09-09-2013 06:00 AM - edited 03-11-2019 07:35 PM
Dear.
We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
We really need all these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurred when doing this.
I want to allow only one single port access from the DMZ to the inside. Is that possible? And how?
Thanks for the feedback.
Regards.
Peter.
09-09-2013 10:10 AM
What license do you have on this ASA 5505 (a "show version" will be helpful)?
What do you mean by "a restriction can't be disabled"?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-09-2013 12:14 PM
What I mean with "can't be disabled": when you navigate to Configuration/Interfaces and select the DMZ interface / Advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license is 3 max.
So, my question is: can I create a rule somewhere to overwrite this setting for only one specific port? And how?
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
router up 100 days 1 hour
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is a44c.11bb.5492, irq 11
1: Ext: Ethernet0/0 : address is a44c.11bb.548a, irq 255
2: Ext: Ethernet0/1 : address is a44c.11bb.548b, irq 255
3: Ext: Ethernet0/2 : address is a44c.11bb.548c, irq 255
4: Ext: Ethernet0/3 : address is a44c.11bb.548d, irq 255
5: Ext: Ethernet0/4 : address is a44c.11bb.548e, irq 255
6: Ext: Ethernet0/5 : address is a44c.11bb.548f, irq 255
7: Ext: Ethernet0/6 : address is a44c.11bb.5490, irq 255
8: Ext: Ethernet0/7 : address is a44c.11bb.5491, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013
09-09-2013 12:22 PM
Hello,
This is because you have a license that allows traffic from only 2 interfaces to flow without any restriction across the firewall:
VLANs : 3, DMZ Restricted
So you will need to set from the DMZ what you would like to access (either inside or outside), or get the Security Plus license, which will basically make that restriction disappear.
So what would you need the DMZ to do?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
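The point above is that the DMZ-to-inside block on this unit is a property of the Base license ("VLANs : 3, DMZ Restricted"), not an ACL, so no access rule can carve a single port out of it. A practitioner inventorying several 5505s would want to read that fact straight out of "show version" before designing a three-interface topology. The script below is an added example written for this thread, not code from Cisco or from either poster: it parses the "Licensed features" block as pasted above, splits the VLANs entry into a count and a restricted flag, and answers whether an unrestricted three-interface design is licensed. The Security Plus sample text is constructed for contrast and its exact wording is an assumption.

```python
import re

# Excerpt of the "show version" output posted in the thread (Base license).
SHOW_VERSION_BASE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
"""

# Constructed sample of the same block under the Security Plus license.
# The wording is an assumption for illustration, not output from the thread.
SHOW_VERSION_SECPLUS = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
This platform has an ASA 5505 Security Plus license.
"""

# "Feature name : value" lines inside the licensed-features section.
FEATURE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_licensed_features(text):
    """Return the 'Licensed features' section as a dict of feature name -> value.

    Parsing starts at the section header and stops at the 'This platform has'
    summary line, so the serial number and activation key are never read.
    """
    features = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("This platform has"):
            features["_platform"] = line.strip()
            break
        m = FEATURE_RE.match(line)
        if m:
            features[m.group("name")] = m.group("value")
    return features


def vlan_license(features):
    """Split the VLANs entry into (vlan_count, dmz_restricted)."""
    value = features.get("VLANs", "")
    m = re.match(r"(\d+)\s*,\s*DMZ\s+(Restricted|Unrestricted)", value)
    if not m:
        raise ValueError(f"unrecognised VLANs entry: {value!r}")
    return int(m.group(1)), m.group(2) == "Restricted"


def supports_unrestricted_dmz(text, interfaces_needed=3):
    """True if the license allows `interfaces_needed` VLAN interfaces whose
    mutual traffic is governed only by ACLs (no license-enforced restricted
    third interface)."""
    count, restricted = vlan_license(parse_licensed_features(text))
    return count >= interfaces_needed and not restricted


if __name__ == "__main__":
    for label, text in (("Base", SHOW_VERSION_BASE),
                        ("Security Plus", SHOW_VERSION_SECPLUS)):
        count, restricted = vlan_license(parse_licensed_features(text))
        print(f"{label}: {count} VLANs, DMZ restricted={restricted}, "
              f"3-interface unrestricted design OK={supports_unrestricted_dmz(text)}")
```

For the output pasted in this thread the function returns False: three VLANs are licensed but the third is restricted, which is exactly why the ASDM drop-down insists on naming an interface the DMZ may not reach. Only a license line reading "DMZ Unrestricted" would make the single-port allow rule the original question asks for configurable at all.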
09-09-2013 12:27 PM
When I search at the reseller website, I can see a yearly renewable license named "Content Security Plus license". Is that the license I need?
09-09-2013 12:42 PM
L-ASA5505-SEC-PL=
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura