Creating a DMZ with a Cisco ASA 5505
Creating a DMZ on an ASA is an easy way for small business clients to offer internet access to workers who sublease office space from them, without granting those workers access to the company server or other internal network resources. Only a few lines need to be added to a standard configuration.
- Telnet into your ASA and enter enable mode.
- Create a new VLAN. This article assumes that VLAN 2 faces the internet (outside) and VLAN 1 is the inside interface.
Enter configuration mode by typing:
ASA# conf t
Create the VLAN interface:
ASA(config)# int vlan3
Block forwarding from this VLAN to the inside VLAN (the ASA 5505 base license only permits a third VLAN if it cannot initiate traffic to one of the other two, which is also exactly the isolation a DMZ needs):
ASA(config-if)# no forward interface Vlan1
Name the VLAN interface:
ASA(config-if)# nameif dmz
Set the security level (between the outside interface's default of 0 and the inside interface's default of 100, so the inside can reach the DMZ but not the other way round):
ASA(config-if)# security-level 50
Give it an IP address:
ASA(config-if)# ip address 192.168.xx.1 255.255.255.0
Exit VLAN interface configuration:
ASA(config-if)# exit
- Link port 7 of the firewall to the DMZ (note that by default it is linked to the inside interface).
Configure the switch port:
ASA(config)# interface Ethernet0/7
Assign the switchport to the new VLAN:
ASA(config-if)# switchport access vlan 3
ASA(config-if)# exit
- Set up DHCP and DNS:
ASA(config)# dhcpd address 192.168.60.100-192.168.60.150 dmz
ASA(config)# dhcpd dns 4.2.2.1 interface dmz
ASA(config)# dhcpd enable dmz
- Set up Network Address Translation (this is the pre-8.3 NAT syntax; NAT ID 1 must match the global (outside) 1 statement that a standard configuration already carries for the inside interface, otherwise DMZ hosts will not be translated on their way out):
ASA(config)# nat (dmz) 1 0.0.0.0 0.0.0.0
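The steps above are easy to get subtly wrong: a DHCP pool that falls outside the interface subnet, a security level that is not actually lower than inside, or a forgotten no forward interface line. The following Python script is an added example, not part of the original article and not a Cisco tool: it parses a small constructed ASA-style configuration fragment (modelled on the commands above, with 192.168.60.1/24 assumed for the DMZ address in place of the article's 192.168.xx.1, and assumed addresses for inside and outside) and checks those three properties. Run it against a copy of your own "show run" output if you want the same checks on a real box.

```python
import ipaddress
import re

# Constructed sample configuration (not captured from a real device).
# The DMZ address 192.168.60.1/24 is an assumption; the article leaves it as 192.168.xx.1.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 3
!
dhcpd address 192.168.60.100-192.168.60.150 dmz
dhcpd dns 4.2.2.1 interface dmz
dhcpd enable dmz
"""

DOTTED = r"(\d+\.\d+\.\d+\.\d+)"


def parse_config(text):
    """Return (interfaces, dhcp_pools) from an ASA-style config fragment.

    interfaces: nameif -> dict(name, nameif, security_level, network, no_forward)
    dhcp_pools: nameif -> (first_ip, last_ip)
    """
    interfaces, pools, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)", line)
        if m:  # start of an interface block
            current = {"name": m.group(1), "nameif": None, "security_level": None,
                       "network": None, "no_forward": []}
            continue
        if current is not None and raw.startswith(" "):  # indented sub-command
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
                interfaces[current["nameif"]] = current
            elif line.startswith("security-level "):
                current["security_level"] = int(line.split()[1])
            elif line.startswith("no forward interface "):
                current["no_forward"].append(line.split()[-1].lower())
            else:
                # Only static addresses are parsed; "ip address dhcp" is ignored.
                m = re.match(rf"ip address {DOTTED} {DOTTED}$", line)
                if m:
                    current["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        current = None  # back at global config level
        m = re.match(rf"dhcpd address {DOTTED}-{DOTTED} (\S+)", line)
        if m:
            pools[m.group(3)] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return interfaces, pools


def check_dmz(interfaces, pools, dmz="dmz", inside="inside", outside="outside"):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    d, i, o = interfaces.get(dmz), interfaces.get(inside), interfaces.get(outside)
    if not (d and i and o):
        return ["missing one of the interfaces: dmz/inside/outside"]
    # 1. By default traffic may flow from a higher security level to a lower one,
    #    so the DMZ must sit strictly between outside and inside.
    if not (o["security_level"] < d["security_level"] < i["security_level"]):
        problems.append("dmz security-level is not between outside and inside")
    # 2. Base-licence restriction and DMZ isolation: the DMZ VLAN must not forward to inside.
    if i["name"].lower() not in d["no_forward"]:
        problems.append(f"{d['name']} lacks 'no forward interface {i['name']}'")
    # 3. The DHCP pool must lie inside the DMZ subnet and must not include the interface address.
    pool = pools.get(dmz)
    if pool is None:
        problems.append("no dhcpd address pool for dmz")
    elif d["network"] is None:
        problems.append("dmz interface has no static ip address")
    else:
        first, last = pool
        net = d["network"].network
        if not (first in net and last in net and first <= last):
            problems.append("dhcpd pool is outside the dmz subnet")
        elif first <= d["network"].ip <= last:
            problems.append("dhcpd pool overlaps the dmz interface address")
    return problems


if __name__ == "__main__":
    ifaces, dhcp = parse_config(SAMPLE_CONFIG)
    print(check_dmz(ifaces, dhcp) or "DMZ configuration checks passed")
```

The parser deliberately handles only the handful of statements the procedure touches; anything else in a real configuration is skipped rather than rejected, so the script can be pointed at a full running-config without modification.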
- Don’t forget to: