Cisco ASA5505 DMZ setup with ASDM

Posted on 2011-10-12
Last Modified: 2012-05-12
I am trying to set up a new router with a DMZ interface. How do I set up this interface using ASDM and allow users connected to this interface to reach the internet? I don't want the DMZ to be able to communicate with the inside interface.
Question by:adanser83
    LVL 12

    Expert Comment

    Set your interface to be a DMZ:

    interface Ethernet0/2
     nameif mirth
     security-level 50
     ip address

    You must NAT your DMZ traffic. You probably have a line like this:
    global (outside) 10 interface

    This NATs all traffic in set '10' to the IP address of the outside interface. Assuming yours is the same, then you need:
    nat (DMZ) 10

    That should be it.
    LVL 12

    Expert Comment

    If you insist on using ASDM, try this link:

    It's for the PIX, but it's very similar if you are familiar with the concepts. If you post your full config with passwords and public IP address removed, we can post a customized config for you too.

    Author Comment

    Here is my current config:

    Result of the command: "show run"

    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 6ZoFBEConbp3Z7DJ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    name XO-Gateway
    name SEO1-IN
    name SEO1-OUT
    name SEO2-IN
    name SEO2-OUT
    name SEO3-IN
    name SEO3-OUT
    name SEO4-IN
    name SEO4-OUT
    name SEO5-IN
    name SEO5-OUT
    name SEO6-IN
    name SEO6-OUT
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
     switchport access vlan 12
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address 71.5.x.x
    interface Vlan3
     no forward interface Vlan1
     nameif DMZ
     security-level 50
     ip address
    ftp mode passive
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     service-object icmp echo-reply
    access-list outside_access_in extended permit tcp any any eq ssh
    access-list outside_access_in extended permit tcp any any eq telnet
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_access_in extended permit tcp any any eq https
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool IP-Remote-VPN mask
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    nat (DMZ) 0
    static (inside,outside) SEO1-OUT SEO1-IN netmask
    static (inside,outside) SEO2-OUT SEO2-IN netmask
    static (inside,outside) SEO3-OUT SEO3-IN netmask
    static (inside,outside) SEO4-OUT SEO4-IN netmask
    static (inside,outside) SEO5-OUT SEO5-IN netmask
    static (inside,outside) SEO6-OUT SEO6-IN netmask
    access-group outside_access_in in interface outside
    route outside XO-Gateway 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server PTMS-AD protocol ldap
    aaa-server PTMS-AD (inside) host
     timeout 5
     server-type auto-detect
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc enable
    group-policy PTMS-RemoteVPN internal
    group-policy PTMS-RemoteVPN attributes
     vpn-tunnel-protocol svc
    tunnel-group SSL-VPN type remote-access
    tunnel-group SSL-VPN general-attributes
     address-pool IP-Remote-VPN
     authentication-server-group PTMS-AD
     default-group-policy PTMS-RemoteVPN
    prompt hostname context
    call-home reporting anonymous prompt 1
    : end
    LVL 12

    Accepted Solution

    I believe your problem is this line:

    nat (DMZ) 0

    You are performing NAT exemption.

    Try adding these lines:

    no nat (DMZ) 0
    nat (DMZ) 1
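
As an added example (my code, not the thread's and not Cisco's), the following Python script models the 8.2-style NAT-control behaviour both expert comments describe: an interface whose only nat statement is `nat (ifc) 0` is NAT-exempt and its private-addressed traffic leaves untranslated, whereas `nat (ifc) N` paired with `global (outside) N interface` gives dynamic PAT to the outside address. It parses those lines (plus nameif/security-level and access-group) from a running-config, reports a verdict per interface, emits the same two CLI lines as the accepted solution, and re-checks the verdict after applying them. It also reports the default security-level rule for DMZ-to-inside initiation, the second half of the question. The function names, the verdict strings and SAMPLE_CONFIG (constructed to mirror the poster's inside/outside/DMZ layout, with sanitised addresses omitted) are all mine, not anything from the thread.

```python
"""Added example, not from the thread or from Cisco: a checker for 8.2-style
(pre-8.3) ASA NAT configuration. It parses nameif/security-level, global,
nat and access-group lines, reports whether each interface's outbound traffic
is translated toward the internet interface or NAT-exempt (nat (ifc) 0), and
emits the CLI lines that convert the exemption into dynamic PAT."""
import re

GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<pool>.+)$")
NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+)(?: (?P<rest>.*))?$")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<ifc>[\w-]+)$")

def parse(config_text):
    """Collect security levels, globals by nat-id, nat rules and inbound ACLs per interface."""
    levels, globals_by_id, nats_by_ifc, acl_by_ifc = {}, {}, {}, {}
    current = None  # nameif of the interface block currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        elif (m := GLOBAL_RE.match(line)):
            globals_by_id.setdefault(int(m["id"]), []).append((m["ifc"], m["pool"]))
        elif (m := NAT_RE.match(line)):
            nats_by_ifc.setdefault(m["ifc"], []).append((int(m["id"]), (m["rest"] or "").strip()))
        elif (m := ACCESS_GROUP_RE.match(line)):
            acl_by_ifc[m["ifc"]] = m["acl"]
    return {"levels": levels, "globals": globals_by_id, "nats": nats_by_ifc, "acls": acl_by_ifc}

def outbound_verdict(config_text, ifc, internet_ifc="outside"):
    """'exempt': a nat (ifc) 0 exists, packets leave untranslated (private sources
    are unroutable on the internet); 'translated': nat (ifc) N pairs with a
    global (internet_ifc) N; 'no-global': nat N has no matching global; 'no-nat':
    no nat statement (untranslated under the 8.2 default of no nat-control)."""
    cfg = parse(config_text)
    rules = cfg["nats"].get(ifc, [])
    if not rules:
        return "no-nat"
    # Report any nat 0 first: it is exactly what the accepted fix removes.
    if any(nat_id == 0 for nat_id, _ in rules):
        return "exempt"
    for nat_id, _ in rules:
        if any(g_ifc == internet_ifc for g_ifc, _ in cfg["globals"].get(nat_id, [])):
            return "translated"
    return "no-global"

def initiation_verdict(config_text, from_ifc, to_ifc):
    """Default ASA rule for connections initiated from from_ifc into to_ifc;
    an inbound ACL applied to from_ifc replaces the implicit security-level rule."""
    cfg = parse(config_text)
    if from_ifc in cfg["acls"]:
        return "governed-by-acl:" + cfg["acls"][from_ifc]
    if cfg["levels"][from_ifc] > cfg["levels"][to_ifc]:
        return "allowed-by-security-level"
    return "denied-by-security-level"

def fix_lines(config_text, ifc, nat_id=1):
    """CLI lines that remove each nat (ifc) 0 and add dynamic NAT under nat_id."""
    rules = parse(config_text)["nats"].get(ifc, [])
    lines = [f"no nat ({ifc}) 0 {rest}".rstrip() for rid, rest in rules if rid == 0]
    lines.append(f"nat ({ifc}) {nat_id} 0.0.0.0 0.0.0.0")
    return lines

def apply_fix(config_text, ifc, nat_id=1):
    """Return the config with fix_lines applied, so the verdict can be re-checked."""
    kept = []
    for raw in config_text.splitlines():
        m = NAT_RE.match(raw.strip())
        if m and m["ifc"] == ifc and int(m["id"]) == 0:
            continue  # drop the exemption line
        kept.append(raw)
    kept.append(f"nat ({ifc}) {nat_id} 0.0.0.0 0.0.0.0")
    return "\n".join(kept) + "\n"

# Constructed sample mirroring the thread's layout; not the poster's config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for ifc in ("inside", "DMZ"):
        print(f"{ifc} outbound: {outbound_verdict(SAMPLE_CONFIG, ifc)}")
    print("DMZ -> inside:", initiation_verdict(SAMPLE_CONFIG, "DMZ", "inside"))
    print("fix for DMZ:", *fix_lines(SAMPLE_CONFIG, "DMZ"), sep="\n  ")
    print("DMZ outbound after fix:", outbound_verdict(apply_fix(SAMPLE_CONFIG, "DMZ"), "DMZ"))
```

Run against the poster's own `show run` output the parser copes with the sanitised `nat (inside) 1` and `nat (DMZ) 0` lines (the stripped address fields parse as an empty remainder), so the DMZ verdict is "exempt" before the change and "translated" after it. The `initiation_verdict` check models only the general security-level rule; the `no forward interface Vlan1` line in the poster's Vlan3 block is the separate ASA 5505 base-license restriction that already stops the third VLAN from initiating connections to the inside VLAN. The regular expressions cover the pre-8.3 syntax only; ASA 8.3 and later use object-based NAT and this script would report "no-nat" for every interface there.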

    Author Comment

    Thank you for your help I will try these changes after hours and let you know tomorrow.
