Dec 29, 2010

Command: forward interface

From ASA Command Reference:

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the forward interface command in interface configuration mode to restore connectivity for one VLAN from initiating contact to one other VLAN. To restrict one VLAN from initiating contact to one other VLAN, use the no form of this command. You might need to restrict one VLAN depending on how many VLANs your license supports.

In routed mode, you can configure up to three active VLANs with the ASA 5505 adaptive security appliance Base license[...]. An active VLAN is a VLAN with a nameif command configured. [...]With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside work network, and a third VLAN assigned to your home network. The home network does not need to access the work network, so you can use the no forward interface command on the home VLAN; the work network can access the home network, but the home network cannot access the work network.

Syntax: no forward interface vlan number

It means that with the Base license, you can have a restricted DMZ. Usually DMZ hosts are not supposed to initiate traffic for the outside interface, thereby there is inbound traffic only. Thus you can set the DMZ interface to not initiate traffic for the outside using the command no forward interface. The DMZ hosts would be able to communicate with internal hosts (such as DB servers).


asa(config)# end
asa# wr mem

3 comments:

  1. Hi. On ASA5505 with a basic license. I have Vlan 1 for LAN, Vlan 2 for Internet . Can I add vlan 3 for Guest WiFi access, so it will not access VLAN 1, but it must get to Vlan 2 for internet connectivity?

    ReplyDelete
    Replies
    1. Hi Khamees

      Yes, you can. In this case you have to configure the new interface with "no forward interface vlan 1", then it won't be able to send traffic to VLAN1, but VLAN1 can initiate traffic to the new VLAN3. Remember that this is the first command to use when you setup the new interface, before nameif, ip address, and so on. In the end you will have:

      VLAN1 <-> VLAN2
      VLAN1 -> VLAN3
      VLAN2 <-> VLAN3

      Delete
  2. Thanks, Sounds like a plan now :)

    ReplyDelete