No access to TCP services in DMZ

Trond Husoe
Level 1

I see in my history that I had a similar problem a while back; unfortunately I had to nuke the setup, and so I am sort of starting from the start again.

I have two servers set up in DMZ, one FTP and one WWW

FTP = 192.168.2.101

WWW = 192.168.2.100

Outside IP: Dynamic (currently, goal is to have a static public IP in the future)

When running packet-tracer input outside tcp current.ip.address 80 192.168.2.100 80 I get this message:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (dmz,outside) source static dmz-webserver interface service WWW WWW

My nats are like this:

1 (dmz) to (outside) source static dmz-webserver interface   service WWW WWW
    translate_hits = 0, untranslate_hits = 0
2 (dmz) to (outside) source static dmz-ftpserver interface   service FTP FTP
    translate_hits = 0, untranslate_hits = 4

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic inside-net interface  
    translate_hits = 16168, untranslate_hits = 1515
2 (inside) to (outside) source dynamic obj_any interface  
    translate_hits = 254, untranslate_hits = 0

Setup for dmz is like this:

object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object

object network DMZ.net
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp source eq ftp 
object service WWW
 service tcp source eq www 

access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp 
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www 
access-list inside_access_dmz extended permit tcp any object DMZ.net range 1 65535 

Hope for some assistance.

Best trond

24 Replies

Yes, the virtual servers in the DMZ are connected to eth1 (192.168.2.8), and so that could be the problem.

Right, I have to consider the Plus license, because it seems the eth1 problem is also related to getting outside traffic to hit the servers in the DMZ zone through the eth1 interface on the server.

EDIT:

1) which license do I then need?

... and ...

2) is it possible to just buy the license. I see lots of bundles...

1) which license do I then need?

You will need the Security Plus license

2) is it possible to just buy the license. I see lots of bundles...

Yes, it is possible to buy just the license and not the bundle. You will need to contact your local Cisco partner for this, as you cannot buy the license directly from Cisco.

--

Please remember to select a correct answer and rate helpful posts

Just to test: I have an FTP and a WWW server on the 192.168.1.8 server (which is on the inside). Would it be possible to change the settings on the firewall to check if I can reach that server instead? Or wouldn't that matter at all?

Just to clarify the matter.

The host server has two NICs, one with 192.168.1.8 (eth0) and eth1 with 192.168.2.8. I have set up one FTP server with IP 192.168.2.101 and one web server with 192.168.2.100.

I have set up port forwarding and allowed any traffic in iptables on the host machine.

Of course you can add rules for the servers off the 192.168.1.8 port, but I do not think you will get a different result. If you have any spare ports on the ASA you could configure a port in VLAN3 and connect a PC to it, give it an IP within the range of the web server and see if you can first ping the web server, and then try to reach the web page from that PC. If you are unable to ping the web server IP and/or unable to reach the web page, I would think there is a problem with the bridging between the virtual server and the host physical port.

--

Please remember to select a correct answer and rate helpful posts

Thanks for that suggestion. I'll try that approach tomorrow with a laptop I have hanging around.

Trond

So I now have a laptop set up with 192.168.2.102.

The NIC is set up with:

address 192.168.2.102

gateway 192.168.2.1 (which I noticed the DMZ zone was set up with)

and then the rest. The default route was set to 192.168.2.1.

I can ping the ASA 5505, but the machine cannot connect to the outside network (pinging 8.8.8.8 is impossible).

(dns-nameservers on the laptop are set to 8.8.8.8 8.8.4.4)

This is the current configuration:

: Saved
:
ASA Version 8.4(2) 
!
hostname fw
domain-name inside-sport.no
enable password m6c6UkyG/paoZ2LZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 300
 speed 100
 duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.x.xxx.xx 255.255.255.252 
!
interface Vlan300
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 192.168.1.8
 name-server 193.75.75.75
 name-server 193.75.75.193
 name-server 8.8.8.8
 domain-name inside-sport.no
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp source eq ftp 
object service WWW
 service tcp source eq www 
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network VPNUSERS
 subnet 10.10.10.0 255.255.255.248
object-group network obj_10.10.10.0_16
 network-object 10.10.10.0 255.255.255.248
object-group network obj_192.168.1.0_24
 network-object 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq www 
access-list outside_access_in extended permit tcp any host 192.168.2.101 eq ftp 
access-list split_tunnel_acl standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool client_pool 10.10.10.1-10.10.10.10 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP
nat (inside,outside) source static obj_192.168.1.0_24 obj_192.168.1.0_24 destination static obj_10.10.10.0_16 obj_10.10.10.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network VPNUSERS
 nat (outside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.x.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac 
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
(REMOVED)
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
crypto ikev1 enable outside
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside

dhcpd dns 192.168.1.1 193.75.75.75
dhcpd domain inside-sport.no
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.79 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd domain inside-sport.no interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
username trond password xxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN-INSIDE-SPORT type remote-access
tunnel-group VPN-INSIDE-SPORT general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
tunnel-group VPN-INSIDE-SPORT ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

You will not be able to reach the internet as you do not have NAT set up for the DMZ.

object network DMZ
 subnet 192.168.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface

What about the connection to the webserver / FTP server?

--

Please remember to select a correct answer and rate helpful posts

So I need to change these settings then?

object network dmz-webserver
 host 192.168.2.100
 description Web Server Host Object
object network dmz-ftpserver
 host 192.168.2.101
 description FTP Server Host Object
object network DMZ.net
 subnet 192.168.2.0 255.255.255.0

And I have these NATs defined:

nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP

Since this last message I have changed the route on the servers from 192.168.2.8 to 192.168.2.1 (the firewall).

This change made it possible to get access to the WWW server, and maybe to the FTP server (I am getting some connection errors, so I am not sure).

They do not, however, have access to the internet, so I have to change something, I believe.

If I change the route to 192.168.2.8 the servers get access to the internet, but then no one from outside gets access to the WWW server.
so I need to change these settings then?

Not necessarily. The reason your test PC was unable to reach the internet is that there is no dynamic NAT to translate the DMZ network to a public IP. The static NATs allow users on the public network to access that single server using the configured port, in your case HTTP and FTP. The commands I posted earlier will allow machines on the DMZ network to reach the internet, if that is required.

But were you able to access the WWW server and FTP server from the test PC?  Were you able to ping 192.168.2.8 (host machine)?  If you were able to ping the host machine and not the virtual machines, then there is a bridging problem between the virtual machines and the host NIC.

--

Please remember to select a correct answer and rate helpful posts
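As an added illustration (not code from the thread or from Cisco), the following Python script models the NAT lookup the replies describe: it parses the thread's two port-specific static rules, shows that a DMZ server's own outbound connection from an ephemeral port matches neither of them, and shows that adding `nat (dmz,outside) dynamic interface` to the DMZ.net object gives that flow a translation. The section-1-before-section-2 ordering, the object table and the port semantics are simplifying assumptions, not an ASA emulation.

```python
import ipaddress
from collections import namedtuple

# Constructed, simplified model of ASA NAT ordering: twice NAT (section 1) is
# searched before object NAT (section 2); real ASA matching is richer than this.
OBJECTS = {  # network objects from the thread's configuration
    "dmz-webserver": ipaddress.ip_network("192.168.2.100/32"),
    "dmz-ftpserver": ipaddress.ip_network("192.168.2.101/32"),
    "DMZ.net": ipaddress.ip_network("192.168.2.0/24"),
}
SERVICES = {"WWW": 80, "FTP": 21}  # real (source) port of each object service
# kind: "static"/"dynamic"; port 0 = any port (only "service WWW WWW" statics set it)
Rule = namedtuple("Rule", "section real_ifc mapped_ifc obj kind port", defaults=[0])

def parse_nat(config):
    """Parse the two NAT forms used in the thread into Rule tuples."""
    rules, current_obj = [], None
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["object", "network"]:
            current_obj = t[2]
        elif t and t[0] == "nat":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            if t[2] == "source":  # twice NAT: nat (a,b) source static OBJ interface service S S
                port = SERVICES[t[7]] if "service" in t else 0
                rules.append(Rule(1, real_ifc, mapped_ifc, t[4], t[3], port))
            else:  # object NAT under "object network X": nat (a,b) dynamic interface
                rules.append(Rule(2, real_ifc, mapped_ifc, current_obj, t[2]))
    return sorted(rules, key=lambda r: r.section)  # stable sort keeps config order

def outbound_rule(rules, ingress_ifc, src_ip, src_port):
    """First rule translating a connection the real host itself initiates."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.real_ifc == ingress_ifc and ip in OBJECTS[r.obj] and r.port in (0, src_port):
            return r
    return None

def inbound_rule(rules, ingress_ifc, dst_port):
    """Static rule that un-translates a connection arriving on the mapped side."""
    for r in rules:
        if r.mapped_ifc == ingress_ifc and r.kind == "static" and r.port == dst_port:
            return r
    return None
THREAD_NAT = """nat (dmz,outside) source static dmz-webserver interface service WWW WWW
nat (dmz,outside) source static dmz-ftpserver interface service FTP FTP
"""
DMZ_FIX = "object network DMZ.net\n nat (dmz,outside) dynamic interface\n"
def dmz_host_reaches_internet(extra_config=""):
    """Is the FTP server's own outbound flow (ephemeral source port) translated?"""
    return outbound_rule(parse_nat(THREAD_NAT + extra_config), "dmz", "192.168.2.101", 40000) is not None
```

Without DMZ_FIX the outbound lookup returns None, which is the "no internet from the DMZ" symptom; the inbound lookups for ports 80 and 21 still find the static rules either way.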

I will test what you are saying some day in the future.

I have now added the nat (dmz,outside) dynamic interface to the DMZ.net object. Now the FTP-server can reach the internet. And I can also reach the FTP-server from the outside.

I am marking this thread/task as solved.

I will post the configuration at the beginning of the thread in case someone else has the same setup.
