DMZ issues in ASA 5505 Firewall

Dawood Khan · ‎02-02-2014

hi , i have asa 5505 firewall with ASA5505-UL-BUN-K9 license i have problem with DMZ. I am not able to create dmz. please suggest me what i need to do in order to be able to configure dmz. should i need to upgrade the license. please suggest.

Jouni Forss · ‎02-02-2014

Hi,

If I am not mistaken even though you have an Unlimited User licensed ASA5505 you still lack the additional Vlan support that the Security Plus License would provide.

Though with your current license you should be able to create 3 Vlan interfaces of which 2 would be normal Vlan interfaces and 1 a DMZ (resticted) Vlan interface.

If you have for example "inside" and "outside" interface currently and want to create a "dmz" interface then you would have to first create the 3rd Vlan interface and then choose towards which existing interface the connections should be disabled (this is because its a resticted Vlan interface)

Lets say you have Vlan2 for "outside" and Vlan1 for "inside" and create a new Vlan3 for "dmz" you would have to do this

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address

You can naturally confirm the Vlan support on the ASA currently with the command

show version

Hope this helps

- Jouni

Dawood Khan · ‎02-02-2014

First of all thanks for your response. yes you are right i have ASA5505-UL-BUN-K9 license. if i buy ASA5505-SEC-BUN-K9 License than how many vlan it will provide.

Julio Carvajal · ‎02-02-2014

Hello Dawood,

If you obtain the security Plus License you will be able to use up to 20 VLANs on your ASA Firewall having the DMZ Restricted advertisement fade away

I hope this answers your question, any other bring it on bud

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dawood Khan · ‎02-03-2014

thanks

Julio Carvajal · ‎02-03-2014

Hello Dawood,

My pleasure.

Do u have any other question? Otherwise u can mark Jouni's and my answers as valid.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss · ‎02-02-2014

Hi,

Is the currently licensed firewall something that you have had for sometime or is it a new purchase?

Just wondering as it would seem unreasonable to just have bought something and then having to get a new license. Just wondering if you can somehow avoid spending extra money if this is a new purchase that wasnt what you were actually looking for.

You can check this link for the differnent options the ASA5505 has

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

You can also check this link for all the available licensed options on the ASA5505

http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2124788

This link contains also information on the ASA models

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

So essentially you would get 20 Vlan interfaces instead of 3 and also support for Trunking which would let you use a single physical link for several Vlans (if you wanted that is)

Hope this helps

- Jouni

Dawood Khan · ‎02-03-2014

thanks