topic ASA5505 basic lic-DMZ to outside access in Network Security

ASA5505 basic lic-DMZ to outside access

asoka — Mon, 11 Mar 2019 16:21:52 GMT

I have a new 5505 with basic license, and I setup DMZ as security 50, inside to out side no issues.

restricted access from DMZ to inside (that satisfy the license limitation), but I should be able to access internet(outside) from DMZ am I corrct.But I can't.

I dont have ACLs and I have

global (outside) 1 with interface

nat (DMZ) 1 with "DMZ subnet"

My understanding is of the asa and pix is, this should work.

Am I doing any thing wrong here, pls advise.

Re: ASA5505 basic lic-DMZ to outside access

indra — Thu, 01 Oct 2009 12:33:57 GMT

it must be the ACL, how you are restricting access from DMZ to inside. there must be a acl for the dmz interface to restrict traffic if i am not wrong allow traffic there towards internet and you will be all set to go.

Re: ASA5505 basic lic-DMZ to outside access

Collin Clark — Thu, 01 Oct 2009 12:50:24 GMT

Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#ThirdVLAN

Hope it helps.

Re: ASA5505 basic lic-DMZ to outside access

asoka — Thu, 01 Oct 2009 13:28:03 GMT

Thanks for quick post, I read all about it, but I dont know if

no forward interface vlan command

prevent forwarding packet to outside interface, my restricted interface would be from DMZ to inside.

Cos I dont have ACL configured, I would assume traffice should allow from DMZ to outside, is it so

Re: ASA5505 basic lic-DMZ to outside access

Collin Clark — Thu, 01 Oct 2009 14:58:23 GMT

Can you post your config and a show version?

Re: ASA5505 basic lic-DMZ to outside access

cmcbride — Thu, 01 Oct 2009 22:41:53 GMT

Assuming you have this configuration:

interface vlan1

nameif inside

interface vlan2

nameif outside

interface vlan3

nameif DMZ

If you want the DMZ to have Internet, but no access to inside, then you configure it this way:

interface vlan3

nameif DMZ

no forward interface vlan1

It wasn't clear if that's what you did or not...

Re: ASA5505 basic lic-DMZ to outside access

asoka — Fri, 02 Oct 2009 03:01:14 GMT

Thanks for th epost, this is the config

I am not sure it need a ACL to allow traffic out of DMZ to outside when u have "no forward interface vlan1" command, interesting though I can see the DNS resolution in the browser bottom bar when I try to go to a web site.

ASA Version 8.2(1)

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 1xx.1xx.213.142 255.255.255.240

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

switchport access vlan 3

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns server-group DefaultDNS

domain-name tagitmobile.com

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 1xx.15xx.213.129 1

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd address 192.168.3.10-192.168.3.31 dmz

dhcpd dns 203.116.1.78 203.116.1.94 interface dmz

dhcpd domain tagitmobile.com interface dmz

dhcpd enable dmz

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

Re: ASA5505 basic lic-DMZ to outside access

Collin Clark — Fri, 02 Oct 2009 12:28:09 GMT

You do need an ACL on the DMZ interface.

access-list dmz_access extended permit tcp any any eq 80

access-list dmz_access extended permit tcp any any eq 443

access-list dmz_access extended permit udp any any eq 53

access-group dmz_access in interface dmz

Try adding this, try surfing the internet, and check the logs.

Re: ASA5505 basic lic-DMZ to outside access

jdlampard — Thu, 08 Oct 2009 19:16:43 GMT

I believe you're missing a global statement for the DMZ.

What does the log show??

Re: ASA5505 basic lic-DMZ to outside access

asoka — Fri, 09 Oct 2009 02:35:42 GMT

Hi, Thanks for reply, this customer installed a interim solution until they receive security plus license,

But, the single global statement is enough for both inside and dmz isn't it.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

When I get a chance to test this asa I will update the entry here.