Adding DMZ to Cisco ASA5505

Even your Cisco ASA5505 can have a DMZ, though not a full one. With the Base license you can create a third interface and VLAN, but you must block traffic from that interface to one of the other two.

Below I’m going to tell you how to set up a DMZ on your Cisco ASA5505. All I needed for my network was two network segments that both had external access but could not communicate with each other. This lets two people’s workstations sit on the same ASA5505 without being able to infect one another. Also, one person is allowed to use the site-to-site VPN, and the other is not.

  1. Open the Cisco ASDM
  2. Click ‘Configuration’ at the top, ‘Interfaces’ on the left.
  3. Click the ‘Add’ button on the right.
  4. Specify the network jacks you want to be on the new vlan.
  5. I recommend using ‘dmz’ for the network interface name, and security level ‘50’.
  6. Make sure ‘Use Static IP’ radio button is checked.
  7. In the IP address field, enter the new interface’s IP on an unused subnet. For example ‘’
  8. Subnet mask: ‘’
  9. Click the ‘Advanced’ tab at the top.
  10. In the ‘VLAN ID’ field, type ‘3’. Having VLANs 1, 2, and 12 or whatever is just dorky.
  11. Under Block Traffic, select ‘vlan1 (inside)’.
  12. Hit ‘Ok’, ‘Apply’

Great! You’ve created the interface, but you want to be able to browse to the outside. You’ll need to create a dynamic NAT for that.

  1. Click ‘NAT’ on the left.
  2. Click ‘Add’ at the top, select ‘Dynamic NAT Rule’.
  3. Select the new interface ‘dmz’ from the drop down at the top.
  4. Click the ‘…’ button on the right, and select the dmz network
  5. Under ‘Dynamic Translation’ change ‘Interface’ to ‘Outside’.
  6. Put a check next to the ‘outside’ address pool.
  7. Hit ‘Ok’, ‘Apply’

One last thing. I really dig having at least a couple of DHCP addresses on every port. So let’s configure DHCP!

  1. Click ‘Properties’ on the left.
  2. Click the ‘+’ sign next to ‘DHCP Services’.
  3. Click DHCP Server.
  4. Under ‘Other DHCP Options’ make sure the ‘Enable auto-configuration…’ check box is unchecked.
  5. The DNS servers are probably the same for both subnets. Feel free to enter them here, in the global section, and leave the DNS Server boxes for each interface blank.
  6. Hit the ‘Apply’ button.
  7. Click the ‘dmz’ entry at the top, and click ‘Edit’.
  8. Check the check box for ‘Enable DHCP server’.
  9. Enter an address pool, for example: ‘’ to ‘’
  10. Hit ‘Ok’, ‘Apply’.

Save and reload the device, and you should be in business!
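For reference, here is the same setup as it lands in the running configuration if you do it from the ASA CLI instead of ASDM. This is an added example, not from the original post; it assumes the pre-8.3 NAT syntax that matches the address-pool style NAT dialog described above, and the IP addresses, DNS servers and the Ethernet0/5 switch port are constructed placeholders.

```cisco
! Added example (not from the original post): ASA 5505 CLI equivalent of
! the three ASDM procedures above, pre-8.3 NAT syntax. All addresses,
! DNS servers and the switch port below are constructed placeholders.

! --- 1. Third VLAN / interface (Base license) ---
! The Base license requires the third VLAN to be barred from initiating
! traffic to one other VLAN; this is what ASDM's "Block Traffic:
! vlan1 (inside)" generates. The "no forward" line must precede "nameif".
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Assign one switch port to the new VLAN (constructed: Ethernet0/5)
interface Ethernet0/5
 switchport access vlan 3
!
! --- 2. Dynamic NAT so dmz hosts can browse to the outside ---
! Pool 1 on outside usually already exists for the inside network;
! the nat line adds the dmz subnet to that pool (PAT to the outside IP).
global (outside) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
!
! --- 3. DHCP on the dmz interface ---
! Auto-configuration off, DNS servers set globally, pool bound to dmz.
no dhcpd auto_config outside
dhcpd dns 203.0.113.53 203.0.113.54
dhcpd address 192.168.3.50-192.168.3.60 dmz
dhcpd enable dmz
```

Check the result with `show running-config interface Vlan3` (the `no forward interface Vlan1` line must be present, or the ASA will refuse the `nameif` on a Base license) and `show xlate` after a dmz host has browsed out.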

Published by

Anthony Curreri

Anthony Curreri has lived aboard a boat since 2007, first on a 27′ sailboat, now he lives aboard Lunasea, a 1970 Chris Craft Commander 42. He has worked at the University of Washington since 2006, graduated from the University of Wisconsin Oshkosh with a degree in Computer Science in 2004, and had his first job at a dial-up internet service provider in 1999.

12 thoughts on “Adding DMZ to Cisco ASA5505”

  1. never mind… the solution is to add a static NAT from the inside network that translates to dmz (IP address to be the inside network again)

  2. Awesome! I KNEW I forgot something (since I had no route out!)

    The stinking NAT statement!

    I LOVE your quick down and dirty step-by-step.

    Thank you for saving me a few hours and a bloody forehead!

  3. Excellent, it looks like this is for an older ASDM than is currently out, but still a very helpful walkthrough. The biggest stumbling point for me was

    “The DNS Servers are probably the same for both subnets. Feel free to put them in out here, and leave the DNS Server boxes for each interface blank.”

    In the latest ASDM you double click the interface, adjust the DNS server for the interface but leave the global DHCP Options/Global DNS servers blank.

    1. I am pretty sure I just had the base license, but I don’t remember what the difference is between the two anymore.

  4. Can’t get internet on DMZ (vlan3), and also the Inside network can’t ping the DMZ network. Please help me with the configuration on ASA 5505 base :(

    Inside Network : (Vlan1)
    DMZ Network : (Vlan3)
    Outside : PPPOE (Vlan2)

    Thanx in advance :)

  5. Missed mentioning that I have already added a static NAT from the inside network that translates to dmz (IP address to be the inside network again) and also configured DHCP and DNS settings based on your post.

    I’m pretty sure I’m missing something. Would be glad to get a quick response. Thanx

    1. It sounds to me like you didn’t follow the directions in the middle… you need to create a Dynamic NAT from the interface you need internet on (the dmz), to the *outside* interface. Unfortunately it’s been years since I’ve worked on these things so I’m not going to be much help.

  6. I have followed this and the internet is working on my dmz ports.
    But how do I open a port like 8888 in the dmz zone?
    I opened ports like 80 for my Inside zone and it’s working, but the same configuration does not work in the dmz zone.
    I thought that dmz zones were all open!

    Thank you very much.
