ASA Licensing and Interfaces VPN

bbresslin asked:
I currently have two ASA 5505s running a site-to-site VPN. The remote site has a Base license, and the site-to-site VPN is set up to the inside interfaces on both sides. I also need to have access to the DMZ from the main site as well. Since the no forward command is applied to the DMZ interface, does this mean the inside can communicate with the DMZ, but the DMZ cannot initiate any communication to the LAN?
Yes. The base license allows only two active interfaces plus one 'restricted' interface, usually a DMZ. The restricted interface can only talk to one of the directly connected interfaces, usually the outside interface, and not any other interface.

The only way around this is to purchase the Security Plus license (to activate the unrestricted DMZ option).


So with my site-to-site VPN, am I able to communicate with the DMZ network at the remote site from the main site?
You should be able to since the VPN comes in from the 'outside' interface and traffic going back to the VPN would leave your 5505 on the outside (albeit encrypted) interface.
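To make the two answers concrete, here is a constructed configuration sketch for the remote-site ASA 5505 on a Base license. It is an added illustration, not configuration posted by the asker or the expert; the interface names, VLAN numbers, addresses, peer, transform-set name and the pre-8.3 NAT syntax are all assumptions. It shows the restricted third VLAN with `no forward interface Vlan1` (which must be entered before `nameif`), and the crypto ACL and NAT exemption that have to include the DMZ subnet so that main-site traffic to the DMZ actually goes through the tunnel.

```cisco
! Constructed example (added here, not from the original thread).
! Remote-site ASA 5505, Base license, pre-8.3 NAT syntax. All names,
! VLAN numbers, addresses and the peer are assumptions.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Third VLAN = the Base-license "restricted" interface.
! "no forward interface Vlan1" stops the DMZ from initiating traffic
! to the inside VLAN; inside -> DMZ and the replies are still allowed.
! The command must precede nameif.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Interesting traffic for the tunnel must list the DMZ subnet as well as
! the inside subnet; otherwise main-site (192.168.1.0/24) traffic to the
! DMZ is never encrypted. The main-site ASA needs the mirror-image entries.
access-list vpn_to_main extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_to_main extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! NAT exemption so tunnelled traffic keeps its real addresses.
access-list nonat_inside extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat_dmz extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz
!
crypto map outside_map 10 match address vpn_to_main
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

After the tunnel is up, `show crypto ipsec sa` on either side should list a proxy identity for 192.168.3.0/24 alongside 192.168.2.0/24, and `packet-tracer input outside tcp 192.168.1.10 1024 192.168.3.10 80` on the remote ASA will walk the decrypted flow through to the dmz interface. One caveat worth noting: `no forward interface Vlan1` only blocks the DMZ from initiating traffic to the local inside VLAN. With the DMZ subnet in the crypto ACL, DMZ hosts can still initiate connections to the main site across the tunnel, so the main-site ASA's inbound policy should limit what the remote DMZ is allowed to reach.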
