ASA5506-X Configuration/network position!

Imma
Level 1

Hello all,

To increase the network security in a small business network I want to install an ASA5506-X firewall.

The problem is that I am not sure where to locate the firewall.

There are two ISP lines (PPPoE connections) configured in a Mikrotik router.

May anyone advise me where to place the firewall: in front of the router or after it?

Thank you in advance,

Kind Regards,

Denisa

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame

You can introduce the FW as below:

Internet ----Mikrotik---FW---Switch----Users

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


17 Replies


johnlloyd_13
Level 9

Hi,

It depends on the IT requirement.

Is the site keeping the dual ISP/PPPoE lines?

Is the Mikrotik router still under warranty? Note the 5506-X can also support PPPoE.

Hello,

Is the site keeping the dual ISP/PPPoE lines?

Yes, both lines are needed.

I used to configure an ASA as both router and FW before, for another client. I configured one line to be primary and one secondary, and it worked fine. But it was 2xITSP-ASA-SW-Users.

Now I am not sure how to configure the ASA. I installed it after the Mikrotik (as Balaji recommended); it received an IP address from the DHCP of the Mikrotik, and the computer I connected behind the ASA also received an IP address via DHCP.

What should I do next?

Is the Mikrotik router still under warranty?

Hmm, I don't know. I have to check this. Why is this needed?

Thank you in advance for your help,

Denisa

I have suggested this keeping in mind that you do not want to replace the Mikrotik. If that is possible, a well-suited solution is for only the ASA to handle all traffic; again, it depends on the client.

Now I am not sure how to configure the ASA. I installed it after the Mikrotik (as Balaji recommended); it received an IP address from the DHCP of the Mikrotik, and the computer I connected behind the ASA also received an IP address via DHCP.

What should I do next?

There are 2 ways to do this here.

1. The ASA can be in transparent mode, so you can get the IP address directly from the Mikrotik.

2. If the ASA is in routed mode, you need to forward the traffic to the Mikrotik (and the Mikrotik does the NATting), so users are able to reach the internet.

Finally, this is not a great approach for a small environment: 2 FWs in the path, since there is no network in between the FWs.

BB

Hello Balaji,

So the best solution will be to replace the Mikrotik with the ASA?

I will try to configure all the services on the ASA and let you know if it functions well.

Thank you again,

Kind Regards,

Denisa

Yes, that is the best approach, so you have all control with 1 FW rather than doing it in multiple places. Keep us posted on any hurdles.

BB

Hi again,

I added the configuration lines below:

interface GigabitEthernet1/1
nameif outside_Abissnet
security-level 0
pppoe client vpdn group Abissnet
pppoe client route distance 2
ip address pppoe setroute

vpdn group Abissnet request dialout pppoe
vpdn group Abissnet ppp authentication chap
vpdn group Abissnet localname 044216072
vpdn username 044216072 password ***** store-local
!
interface GigabitEthernet1/2
nameif outside_Abcom
security-level 0
pppoe client vpdn group Abcom
ip address pppoe setroute
!
vpdn group Abcom request dialout pppoe
vpdn group Abcom localname pc.store
vpdn group Abcom ppp authentication chap
vpdn username xx.store password ***** store-local

I tested both lines separately. Neither is getting authenticated.

The debugs are below:

ciscoasa# PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed

ciscoasa#
PPPoE: PADO
PPPoE: PADO
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PADT
PPPoE: Shutting down client session
PPPoE: padi timer expired

ciscoasa# debug pppoe packet
debug pppoe packet enabled at level 1
ciscoasa#
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:7872.5d00.ce9e Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: PPPoE:(Rcv) Dest:7872.5d00.ce9e Src:d46d.50ac.54c0 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-2-PPPoE

PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 246E045F
PPPoE: 90134CB2
PPPoE: 41B93127
PPPoE: 721CF384
PPPoE:

PPPoE: send_padr:(Snd) Dest:d46d.50ac.54c0 Src:7872.5d00.ce9e Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-2-PPPoE

PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 246E045F
PPPoE: 90134CB2
PPPoE: 41B93127
PPPoE: 721CF384
PPPoE:

PPPoE: PPPoE:(Rcv) Dest:7872.5d00.ce9e Src:84b8.025d.f540 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-1-PPPoE

PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 04BB3BAE
PPPoE: 7F5BA1E9
PPPoE: ED3FC54F
PPPoE: 22F2C899
PPPoE:

What am I missing?

Kind Regards,

Denisa
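The CHAP failure line in the debug above carries the access concentrator's reason as a hex string, and the PPPoE lines show discovery completing (PADS) before the session is torn down (PADT). As an added Python example (not from the original post), this parses debug lines of that shape, decodes the reason, and separates a discovery problem from an authentication problem; the sample lines are constructed in the shape of the output quoted above.

```python
import re

# Constructed sample in the shape of the ASA "debug ppp" / "debug pppoe" output
# quoted in the thread (the CHAP failure hex string is the one the post shows).
SAMPLE_DEBUG = """\
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPPoE: PADO
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PADT
PPPoE: Shutting down client session
"""

CHAP_FAILURE_RE = re.compile(r"PPP chap receive failure:\s*([0-9a-fA-F]+)")
# Only bare stage lines ("PPPoE: PADS"), not "PPPoE: IN PADS from ..." commentary.
PPPOE_STAGE_RE = re.compile(r"^PPPoE:\s*(PADI|PADO|PADR|PADS|PADT)\b")


def decode_chap_failure(hex_message: str) -> str:
    """The CHAP Failure packet carries the server's reason as raw bytes; the ASA logs it as hex."""
    return bytes.fromhex(hex_message).decode("ascii", errors="replace")


def summarize_pppoe_debug(text: str) -> dict:
    """Return the discovery stages seen, in order, plus any decoded CHAP failure reasons."""
    stages, reasons = [], []
    for line in text.splitlines():
        m = PPPOE_STAGE_RE.match(line)
        if m:
            stages.append(m.group(1))
            continue
        m = CHAP_FAILURE_RE.search(line)
        if m:
            reasons.append(decode_chap_failure(m.group(1)))
    # PADS means discovery succeeded; a PADT after it means the AC closed the
    # session, so the fault lies in the PPP/authentication phase, not in PPPoE.
    discovery_ok = "PADS" in stages
    torn_down = "PADT" in stages
    return {
        "stages": stages,
        "chap_failures": reasons,
        "discovery_ok": discovery_ok,
        "torn_down_after_discovery": discovery_ok and torn_down,
    }


if __name__ == "__main__":
    print(summarize_pppoe_debug(SAMPLE_DEBUG))
```

Run against a real debug capture, a decoded reason such as "Authentication failed" with discovery completing points at the credentials or the ISP's authentication side rather than at the PPPoE discovery exchange.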

Have you replaced the Mikrotik router with the ASA as per Balaji's comments?

Hi,

Yes, correct. I created the PPPoE connection straight to the ASA.

Kind Regards,

Denisa

Hi,

Update: The problem was on the ISP side.

Kind Regards,

Denisa

So is this resolved after the ISP side changes? So the ASA is handling both ISP connections?

BB

Yes, Balaji, correct. It is working with both ISPs.

But I am not sure how to configure the DNS for DHCP for both ISPs. I configured the DNS on one ISP as below:

dhcpd address 192.168.2.130-192.168.2.200 LAN_PC
dhcpd dns 80.x.x.x 80.x.x.x interface LAN_PC
dhcpd domain pc.al interface LAN_PC
dhcpd enable LAN_PC

But it is not working for the other ISP unless I add the static DNS on the network card of the PCs.

What do you think, should I configure public DNS under DHCP?

Or should I add global DNS as below:

dns server-group DefaultDNS
name-server 208.67.222.222    ******public ISP******
name-server 80.x.y.35     ******first ISP dns******
name-server 80.x.y.34
name-server 80.x.y.66    ******second ISP dns******
name-server 80.x.y.67
name-server 192.167.2.7

Attached is the view of ASDM for DNS.

Thank you in advance,

Denisa

I think your problem is this: if you use the ISP1 IP as the DNS server and that link fails, your query goes out via ISP2, but there is a delay here.

2 options. If possible, run your own DNS server locally, which in turn gets updates from the ISP.

The other one: use Google DNS, so it has both sides of the ISP connection to get the DNS query.

Make sense?

BB

Yes, it makes sense.

I configured the DNS of Google under dhcpd. Unfortunately, I am having a strange situation with both providers. Some pages like cisco.com or community.cisco.com (everything on the cisco domains) cannot be opened. I am able to nslookup these domains, but not able to open them in a browser.

Or when I try to test internet speed, it displays the error "may be blocked by a firewall".

Should I create an access list permit rule?

Any idea would be appreciated.

Kind Regards,

Denisa