Creating a DMZ with a Cisco ASA 5505

Creating a DMZ on an ASA is an easy way for small business clients to offer internet access to workers who sublease office space from them without granting access to the company server or other network resources. One only needs to add a few lines to a standard configuration.

  1. Telnet into your ASA and enter the enable mode.
  2. Create a new VLAN. This article assumes that VLAN 2 is facing the internet and VLAN 1 is the inside interface.

Enter the configuration terminal by typing:

ASA# conf t

Create the VLAN:

ASA(config)# int vlan3

Turn off interface forwarding:

ASA(config-if)# no forward interface Vlan1

Name the VLAN:

ASA(config-if)# nameif dmz

Set the security level:

ASA(config-if)# security-level 50

Give it an IP address:

ASA(config-if)# ip address 192.168.xx.1

Exit vlan interface configuration:


  3. Link port 7 of the firewall to the DMZ (note that by default it is linked to the inside interface).

Configure the switch port:

ASA(config)# interface Ethernet0/7

Link the switch port to the VLAN:

ASA(config-if)# switchport access vlan 3

ASA(config-if)# exit

  4. Set up DHCP and DNS:

ASA(config)# dhcpd address dmz

ASA(config)# dhcpd dns interface dmz

ASA(config)# dhcpd enable dmz

  5. Set up Network Address Translation:

ASA(config)# nat (dmz) 1

  6. Don’t forget to:

ASA# write
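
To confirm the result, the following added example (not part of the original article) checks a saved running-config for the three settings the steps above rely on: "no forward interface Vlan1" on the DMZ VLAN, a DMZ security level below the inside interface, and a switch port assigned to the DMZ VLAN. The sample config is constructed and trimmed, and the function names are hypothetical.

```python
import re
# Constructed, trimmed `show running-config` excerpt (not captured from a real device).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
!
interface Ethernet0/7
 switchport access vlan 3
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of sub-commands under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def security_level(cmds):
    """Return the configured security-level as an int, or None if absent."""
    m = re.search(r"^security-level (\d+)$", "\n".join(cmds), re.M)
    return int(m.group(1)) if m else None

def audit_dmz(config, dmz="Vlan3", inside="Vlan1"):
    """Return a list of findings; an empty list means every check passed."""
    ifs = parse_interfaces(config)
    if dmz not in ifs:
        return [f"{dmz} is not defined"]
    findings = []
    if f"no forward interface {inside}" not in ifs[dmz]:
        findings.append(f"{dmz} is missing 'no forward interface {inside}'")
    d, i = security_level(ifs[dmz]), security_level(ifs.get(inside, []))
    if d is None or i is None or d >= i:
        findings.append(f"{dmz} security-level is not below {inside}")
    port_cmd = f"switchport access vlan {dmz[len('Vlan'):]}"
    if not any(port_cmd in c for n, c in ifs.items() if n.startswith("Ethernet")):
        findings.append(f"no switch port is assigned to {dmz}")
    return findings
```

Call audit_dmz() on the text of a saved running-config; any returned finding names the setting that no longer isolates the DMZ from the inside network.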

