ASA 5505, how to configure DMZ to Inside traffic flows

Dear all,
We have a Cisco ASA 5505 with an outside, an inside and a DMZ interface.
We really need all three of these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restricted traffic flow). This restriction can't be disabled; an error occurs when I try to do this.
I would like to allow only one single port access from the DMZ to the inside. Is that possible, and how?
Thanks for the feedback.
Regards,
Peter.

5 Replies

Julio Carvajal
VIP Alumni

What license do you have on this ASA 5505 (A show version will be helpful)?

What do you mean by "a restriction can't be disabled"?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

What I mean with "can't be disabled": when you navigate to Configuration / Interfaces, select the DMZ interface and go to Advanced, you can block traffic. By default "Inside" has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license is 3 max.

So, my question is: can I create a rule somewhere to override this setting for only one specific port? And how?

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

router up 100 days 1 hour

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0    : address is a44c.11bb.5492, irq 11
1: Ext: Ethernet0/0         : address is a44c.11bb.548a, irq 255
2: Ext: Ethernet0/1         : address is a44c.11bb.548b, irq 255
3: Ext: Ethernet0/2         : address is a44c.11bb.548c, irq 255
4: Ext: Ethernet0/3         : address is a44c.11bb.548d, irq 255
5: Ext: Ethernet0/4         : address is a44c.11bb.548e, irq 255
6: Ext: Ethernet0/5         : address is a44c.11bb.548f, irq 255
7: Ext: Ethernet0/6         : address is a44c.11bb.5490, irq 255
8: Ext: Ethernet0/7         : address is a44c.11bb.5491, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has a Base license.

Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013

Hello,

This is because you have a license that allows traffic from only 2 interfaces to flow without any restriction across the firewall:

VLANs                          : 3, DMZ Restricted

So you will need to choose what you would like the DMZ to access (either inside or outside), or get the Security Plus license, which will basically make that restriction disappear.

So what would you need the DMZ to do:

  1. Access the Outside
  2. Access the Inside

Cheers,

Julio Carvajal Segura
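For reference, here is what the "DMZ Restricted" condition from the show version output above looks like in the ASA 8.2 CLI, and what the Security Plus configuration for a single-port DMZ-to-inside rule would be. This is an added example, not configuration from the thread or from the poster's device; the VLAN numbers, addresses and the port (TCP 1433) are assumptions chosen for illustration.

```cisco
! --- Base license ("VLANs: 3, DMZ Restricted"), as on the device in the thread ---
! On the Base license the third VLAN must carry "no forward interface" toward one
! other VLAN before "nameif" is accepted. ASDM exposes exactly this as the
! "Block traffic" drop-down on the interface's Advanced tab, which is why the
! box cannot be left empty.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0          ! assumed addressing
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248        ! assumed addressing
!
interface Vlan3
 no forward interface Vlan1                    ! the license-enforced restriction
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0          ! assumed addressing
!
! The forward restriction is enforced independently of any ACL: a rule like the
! one below is never reached for connections initiated on the DMZ, so the block
! cannot be overridden for a single port.
access-list dmz_in extended permit tcp 192.168.3.0 255.255.255.0 host 192.168.1.20 eq 1433
access-list dmz_in extended deny ip any any
access-group dmz_in in interface dmz
!
! What still works on the Base license: "no forward interface" only stops
! connections *initiated* on Vlan3. A host on the inside may open a session to
! the DMZ, and the replies are allowed back through the stateful inspection.
!
! --- Security Plus license ("VLANs: 20, DMZ Unrestricted") ---
! After the Security Plus key is installed with "activation-key <key>" and
! "show version | include VLANs" reports "DMZ Unrestricted", lift the
! restriction; the single-port ACL above then does what the original poster asked for.
interface Vlan3
 forward interface Vlan1
!
! Check the result:
! show version | include VLANs
! show running-config interface Vlan3
```

If the application can be turned around so that the inside host initiates the connection (for example the inside host polls the DMZ host on that port), the restriction does not get in the way and no license change is needed; otherwise the Security Plus license is the only way to have a DMZ-initiated connection reach the inside on the 5505.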

When I search the reseller website, I can see a yearly renewable license named "Content Security Plus license". Is that the license I need?

L-ASA5505-SEC-PL=


Cheers,

Julio Carvajal Segura
