travisryan

ASA 5506 EasyVPN & DMZ "ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled."

I need to set up a DMZ interface for my ASA 5506 (IOS ver 9.5.2) that's set up as an Easy VPN client. When I try to modify the third interface I get this: "ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled."

Googling around I found this thread which says such a thing should be possible but doesn't mention the above error message: https://supportforums.cisco.com/discussion/12460931/dmz-interface-asa-5506-x

Googling around for that error message I can only find the below two posts that don't seem to have anything to do with my issue:

https://supportforums.cisco.com/discussion/11219271/ssl-vpn-not-working
https://supportforums.cisco.com/discussion/11092461/asa5505-vlan1-subnet-change-remotely

I have the sneaking suspicion I can't have Easy VPN (client) and DMZ set up on the same device but I hope I'm wrong. Any help is appreciated.

Last Comment
Ernie Beek

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Ernie Beek

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
travisryan

ASKER
The situation I'm running into is that the firewall is at a remote location; it's set up with Easy VPN so users, phones, printers, etc. at that location can just plug in or get on Wi-Fi and have a connection like they were sitting in our home location. Now we have another business that wants their own connection in our location.

My plan was to sit them on the DMZ and pass all traffic destined for their device through and block their device from getting to the inside network (my company's network). Is there another way to accomplish this with the equipment we already have?
Ernie Beek

Doesn't the 5506 have eight interfaces? So can't you use another interface for that?
travisryan

ASKER
Ernie, I ended up finding an alternative solution. Thanks for all of your help.
Ernie Beek

Good to hear.
Would you mind sharing your solution with us? Perhaps someone else can profit from that.
travisryan

ASKER
Ernie, instead of putting equipment from another company on the inside of my ASA (since DMZ is not available) and trying to create ACL rules to isolate it, I requested a small range of static IPs from my internet provider, plugged the internet connection into a dumb switch, gave the outside interface on my ASA one static IP, then let the other company plug their equipment into that dumb switch and gave them an outside IP address to use from that static range.

This way, their equipment never directly interacts with my equipment.
Ernie Beek

Good call, and everybody is happy. Thanks for sharing.