05-01-2014 01:42 AM
Hi,
I have an ASA 5505, connected to the WAN on port 0 (called Vlan2) and connected to my development LAN on port 7 (called Vlan1).
I want to add a DMZ, so I connected a switch and servers to port 3 and called it Vlan3.
These are my settings:
interface Vlan1
nameif inside
security-level 100
ip address x.x.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.3.1 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 51
ip address x.x.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 3
!
Also, I added a dynamic NAT rule to the DMZ interface, and a static policy NAT rule so that all HTTP and HTTPS connections to x.x.3.3 (the blog's external IP address) are forwarded to x.x.2.3 (the blog's internal IP).
I can connect to the web site from the outside world, but I cannot connect to it from my LAN (Vlan1): ping or SSH to x.x.2.3 is not available, and neither is ping or SSH to the Vlan3 interface x.x.3.1 (the ASA IP on Vlan3).
Do you have any idea how I can fix it?
Thanks.
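The check I would run before changing anything, as an added example that is not part of the original post: ASA `packet-tracer` simulates a flow through the box and reports the phase (ACL, NAT, route, etc.) in which it is dropped, which tells you whether the inside-to-DMZ failure is a NAT/ACL problem or the VLAN forwarding restriction. The inside host address x.x.1.10 and the source port are assumptions; the other addresses come from the configuration above. One caveat: the ASA by design does not answer ping to one of its own interface addresses from a host on a different interface, so pinging the dmz interface IP from Vlan1 is not a useful reachability test; test against the server address instead.

```cisco
! Added example, not from the original post.
! Assumed: x.x.1.10 is a host on the inside VLAN (Vlan1).

! Simulate an SSH connection from the inside host to the DMZ server
! and show, phase by phase, where the ASA drops it (if it does).
packet-tracer input inside tcp x.x.1.10 40000 x.x.2.3 22 detailed

! Same for an inside-initiated HTTP request to the server's inside address.
packet-tracer input inside tcp x.x.1.10 40001 x.x.2.3 80 detailed

! Confirm which license the unit is running; the Base license is what
! requires "no forward interface" on the third VLAN ("DMZ Restricted").
show version | include VLAN
show activation-key
```

If the drop phase reported is the interface forwarding check rather than ACL or NAT, the fix is the license, not the NAT rules; if it is ACL or NAT, the rules need to be adjusted for the inside-to-dmz direction regardless of the license.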
05-02-2014 03:50 PM
Licensing is your issue.
interface Vlan3
no forward interface Vlan1
That means no traffic back to VLAN 1.
Get a Security Plus license.
Good luck
05-03-2014 11:05 PM
Is there a way to enable communication from VLAN1 to VLAN3 (so that Vlan1 initiates the communication) with specific NAT rules, without buying the Plus license? I understood that "no forward int vlan1" is there to prevent Vlan3 from initiating the connection to Vlan1, no?
Thanks
05-06-2014 08:52 AM
Even if you initiate the connection from VLAN 1, it will not allow traffic back from VLAN 3.