11-30-2011 11:50 PM - edited 03-11-2019 02:57 PM
ASDM 6.4
Hello :-) I need help with the ASA 5505 and a DMZ; I have a Base License.
What do I need to do to access the DMZ from the inside network?
I successfully configured Internet access for the DMZ and the inside network, and the web server can be accessed from the Internet, but I have a problem configuring communication from the inside network to the DMZ.
//Dennis
12-06-2011 06:47 AM
Hi,
Well, I do not agree with that. If you have the current config with the Base License, then the DMZ interface can only speak to the outside interface and not to VLAN1 (i.e. the DMZ can communicate with either the outside or the inside, but not both).
However, if the inside interface wants to communicate with VLAN 5 (DMZ) resources, i.e. if inside hosts initiate a new connection to the DMZ, they can certainly do so and there is no restriction on it.
interface Vlan5
no forward interface Vlan1 ----> This says I don't want to communicate to the inside i/f
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
Regards
Ankur
11-30-2011 11:56 PM
Running config
: Saved
:
ASA Version 8.4(2)
!
hostname qpcnet
enable password Fzc1w9KayYqp2.LH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.15.14.7 255.255.255.192
!
interface Vlan5
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network speakersaid
 host 192.168.2.11
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit object-group TCPUDP any object speakersaid eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network speakersaid
 nat (any,any) static 193.15.14.11
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.15.14.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 130.244.127.162 130.244.127.170 interface inside
!
dhcpd address 192.168.2.100-192.168.2.200 DMZ
dhcpd dns 130.244.127.162 130.244.127.170 interface DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.36.133.17 source outside
ntp server 192.36.133.25 source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6731dc1cb267c4b84442534e23801485
: end
asdm image disk0:/asdm-645-206.bin
no asdm history enable
12-01-2011 09:32 AM
Hello Dennis,
The problem here is that with a Base License on a 5505 ASA, your DMZ or third VLAN is restricted so it can only access one other VLAN.
In order for you to communicate from the DMZ to the inside and the outside, you will need the Security Plus license.
Please rate helpful posts.
Regards,
Julio
12-01-2011 10:16 PM
Hello again
I do not need access "from" the DMZ to the LAN... no forward interface Vlan1
interface Vlan5
no forward interface Vlan1
nameif DMZ
I need to access Vlan5 (DMZ) from my Vlan1 (inside). Do I really need a Security Plus license for that?
My web server on Vlan5 (DMZ) can access the Internet, and from the Internet I can access the web server in Vlan5 (DMZ) on port 80 :-)
193.15.14.11
Please explain so a child can understand ;-)
Best regards
Dennis
12-01-2011 11:39 PM
Hello Dennis,
As I told you before, you will be restricted in the number of VLANs on an ASA 5505.
You can have communication between VLAN 1 and 2, but as soon as you add a third one, that VLAN would be able to maintain communication with just one interface; that is why it is called restricted.
So if you want to allow that communication, you will need to order a Security Plus license.
Regards,
Julio
12-02-2011 12:41 AM
OK, I will try this.
I'm not a CLI guy, so I will try to do it with ASDM 6.4.
I think I need some more help on where to do this in ASDM 6.4.
//dennis
12-01-2011 11:43 PM
Hi Dennis
You do not need a Security Plus license on the ASA 5505 for accessing resources from inside to the DMZ. This can be achieved by the following:
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,dmz) dynamic interface
Regards
Ankur
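As an added example (not Ankur's or Dennis's configuration, and not taken from the Cisco document linked later in the thread), this is what a complete three-VLAN Base-License configuration for this setup looks like on ASA 8.4, using the addressing from Dennis's posted running config (inside 192.168.10.0/24 on Vlan1, outside 193.15.14.7/26 on Vlan2, DMZ 192.168.2.0/24 on Vlan5, web server 192.168.2.11). It goes somewhat beyond the reply above: it scopes the web server's static NAT to (DMZ,outside) instead of (any,any), narrows the inbound rule to TCP/80 only, and adds an optional inside ACL so inside hosts can reach only the web server in the DMZ. The object names inside-net and dmz-net, the ACL name inside_access_in, and the host address 192.168.10.50 in the usage note are assumptions made for this example.

```cisco
! Added example, not the thread's own config. ASA 5505, 8.4(2), Base License.
! Addressing follows Dennis's posted running config.
!
! Base License restricted third VLAN: "no forward interface Vlan1" on Vlan5 means
! DMZ hosts cannot INITIATE connections to inside. Inside may still initiate
! connections to the DMZ; the stateful engine allows the return traffic.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.15.14.7 255.255.255.192
!
interface Vlan5
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Web server object. The static NAT is scoped to (DMZ,outside) rather than
! (any,any), so the public address is only used on the outside interface.
! (Assumption made in this example; the thread's config uses (any,any).)
object network speakersaid
 host 192.168.2.11
 nat (DMZ,outside) static 193.15.14.11
!
! Outbound PAT for inside and DMZ hosts reaching the Internet.
! Object names are assumed for this example.
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-net
 subnet 192.168.2.0 255.255.255.0
 nat (DMZ,outside) dynamic interface
!
! Inbound from the Internet: only TCP/80 to the web server. On 8.3+ the ACL
! references the real (DMZ) address of the object, not the public one.
access-list outside_access_in extended permit tcp any object speakersaid eq www
access-group outside_access_in in interface outside
!
! Inside -> DMZ: no NAT statement is needed on 8.3+ (there is no nat-control),
! and traffic from security-level 100 to 50 is permitted by default, so inside
! hosts reach 192.168.2.11 on its real address.
! Optional least-privilege policy on inside (ACL name assumed): allow only HTTP
! to the web server, log and drop anything else bound for the DMZ, and keep
! Internet access. Once an ACL is applied to an interface the implicit deny
! applies, so the final permit is required.
access-list inside_access_in extended permit tcp object inside-net object speakersaid eq www
access-list inside_access_in extended deny ip object inside-net object dmz-net log
access-list inside_access_in extended permit ip object inside-net any
access-group inside_access_in in interface inside
```

To check the result without a client, run `packet-tracer input inside tcp 192.168.10.50 1025 192.168.2.11 80` on the ASA: the output walks through the ACL and NAT phases and ends with ALLOW or DROP plus the phase that made the decision, which is the quickest way to see whether a NAT rule or an ACL is what blocks inside-to-DMZ traffic. `show nat` shows which NAT rule each flow is matching and how many hits it has.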
12-05-2011 04:12 AM
Hello Ankur
Can you help me with where to type the lines in ASDM 6.4?
//Dennis
12-05-2011 06:19 AM
Hi Dennis,
Please go through the configuration example below, which will tell you step by step how to configure NAT rules in 8.3 via ASDM.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml
Let me know if it helps.
Ankur
12-06-2011 07:31 AM
Hello :-)
My new Cisco ASA 5505 (for testing purposes) arrived today; I will start testing tomorrow.
I learn something new every day; thanks everybody for that :-)
//Dennis
12-05-2011 01:23 PM
Have you tried changing the no forward interface to Vlan 2?
12-05-2011 11:24 PM
What do I achieve with that config?
12-06-2011 06:24 AM
edit: Corrected by Ankur.
12-06-2011 07:01 AM
Thanks for correcting me Ankur.