
ASA5506-X Configuration/network position!

Imma
Level 1

Hello all,

 

To increase the network security in a small business network I want to install an ASA5506-X firewall.

The problem is that I am not sure where to locate the firewall. 

There are two ISP lines (PPPoE connection) configured in a Mikrotik router. 

 

Can anyone advise me where to place the firewall: in front of the router or after it?

 

Thank you in advance,

 

Kind Regards,

Denisa

17 Replies

If you have ASDM, check whether the real-time logs show you the reason it was dropped.

 

BB


Hi Balaji,

Yes, I have configured ASDM access.

I can see logs like the one below, when I try to open pages that are being blocked by ASA:

4 Jul 07 2019 15:36:27 113.255.38.74 12113 192.168.2.131 18231 Deny udp src outside_Abissnet:113.255.38.74/12113 dst LAN_PCstore:192.168.2.131/18231 by access-group "outside_Abissnet_access_in" [0x0, 0x0]

I don't understand why! When I first connected today I was able to open every page. Suddenly now the access for some pages has disappeared! As I understand, the ASA is a stateful FW, so it must allow the replies to requests that are initiated from inside.

ciscoasa# show run access-list
access-list outside_Abcom_access_in extended permit tcp any object VOIP-192.168.3.33 eq sip
access-list outside_Abcom_access_in extended permit object-group DM_INLINE_SERVICE_1 any object test-192.168.2.131
access-list outside_Abissnet_access_in extended permit tcp any object VOIP-192.168.3.33 eq sip
access-list outside_Abissnet_access_in extended permit object test-7070 any object test-192.168.2.131

ciscoasa# show run access-group
access-group outside_Abissnet_access_in in interface outside_Abissnet
access-group outside_Abcom_access_in in interface outside_Abcom

 

I have attached some other Deny logs also

 

Thank you,

Denisa

Hi all,

Sorry for my late reply. I have been on holiday.

 

The ASA was denying some pages because of an access rule (open port 7070) that I created for testing purposes. With this access rule I just open port 7070 (realserver) on the ASA for my laptop. And I don't know why access-group outside_Abissnet_access_in in interface outside_Abissnet resulted in denying some pages.

 

Thank you,

Kind Regards,

Denisa
