Asa 5505 No Dmz Name If


I know just enough of the Cisco CLI to make me dangerous. Here's the situation: I have an ASA5505 with DMZ (10.10.10.X) and Inside (192.168.0.X) Vlans. I'm running a couple servers on a block of outside IPs (1.2.3.X)

From Inside, I can't talk to my DMZ machines. I can talk to the Outside address which is then properly translated to the internal server (is this called hairpinning?) but I want to be able to talk to DMZ addresses directly.


What am I missing here? Thanks in advance for anyone who's willing to advise!

I have an ASA 5505 running v8.4. I have one static IP that my ISP gives me and I need to use that for my INSIDE network as well as my DMZ. This becomes a PAT issue as I need some ports to terminate in the DMZ, and some to terminate in the INSIDE interface.

Justin Best

3 Answers

(I know this is more than a year old, but I hope it will be useful to others.)

I think you have the ASA 5505 with the Base license. The Base license only allows 2 full VLANs; the third has to be restricted with the command 'no forward interface VlanX', and that is why you cannot remove it.


Read this from the Cisco help:

With the Base license, you can only configure a third VLAN if you use this command to limit it.


For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use this option on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a name, be sure to configure this setting before setting the name on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.

Fahad Alduraibi
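The Cisco text quoted above describes the Base-license restriction in words. The following is an added configuration example (not from the answer above or from Cisco's documentation) showing where 'no forward interface' sits relative to 'nameif' on the third VLAN; the interface names, security levels and addresses are assumptions built from the question's subnets (192.168.0.X inside, 10.10.10.X DMZ, 1.2.3.X outside) and the outside address is a placeholder.

```cisco
! Added example, ASA 5505 with Base license: two full VLANs plus one restricted VLAN.
! Vlan1 = inside, Vlan2 = outside, Vlan3 = dmz (names and addresses are assumptions).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan3
 ! Must be entered BEFORE nameif on the third VLAN, otherwise the Base
 ! license rejects the third named interface.
 ! The DMZ may not initiate traffic towards Vlan1 (inside), but inside
 ! can still initiate towards the DMZ, which is what the question asks for.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Put a switchport into the DMZ VLAN (port number is an assumption).
interface Ethernet0/2
 switchport access vlan 3
```

The restriction is one-directional: it only blocks sessions initiated from the restricted VLAN towards the named interface, so with this layout inside hosts can reach DMZ servers directly while the DMZ cannot open connections into the inside network. Check the result with 'show version' (license and VLAN limits) and 'show interface ip brief'.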

There are a couple of issues.

  1. ICMP is blocked by the ASA interface by default
  2. You cannot talk to a higher security-level interface from a lower security level interface.

Although this is for Cisco PIX, this link should still be of some use to you.


Chris Dix

If you configure 'same-security-traffic permit inter-interface' and have NAT enabled on an interface, then you must use NAT between the interfaces of the same security level. Add the following to your config:

access-list nat_inside_dmz extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nat_dmz_inside extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat_inside_dmz
nat (dmz) 0 access-list nat_dmz_inside
same-security-traffic permit inter-interface
no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


TimS
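The 'nat 0 access-list' exemption in the answer above is pre-8.3 syntax; the question text mentions an ASA running v8.4, where that form no longer exists and NAT exemption is written as identity twice NAT with network objects. The block below is an added example (not from TimS, Chris Dix or Cisco) that combines the two points raised in these answers for 8.3+: keep inside and DMZ traffic out of the outside PAT, and enable ICMP inspection so that pings get replies back. Interface names inside/dmz, the 192.168.0.0/24 and 10.10.10.0/24 subnets, and the ACL name DMZ_IN are assumptions taken from the question.

```cisco
! Added example for ASA 8.3 or later (assumed interface names: inside, dmz).
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
object network DMZ_NET
 subnet 10.10.10.0 255.255.255.0
!
! Identity twice NAT: inside<->dmz traffic keeps its real addresses and is
! therefore exempt from the outside PAT. Twice NAT is bidirectional, so one
! rule covers both inside->dmz and dmz->inside.
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static DMZ_NET DMZ_NET
!
! Only needed if inside and dmz are configured with the SAME security-level
! (the situation the answer above assumes); harmless otherwise.
same-security-traffic permit inter-interface
!
! ICMP is not inspected by default, so echo replies are dropped. Adding
! inspect icmp to the default policy makes ping work through the ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! dmz (50) -> inside (100) is denied by default. Applying an ACL to the dmz
! interface replaces the implicit rules, so be explicit about everything:
! allow only echo towards inside, keep everything else to inside denied,
! and keep Internet access for the DMZ.
access-list DMZ_IN extended permit icmp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 echo
access-list DMZ_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

Inside to DMZ needs no ACL because traffic from a higher to a lower security level is permitted by default; the usual cause of the symptom in the question is the outside PAT rule also catching inside-to-DMZ packets, which the identity NAT rule prevents. Verify with 'packet-tracer input inside tcp 192.168.0.10 12345 10.10.10.5 80' (addresses are constructed) and 'show nat detail'.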


I have an ASA 5505 with the Security Plus package and would like to set up a DMZ for an ISA server and a web server. Right now I have been able to set up a VLAN for the DMZ, was able to set up an external IP address for one of the DMZ servers, and am able to get out to the Internet on both DMZ servers. The problem I'm having is pinging either DMZ server from the inside network and pinging the inside from the DMZ network. Of course I am also not able to connect to any of the websites on the web server from the inside. Your help would be greatly appreciated.