07-29-2019 08:01 AM - edited 02-21-2020 09:21 AM
Hello all,
To increase the network security in a small business network I want to install an ASA5506-X firewall.
The problem is that I am not sure where to locate the firewall.
There are two ISP lines (PPPoE connections) configured in a Mikrotik router.
Can anyone advise me where to place the firewall: in front of the router or after it?
Thank you in advance,
Kind Regards,
Denisa
07-29-2019 08:29 AM
You can introduce the FW as below:
Internet ----Mikrotik---FW---Switch----Users
07-31-2019 12:58 AM
Hi,
It depends on the IT requirement.
Is the site keeping the dual ISP/PPPoE lines?
Is the Mikrotik router still under warranty? Note that the 5506-X can also support PPPoE.
07-31-2019 02:03 AM - edited 07-31-2019 02:04 AM
Hello,
Is the site keeping the dual ISP/PPPoE lines?
Yes, both lines are needed.
I used to configure an ASA as both router and FW before, for another client. I configured one line to be primary and one secondary, and it worked fine. But it was 2xISP-ASA-SW-Users.
Now I am not sure how to configure the ASA. I installed it after the Mikrotik (as Balaji recommended); it received an IP address from the DHCP server of the Mikrotik, and the computer I connected behind the ASA also received an IP address via DHCP.
What should I do next?
Is the Mikrotik router still under warranty?
Hmm, I don't know. I have to check this. Why is this needed?
Thank you in advance for your help,
Denisa
07-31-2019 02:18 AM
I suggested that keeping in mind that you do not want to replace the Mikrotik. If replacing it is possible, a well-suited solution is for only the ASA to handle all traffic; again, it depends on the client.
Now I am not sure how to configure the ASA. I installed it after the Mikrotik (as Balaji recommended); it received an IP address from the DHCP server of the Mikrotik, and the computer I connected behind the ASA also received an IP address via DHCP.
What should I do next?
There are 2 ways to do this:
1. The ASA can be in transparent mode, so you can get IP addresses directly from the Mikrotik.
2. If the ASA is in routed mode, you need to forward the traffic to the Mikrotik (and the Mikrotik does the NATting).
So users will be able to reach the internet.
Finally, this is not a great approach for a small environment: two FWs in the path, with no network in between the FWs.
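As an added illustration of the two options described in the reply above (this is not configuration from the thread; the interface names, the Mikrotik LAN 192.168.88.0/24 with the router at 192.168.88.1, and the ASA inside subnet 192.168.2.0/24 are all assumed):

```cisco
! Option 1: transparent (bridged) ASA between the Mikrotik and the switch.
! Clients keep getting their addresses from the Mikrotik DHCP server through
! the bridge; the BVI address only serves management of the ASA itself.
! (Switching modes clears the running config, so do this before anything else.)
firewall transparent
!
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside
 security-level 0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
 security-level 100
!
interface BVI1
 ip address 192.168.88.2 255.255.255.0
!
! Option 2: routed ASA with its own inside subnet and a default route to the
! Mikrotik. The ASA does no NAT here, so the Mikrotik must have a return route
! for 192.168.2.0/24 and its srcnat/masquerade rule must cover that source.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.88.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.88.1 1
!
! Matching return route on the Mikrotik (RouterOS CLI, assumed addressing):
! /ip route add dst-address=192.168.2.0/24 gateway=192.168.88.2
```

In both layouts the Mikrotik still terminates the PPPoE sessions and performs the NAT, so the ASA only sees private addresses and cannot do per-ISP policy or failover; that is the limitation the reply points at when it calls two firewalls in series a poor fit for a small site.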
07-31-2019 03:54 AM
Hello Balaji,
So the best solution will be to replace the Mikrotik with the ASA?
I will try to configure all the services on the ASA and let you know if it functions well.
Thank you again,
Kind Regards,
Denisa
07-31-2019 07:09 AM
Yes, that is the best approach, so you have all the control in one FW rather than in multiple places. Keep us posted on any hurdles.
08-01-2019 07:16 AM
Hi again,
I added the below configuration lines:
interface GigabitEthernet1/1
nameif outside_Abissnet
security-level 0
pppoe client vpdn group Abissnet
pppoe client route distance 2
ip address pppoe setroute
vpdn group Abissnet request dialout pppoe
vpdn group Abissnet ppp authentication chap
vpdn group Abissnet localname 044216072
vpdn username 044216072 password ***** store-local
!
interface GigabitEthernet1/2
nameif outside_Abcom
security-level 0
pppoe client vpdn group Abcom
ip address pppoe setroute
!
vpdn group Abcom request dialout pppoe
vpdn group Abcom localname pc.store
vpdn group Abcom ppp authentication chap
vpdn username xx.store password ***** store-local
I tested both lines separately. Neither is getting authenticated.
The debug output is below:
ciscoasa# PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
ciscoasa#
PPPoE: PADO
PPPoE: PADO
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PADT
PPPoE: Shutting down client session
PPPoE: padi timer expired
ciscoasa# debug pppoe packet
debug pppoe packet enabled at level 1
ciscoasa#
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:7872.5d00.ce9e Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: PPPoE:(Rcv) Dest:7872.5d00.ce9e Src:d46d.50ac.54c0 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-2-PPPoE
PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 246E045F
PPPoE: 90134CB2
PPPoE: 41B93127
PPPoE: 721CF384
PPPoE:
PPPoE: send_padr:(Snd) Dest:d46d.50ac.54c0 Src:7872.5d00.ce9e Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-2-PPPoE
PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 246E045F
PPPoE: 90134CB2
PPPoE: 41B93127
PPPoE: 721CF384
PPPoE:
PPPoE: PPPoE:(Rcv) Dest:7872.5d00.ce9e Src:84b8.025d.f540 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:47
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:11
PPPoE: ASR-1-PPPoE
PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 04BB3BAE
PPPoE: 7F5BA1E9
PPPoE: ED3FC54F
PPPoE: 22F2C899
PPPoE:
What am I missing?
Kind Regards,
Denisa
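An added example (not part of the original post) that reads the debug output and vpdn configuration posted above and answers two questions a practitioner asks first: did PPPoE discovery complete, and does every vpdn group have a matching credential? The hex string in the `PPP chap receive failure` line is the Message field of the CHAP Failure packet, sent as ASCII bytes; decoding it gives the access concentrator's own verdict. The username `xx.store` may be a redaction in the post, so the mismatch the check reports for the Abcom group is only a lead, not a confirmed cause.

```python
import re

# Debug lines copied from the post above (session-level output).
DEBUG_OUTPUT = """\
PPP chap receive challenge: rcvd a type CHAP-DIGEST-MD5 pkt
PPP chap receive failure: 41757468656e7469636174696f6e206661696c6564
PPP CHAP authentication failed
PPPoE: PADO
PPPoE: PADO
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PADT
PPPoE: Shutting down client session
PPPoE: padi timer expired
"""

# vpdn lines copied from the posted configuration.
VPDN_CONFIG = """\
vpdn group Abissnet request dialout pppoe
vpdn group Abissnet ppp authentication chap
vpdn group Abissnet localname 044216072
vpdn username 044216072 password ***** store-local
vpdn group Abcom request dialout pppoe
vpdn group Abcom localname pc.store
vpdn group Abcom ppp authentication chap
vpdn username xx.store password ***** store-local
"""


def decode_chap_failure(line):
    """Decode the hex payload of 'PPP chap receive failure: <hex>'.

    The payload is the CHAP Failure packet's Message field, which the
    access concentrator fills with plain ASCII text.
    """
    m = re.search(r"chap receive failure:\s*([0-9a-fA-F]+)", line)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")


def classify_session(debug_text):
    """Return (stage, detail) for one PPPoE attempt.

    Discovery runs PADI -> PADO -> PADR -> PADS; PADT tears a session
    down. Once a PADS has arrived the link is up and any failure belongs
    to the PPP phase (LCP/CHAP/IPCP), not to discovery.
    """
    seen = {code: False for code in ("PADO", "PADS", "PADT")}
    chap_msg = None
    chap_failed = False
    for line in debug_text.splitlines():
        for code in seen:
            if re.search(rf"\bPPPoE: (IN )?{code}\b", line):
                seen[code] = True
        if "chap receive failure" in line:
            chap_msg = decode_chap_failure(line)
        if "CHAP authentication failed" in line:
            chap_failed = True
    if not seen["PADO"]:
        return "discovery", "no PADO: no access concentrator answered the PADI"
    if not seen["PADS"]:
        return "discovery", "PADO seen but no PADS: the AC refused the session"
    if chap_failed:
        return "chap", chap_msg or "CHAP failed without a message from the AC"
    return "ppp", "session established; inspect LCP/IPCP output"


def check_vpdn_credentials(config_text):
    """Map each vpdn group to whether its localname has a credential.

    'vpdn group <g> localname <u>' must be paired with a matching
    'vpdn username <u> password ...' line, otherwise the ASA has no
    secret with which to answer the CHAP challenge for that group.
    """
    localnames = dict(
        re.findall(r"^vpdn group (\S+) localname (\S+)", config_text, re.M)
    )
    usernames = set(
        re.findall(r"^vpdn username (\S+) password", config_text, re.M)
    )
    return {group: (user in usernames) for group, user in localnames.items()}


if __name__ == "__main__":
    stage, detail = classify_session(DEBUG_OUTPUT)
    print(f"stage={stage}: {detail}")
    for group, ok in check_vpdn_credentials(VPDN_CONFIG).items():
        print(f"vpdn group {group}: credential {'present' if ok else 'MISSING'}")
```

Run against the posted output the classifier reports the CHAP stage with the decoded message "Authentication failed": discovery succeeded (PADO and PADS both arrived), so the MAC-level side is fine and the remaining variables are the username, the password, and the authentication method the ISP expects (CHAP versus PAP). The packet-level debug further down the post, with PADO replies from two different access concentrators, is consistent with that reading.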
08-01-2019 08:48 AM - edited 08-01-2019 08:48 AM
Have you replaced the Mikrotik router with the ASA as per Balaji's comments?
08-01-2019 11:53 PM
Hi,
Yes, correct. I created the PPPoE connections straight on the ASA.
Kind Regards,
Denisa
08-02-2019 08:03 AM
08-02-2019 12:39 PM
So is this resolved after the ISP-side changes? Is the ASA handling both ISP connections?
08-03-2019 01:37 AM
Yes Balaji, correct, it is working with both ISPs.
But I am not sure how to configure the DNS for DHCP for both ISPs. I configured the DNS on one ISP as below:
dhcpd address 192.168.2.130-192.168.2.200 LAN_PC
dhcpd dns 80.x.x.x 80.x.x.x interface LAN_PC
dhcpd domain pc.al interface LAN_PC
dhcpd enable LAN_PC
But it is not working for the other ISP unless I add static DNS servers on the network card of the PCs.
What do you think, should I configure public DNS under DHCP?
Or should I add global DNS as below:
dns server-group DefaultDNS
name-server 208.67.222.222 ******public ISP******
name-server 80.x.y.35 ******first ISP dns******
name-server 80.x.y.34
name-server 80.x.y.66 ******second ISP dns******
name-server 80.x.y.67
name-server 192.167.2.7
Attached is the ASDM view for DNS.
Thank you in advance,
Denisa
08-03-2019 03:23 AM
Thinking about your problem: if you use the ISP1 address as the DNS server and that link fails, your queries fall back to ISP2, but there is a delay here.
Two options. If possible, run your own DNS server locally, which in turn gets updates from the ISP.
The other is to use Google DNS, which is reachable over either ISP connection for DNS queries.
Does that make sense?
08-06-2019 08:15 AM
Yes, it makes sense.
I configured the Google DNS servers under dhcpd. Unfortunately, I am having a strange situation with both providers. Some pages like cisco.com or community.cisco.com (everything on the cisco domains) cannot be opened. I am able to nslookup these domains, but not able to open them in the browser.
Or when I try to test the internet speed, it displays the error "may be blocked by a firewall".
Should I create an access-list permit rule?
Any idea would be appreciated.
Kind Regards,
Denisa