11-05-2009 05:05 PM - edited 03-11-2019 09:37 AM
Hi, I'm looking for a good config for an ASA5505 with a DMZ, but on the basic license. No access from DMZ to inside.
11-06-2009 09:42 AM
Hi,
Please try the following (I am assuming that the DMZ vlan is vlan 3 and dmz physical interface is interface 3. Kindly make the necessary adjustments. Also inside interface is vlan 1 and outside interface is vlan 2 in the sample configuration):
interface vlan 3
 ! base license: must be entered before nameif on the restricted VLAN
 no forward interface vlan 1
 nameif DMZ
 security-level 50
 ip address x.x.x.x y.y.y.y
interface Ethernet0/3
 switchport access vlan 3
! DMZ hosts use PAT behind the outside interface address
nat (DMZ) 1 0 0
global (outside) 1 interface
Please find below the link explaining the no forward interface command:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819
Hope this helps!
Thanks,
Manish
11-06-2009 07:12 PM
Hi Manish, thanks for the post, but I have a problem with initiating traffic to the Internet side too; I restrict traffic from DMZ to inside.
Do I need an ACL to allow traffic from DMZ to outside with no forward interface vlan xx?
And this customer will buy a sec+ license to have more granular access control between his 5 sections; it would be much appreciated if anyone could suggest a good VLAN-separated config for a 5505 sec+ too.
11-10-2009 09:24 AM
Hi,
We would not require any ACL for passing traffic from DMZ to internet unless there is an ACL already applied. In case there is, please add the following line to the same:
access-list test permit ip any any
Also please make sure that the nat and global configuration is fine.
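Putting the two replies above together, here is a complete DMZ configuration for the thread's layout (inside = vlan 1, outside = vlan 2, DMZ = vlan 3 on Ethernet0/3, 7.2-era nat/global syntax). This is an added example, not a configuration posted in the thread; the addresses and the ACL name DMZ_IN are placeholders I chose.

```cisco
! Added example, not from the thread. Assumes inside = vlan 1, outside = vlan 2,
! DMZ = vlan 3 on Ethernet0/3. All addresses and the ACL name are placeholders.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Base license allows a third VLAN only if it cannot initiate traffic to one
! other VLAN; 'no forward interface' has to precede 'nameif' on that VLAN.
interface vlan 3
 no forward interface vlan 1
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 switchport access vlan 3
!
! PAT for both inside and DMZ hosts behind the outside interface address;
! without a nat/global pair for DMZ, Internet-bound traffic is dropped.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Without an ACL, DMZ (50) -> outside (0) is already permitted by security
! level, and DMZ -> inside (100) is already denied. Once an ACL is bound to
! DMZ the implicit permit disappears, so the Internet-bound permit must be
! explicit (the point of the second reply). The deny line is defence in depth
! on top of 'no forward interface'.
access-list DMZ_IN extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ
```

Inside hosts can still initiate connections to the DMZ (the forward restriction is one-directional), so `show conn` and the DMZ_IN hit counts (`show access-list DMZ_IN`) are the quick way to verify that only return traffic appears from the DMZ toward inside.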