Solved: Problem to Configure Cisco ASA 5505 DMZ

David Aguirre · ‎01-15-2013

Hello,

I'm configuring a Cisco ASA 5505, I configured the INSIDE and OUTSIDE, when configuring the DMZ shows me the following error:

"This Licence does not allow configuring more than 2 interface with name if and without a" no forwaded "command on this interface or on one interface. Whit nameif alredy configured".

Then I followed this guide to achieve: "https://supportforums.cisco.com/docs/DOC-22736", but when trying to connect the new interface shows me the following message: "image has a version number unkonow Which is not supported by ASDM 6.4 (5) "and stays at 11% loading.

thank you very much for helping to get set the DMZ. and solve the problems I have.

Jouni Forss · ‎01-15-2013

Hi,

There shouldnt be much to it.

First of all you need to do the following

Open ASDM and log in
Go to the "Configuration" window
Make sure that on the lower left hand side you are now on the "Device Setup" menu
Choose the "interfaces" section
Press the "Add" button on the right hand side of the ASDM window to add a new interface
IF you have some previous 3rd Interface on the ASA, remove it first by selecting the interface and then using the "Delete" button

Now when you click "Add" button you should see this window

Choose the interface from the left side that you want to attach to the new Vlan you are creating
- Use the "Add" button to add the interface. Press OK if prompted
Configure the interface name in the section "Interface name"
Configure the security-level of the interface in the "Security Level" section
Configure the IP address and network mask of the new Vlan interface in the field below
Next click on the "Advanced" tab in the upper portion of the window

Next you can do a couple of more settings before applying them all to the ASA

Choose the Vlan ID you want to use
Configure the Vlan interface to which you want to limit the connections from the created Vlan interface
- In my example case below I chose to limit connections to my Vlan1 / LAN interface

Next press "OK" and in the main window press "Apply" to apply the configurations to the ASA

In my case the CLI format configuration inserted was:

interface Ethernet0/3

switchport access vlan 30

no interface vlan20

Interface vlan30

no shutdown

no forward interface vlan1

nameif DMZ

security-level 50

ip address 10.10.234.1 255.255.255.0

Hopefully the above was helpfull

- Jouni

View solution in original post

Jouni Forss · ‎01-15-2013

Hi,

It would seem you have an ASA5505 with a Base License. You can confirm this with the "show version" command on the CLI

You CAN configure 3 Vlan interfaces on the ASA but as the error message says, BEFORE configuring the "nameif" for the DMZ interface you will first need to configure a "no forward interface Vlanx"

This basically means that without a better License you will have to limit the DMZs traffic towards 1 of the other interfaces. Typically this would be done towards your LAN interface

Configuring this restriction will mean that DMZ cant initiate connections to INSIDE. At the same time this WONT prevent INSIDE from connecting to the DMZ though.

So what you would need to do is the following

Have the "INSIDE" and "OUTSIDE" configured.
Decide to which of the above interface the "DMZ" shouldnt be able to initiate connections to. (Usual being INSIDE)
Under the DMZ "interface Vlanx" configurations configure the "no forward interface Vlanx"
- Where "Vlanx" is the Vlan interface and number of the interface to which you want to limit connections to
After the above has been configured, you can then configure the "nameif" under the DMZ interface

Hopefully the above will sort your situation. Please rate if the information was helpfull. If it answered your question, please mark the question as answered

I can't be sure what the problem with ASDM would be. I don't normally use it for configurations.

- Jouni

David Aguirre · ‎01-15-2013

Thank you very much for the reply;

As could make your solution through ASDM?

Jouni Forss · ‎01-15-2013

Hi,

There shouldnt be much to it.

First of all you need to do the following

Open ASDM and log in
Go to the "Configuration" window
Make sure that on the lower left hand side you are now on the "Device Setup" menu
Choose the "interfaces" section
Press the "Add" button on the right hand side of the ASDM window to add a new interface
IF you have some previous 3rd Interface on the ASA, remove it first by selecting the interface and then using the "Delete" button

Now when you click "Add" button you should see this window

Choose the interface from the left side that you want to attach to the new Vlan you are creating
- Use the "Add" button to add the interface. Press OK if prompted
Configure the interface name in the section "Interface name"
Configure the security-level of the interface in the "Security Level" section
Configure the IP address and network mask of the new Vlan interface in the field below
Next click on the "Advanced" tab in the upper portion of the window

Next you can do a couple of more settings before applying them all to the ASA

Choose the Vlan ID you want to use
Configure the Vlan interface to which you want to limit the connections from the created Vlan interface
- In my example case below I chose to limit connections to my Vlan1 / LAN interface

Next press "OK" and in the main window press "Apply" to apply the configurations to the ASA

In my case the CLI format configuration inserted was:

interface Ethernet0/3

switchport access vlan 30

no interface vlan20

Interface vlan30

no shutdown

no forward interface vlan1

nameif DMZ

security-level 50

ip address 10.10.234.1 255.255.255.0

Hopefully the above was helpfull

- Jouni

David Aguirre · ‎01-15-2013

thank you very much.

Everything worked perfectly and I was able to configure the DMZ, the last thing I want is to change the direction of the INSIDE default (192.168.1.1) on the other direction due to the same address the ISP Router has tried it and will not let me .

I appreciate all your help and excellent service.