Best Practices For DMZ Configuration With Base Licence

mfrank1976
Level 1

Hello:

My ASA 5505 base license allows for three VLANs, the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong.

Let's say you've got three VLANs: one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN, would I enter the no forward interface as VLAN 3, then set the name via the nameif command, and everything would work just fine? The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.

Would that be best practice, or would I enter the "no forward" interface as VLAN 1, thus being able to respond to traffic from the outside as opposed to the inside?

I had a DMZ set up but since there was an intrusion into my network, I am building it again.

Regards,

- Mike

2 Replies

brquinn
Level 1

Mike,

There isn't really a best practice for this. I would say most often people use the inside and dmz interfaces when deploying a 5505 for both home and work access. The 'no forward' command could be entered on the home network's interface to prevent it from establishing any connections into the work network. Usually both interfaces need internet access so you would not choose the outside interface as the 'no forward' interface.

Ultimately, you need to determine how you want to restrict your traffic before you can start your configuration.

Thanks,

Brendan
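The layout discussed in the question and in Brendan's reply (three VLANs on a Base-license 5505, with the restricted third VLAN pointed at the inside network rather than at the outside), written out as a configuration fragment. This is an added example, not configuration posted by either participant; the interface numbers, names, addresses and the Ethernet0/x port assignments are assumptions chosen to match the OUTSIDE / DMZ / INSIDE scenario in the question. The `no forward interface` line must be entered on the third VLAN before its `nameif`, otherwise the ASA rejects the third named VLAN under the Base license.

```cisco
! Constructed example for an ASA 5505 Base license (3 active VLANs).
! VLAN 1 = INSIDE, VLAN 2 = OUTSIDE, VLAN 3 = DMZ (restricted VLAN).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN: the Base license allows it only if it cannot initiate
! traffic to one other VLAN. Point it at the inside network, not the
! outside, because the DMZ still needs to reach the Internet.
! "no forward interface" has to come before "nameif" here.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Switch ports: assign physical ports to the VLANs (assumed layout).
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 1
!
! The license restriction is not a security control; state it in
! policy as well so the intent survives a later license upgrade.
! Inside -> DMZ is permitted by the security levels; DMZ -> inside is
! denied explicitly, everything else from the DMZ (i.e. to outside)
! is allowed. Return traffic for inside-initiated sessions is handled
! by the stateful inspection and is not affected by this ACL.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Checks after applying:
!   show version            -> look for "Maximum VLANs : 3"
!   show interface ip brief -> all three VLAN interfaces up
!   show running-config interface Vlan3
!                           -> "no forward interface Vlan1" present
```

NAT is intentionally left out of the fragment because the syntax differs between ASA 8.2 and 8.3+; add the object or nat statements appropriate to the installed version so that the DMZ and inside networks are translated on the outside interface.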

That is what I thought.

Thanks for the confirmation.

Regards,

- Mike
