I've got an ASA 5505 here with a base license, configured with the usual Outside, Inside, DMZ configuration. The 'no forward' is activated from DMZ to Inside (so that connections can't be initiated from DMZ to Inside). The intended function of the DMZ is changing and now I want to change the config so that the 'no forward' is activated from Inside to DMZ.
Basically I want to allow machines inside DMZ to contact specific addresses in Inside. It is no longer important to allow connections in the opposite direction. My problem is when trying to change the settings. If I try to remove the old 'no forward' first, I get the error 'Cannot configure this command while using 3 or more interfaces' because the base license requires that with 3 interfaces, one 'no forward' must be activated somewhere. If I try to add the new 'no forward' first, I get the error 'Only one no forward command is allowed on an interface'. Since 2 out of 3 interfaces are used in the current 'no forward', there's no way for me to even set up a temporary one as a workaround. So, I want to move from one valid configuration to another, but due to it being a two-step process, I'm stuck where I am. Can anyone offer a solution, aside from completely redoing both the Inside and DMZ interfaces from scratch?
The base licence limits this by design. Simplest solution - upgrade to a plus licence - it's fairly cheap for the ASA5505 (a quick google indicates less than $500 without discount). You can initiate connections from Inside to DMZ. So maybe you could pull rather than push the info? You could try deleting the DMZ interface/config completely, then create it again and use the no forward to the outside. I'm unsure if this will work or not. It would mean the DMZ cannot access the internet! Otherwise it may be possible to completely reconfigure, turning it around so the outside is the DMZ etc., but then you will need manual ACLs and NAT/PATs as the default security levels would not work for you.
M@ttshaw wrote: The base licence limits this by design. Simplest solution - upgrade to a plus licence - it's fairly cheap for the ASA5505 (a quick google indicates less than $500 without discount). You can initiate connections from Inside to DMZ. So maybe you could pull rather than push the info? You could try deleting the DMZ interface/config completely, then create it again and use the no forward to the outside. I'm unsure if this will work or not. It would mean the DMZ cannot access the internet! Otherwise it may be possible to completely reconfigure, turning it around so the outside is the DMZ etc., but then you will need manual ACLs and NAT/PATs as the default security levels would not work for you.
The point is that the basic license does cover the configuration I'm trying to get to - just not the steps to get there. I want the no-forward to be from Inside to DMZ.
Preferably without having to delete and fully reprogram any zones.
I've inherited the support of a Cisco ASA 5505 with a Base License. I had set up / supported a PIX 525 cluster (with full / Enterprise License) years ago, so I'm extremely familiar with concepts.
The device has an Inside and Outside interface of course, and I need to create a 3rd interface (a DMZ) to attach to a router, which is attached to a frame-relay link. When I try to use the nameif command, I get: ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a 'no forward' command on this interface or on 1 interface(s) with nameif already configured. Someone on the Internet said that in order for this to work, you have to set up some sort of forwarding, where certain interfaces can only talk to other interfaces etc. etc. Apparently a limitation of this Base License?
I'd like to create a DMZ with its own IP subnet where I can route packets to this router that's attached to frame-relay. When doing this on my PIX525 cluster, I had Inside, Outside, and two DMZs, and it was easy as pie. PLUS: I'll also need to configure 'ASA/PIX 7.x: Redundant or Backup ISP Links', as the PDF says. Is this a total impossibility with the Base License? How screwed am I?
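The following is an added configuration example, not posted by anyone in either thread, showing what the base-licence restriction discussed in both questions looks like on an ASA 5505: a third named VLAN is only accepted when it (or one of the existing two) carries a 'no forward interface' toward another VLAN, and the two valid placements of that command correspond to the first poster's current and desired states. VLAN numbers, the Ethernet0/2 port assignment and all addresses are assumptions.

```cisco
! Assumed numbering: Vlan1 = inside, Vlan2 = outside, Vlan3 = DMZ on Ethernet0/2.
! Addresses are made up for the example.
!
! --- State A: DMZ cannot initiate connections to inside (first poster's current config).
! 'no forward interface' must be entered before 'nameif'; entering nameif first on
! a third VLAN produces the licence error quoted in the second question.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! --- State B: inside cannot initiate connections to the DMZ (the config the first
! poster wants). The single allowed 'no forward' now lives on Vlan1 instead of Vlan3.
interface Vlan1
 no forward interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! The DMZ still has to be allowed up to the higher security level explicitly.
! Only the listed DMZ host may reach the listed inside service; everything else
! bound for the inside subnet is dropped, and internet-bound traffic is allowed.
access-list DMZ_IN extended permit tcp host 192.168.3.10 host 192.168.1.20 eq 443
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

As the thread says, the base licence will not accept the one-command steps that take State A to State B, so the move is a licence upgrade or a remove-and-recreate of the affected VLANs. NAT exemption between dmz and inside is left out because its syntax depends on the ASA software version.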
See here: From it: Cisco ASA 5510 Security Plus license (provides Active/Active and Active/Standby high availability, increased session and VLAN capacities, and additional Ethernet interfaces) Wow, the 5510 ships with ports disabled? I guess the 5505 (what I'm using) is meant to double as a switch for some companies, but still.
I got the security plus for mine mostly for extra VLAN, as all it could do out of the box was outside, inside, and a sort-of DMZ. It did give me high availability but I don't have any use for it. From: 'Overview of Device Features Differences between Base License and Security Plus License The 5500 series comes in a variety of models but we are going to be focusing on the 5505 model, released in 2006. The 5505 model comes in two separate licenses. These licenses are the base and the security plus.
Both offer 150 megabits per second throughput, a maximum of 25 SSL VPN user sessions, and a maximum encrypted VPN throughput of 100 megabits per second. However, the security plus license has additional features. For example, it supports up to 25,000 maximum firewall connections whereas the base license only supports a maximum of 10,000.
It also supports a maximum of 25 site-to-site and remote access VPN sessions and the base license supports a maximum of 10. It should be noted that both licenses initially only support two VPN connections (2).
The security plus license also allows for a maximum of 20 virtual interfaces, commonly referred to as VLANs, with trunking enabled, and the base license supports a maximum of three. Unfortunately, neither of the licenses supports intrusion prevention, content security (which includes antivirus, anti spyware, and file blocking), or VPN clustering and load balancing. 'A major difference between the two licenses is that the base license does not allow traffic to be forwarded from one VLAN to another; this restriction is removed in the security plus license.
However, the base license does allow that particular VLAN to respond to requests. Another way of explaining this restriction is that there are two normal zones and one restricted zone that can only communicate with one of the other zones (2). This can potentially create problems when trying to implement a demilitarized zone (also known as a DMZ) as will be discussed in a later section.
This device also implements URL Filtering, Secure Desktop, IP Auditing, and can use certificates for identification.'
How do you have your NAT rules and ACLs configured? Your http requests from outside need to know where to go once they hit your ASA's outside interface. If your NAT/PAT rules and ACLs aren't configured properly, those http requests don't know where to go and will never reach your DMZ web server. That's my guess, seeing as though we don't know how your ASA has been configured. Gander at this article a bit and compare how you have your DMZ built.
The Security Plus license enables the 5510 to provide up to 100 VLANs (instead of 50 with the basic license), upgrades two of the interfaces on the back of the device to Gigabit Ethernet (instead of no Gigabit interfaces with the basic license), allows a maximum of 130,000 concurrent firewall connections (instead of 50,000 with the basic license), allows a maximum of five security contexts and allows for VPN clustering and load balancing.
Cisco Asa License
None of that should be affecting your ability to reach your DMZ web server.