going to need a security license for the ASA which almost doubles the cost of a 5505. On the security image, you can create multiple vlans and map subnets to those. The original request of single vlan, dmz, and outside can be done with the base license. If you're planning on putting wireless users in vlan 1 along with your wired users, then yes, you can do what you want with a standard base license.

HTH, John *** Please rate all useful posts ***

What I want to do is put employees on one VLAN, wired and wireless. Then make another VLAN or use the DMZ VLAN, that would be just wireless and put visitors or Vendors on that VLAN.

Thanks, Pat

Someone posted this in a different discussion but, I need some clarity.

"If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance."

Does this mean I can create 3 VLANs, but the DMZ VLAN will only be able to communicate with the OUTSIDE VLAN?

As you said earlier, without the Security license I can't create different subnets, but if the Inside will not be able to communicate with the DMZ, I should be fine. I want to keep the two separate. I just need to make sure the Inside and the DMZ will be able to go to the Internet.

Thanks, Pat

Hi

Yes that is correct

if you have 3 vlans

Inside

Outside

Dmz1

You can not have contact with all three interfaces.

so you will have to choose

Either Inside, Outside and Inside-DMZ can speak to each other, but then DMZ and Outside can not speak to each other;

Or Outside, Inside and Outside-DMZ can speak, but then DMZ and Inside can not speak to each other;

Or DMZ-Outside and DMZ-Inside can speak, but then Inside and Outside can not speak to each other.

I do not know why Cisco has chosen this, and I truly think it is deceptive to state that you have a DMZ if it can not speak to both outside and inside.

I have had customers who bought the 5505 and thought they could use a DMZ, but it is not one, since it can not speak to the inside. They were not happy when I had to explain that that was not possible. I do understand that it is a "definition thing", i.e. what defines a DMZ. But alas, this is one thing that, I am sorry to say, I think Cisco has handled in a poor manner. Cisco would have lost nothing by letting the DMZ be a true DMZ that can be used for both inside and outside use.

Good luck

HTH

Thanks for the response Hobbe,

Sorry, but I'm still a little confused.

So, I can have an OUTSIDE interface, an INSIDE interface and a DMZ interface.

Can I have the INSIDE speak with the OUTSIDE and the DMZ speak with the OUTSIDE at the same time? (I'm not concerned about the DMZ speaking to the INSIDE.)

If this is possible, will I be able to configure DHCP to hand out addresses for the DMZ and INSIDE even though they will be in the same subnet?

And, will I be able to change the security of the DMZ to 100 - like the INSIDE?

Thanks, Pat.

"Can I have the INSIDE speak with the OUTSIDE and the DMZ speak with the OUTSIDE at the same time? (I'm not concerned about the DMZ speaking to the INSIDE.)"

This is correct. Like hobbe said, you can't have a fully routable dmz though (dmz -> outside and dmz -> inside).

I don't know if you can set up the same security level on the DMZ as the inside interface, but there's really no reason to. The security levels in PIX/ASAs are able to talk from higher to lower with no restriction, but not the other way around. Your inside would be protected from the outside interface (0 -> 100) and your dmz interface would be protected from your outside (0 -> 50). Your inside would also be protected from your dmz (50 -> 100). In order for the lower levels to speak to upper levels, you'll need ACLs on those interfaces to allow the traffic in.

As far as assigning different subnets, that shouldn't be a problem.

You'd assign a different dhcp pool to your nameif:

dhcpd address 192.168.1.100-192.168.1.150 inside

dhcpd address 192.168.2.100-192.168.2.150 dmz

I don't think you're going to be able to use the same subnet on both interfaces though; I've never tried that.

John

HTH, John *** Please rate all useful posts ***

Thanks John,

I would rather they be different subnets, but I thought I needed the security image to create different subnets? If not, that is good news!

The INSIDE is protected with 100 and the DMZ is protected with 50. Is the DMZ somehow less protected for the OUTSIDE and how?

Thanks, Pat.

Hi Patrick

Thanks for the rating.

The 100 and 50 and 0 are a totally different thing than we have discussed before.

They have to do with how the firewall handles traffic.

You can see it like this:

100 is the highest number

0 is the lowest number

to go from an interface with a high number to a lower number you will do a nat

to go from an interface with a lower number to a higher number you will do a static.

To go from an interface to another interface with an equal number was not possible in the beginning; you simply could not get traffic between the interfaces. But that has changed and is now possible.

so the numbers are not a number on how secure something is, it is just a way to handle traffic through the firewall.

if you open a static from internet to the dmz or the inside interface they are both as insecure or as secure.

there is no difference in the commands.

the same if you want to open traffic from the inside to the outside or from the dmz to the outside.

Same commands.

However, the difference comes when you want to open something from the dmz to the inside.

That would require you to do the same configuration as you would from the outside,

but from the inside towards the dmz you would use the same configuration as you would towards the outside,

so all in all it is just a way to handle traffic, if the dmz is 50 or 99 or 1 there is no difference from a security standpoint in how it is handled towards the other two interfaces (outside and inside)

Good luck

HTH

The DMZ is not 'less protected', but it's your middle man between the inside and outside zones. So, in theory, it would be:

0 - less protected

50 - more protected

100 - highest protection

As for what Hobbe said, there isn't a difference if you set your security level on the outside to 10, dmz to 20, and inside to 30; the ASA uses the lowest number as the least protected and the highest number as the most protected. It's just common practice to have the inside zone as 100 and outside as 0.

As far as different subnets, I think you can assign a different subnet to a dmz, but you can't create more than 3 vlans. Here's a link for that.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819

You set up the security level under your vlan interface: int vlan 50 / security-level 50 / ip address x.x.x.x x.x.x.x

That would then be associated to your dhcpd pool. From the link above I copied this:

With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN.

The DMZ vlan would then only be able to talk to the outside vlan (I believe vlan 2 by default) meaning internet access only and nothing to the inside.

The link above will tell you everything you need to know about the base license. Thanks for the ratings!

HTH, John *** Please rate all useful posts ***
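Pulling the thread together, here is what the three-VLAN Base-license layout discussed above looks like as an ASA 7.2-style configuration. This is an added example, not a configuration posted by anyone in the thread; the VLAN numbers, the 192.168.x.x and 203.0.113.53 addresses and the switchport-to-AP assignments are constructed assumptions for illustration. The one line that makes the Base license accept a third named VLAN is `no forward interface vlan 1`, entered before `nameif`, which is what turns the dmz into an Internet-only guest segment.

```text
! Added example (not from the thread): ASA 5505, Base license, three VLANs.
! VLAN 1 = inside (employees, wired + wireless), VLAN 2 = outside (ISP),
! VLAN 3 = dmz (guest/vendor wireless only). Addresses are constructed.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN: the Base license requires naming the one VLAN this interface
! may NOT initiate traffic to, BEFORE nameif. Blocking vlan 1 leaves
! dmz -> outside (Internet) as the only permitted direction from the dmz.
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Switchports (assumed layout): 0/0 uplink, 0/1 employee AP, 0/2 guest AP
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! One DHCP pool per named interface, separate subnets as John suggested.
! 203.0.113.53 is a documentation-range placeholder for a DNS server.
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd address 192.168.2.100-192.168.2.150 dmz
dhcpd dns 203.0.113.53
dhcpd enable inside
dhcpd enable dmz
!
! PAT both internal subnets behind the outside address (7.x nat/global syntax)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
```

With this in place, inside (100) and dmz (50) both reach the outside (0) with no ACL because traffic flows higher-to-lower by default, outside cannot initiate to either without an explicit access-list, and the `no forward interface vlan 1` statement is what keeps the guest segment from ever initiating toward the employee VLAN. Order matters: if `nameif dmz` is entered first, the appliance rejects the third VLAN on the Base license and you have to remove the nameif and start the interface block again.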