07-29-2019 08:01 AM - edited 02-21-2020 09:21 AM
Hello all,
To increase the network security in a small business network I want to install an ASA5506-X firewall.
The problem is that I am not sure where to locate the firewall.
There are two ISP lines (PPPoE connection) configured in a Mikrotik router.
Can anyone advise me where to place the firewall: in front of the router or after it?
Thank you in advance,
Kind Regards,
Denisa
08-06-2019 08:55 AM
If you have ASDM, check the real-time logs. Do they show you the reason it was dropped?
08-07-2019 07:04 AM - edited 08-07-2019 07:18 AM
Hi Balaji,
Yes, I have configured ASDM access.
I can see logs like the one below, when I try to open pages that are being blocked by ASA:
4 Jul 07 2019 15:36:27 113.255.38.74 12113 192.168.2.131 18231 Deny udp src outside_Abissnet:113.255.38.74/12113 dst LAN_PCstore:192.168.2.131/18231 by access-group "outside_Abissnet_access_in" [0x0, 0x0]
I don't understand why! When I first connected today I was able to open every page. Suddenly now the access to some pages has disappeared! As I understand, ASA is a stateful FW, so it must allow the replies to requests that are initiated from inside.
ciscoasa# show run access-list
access-list outside_Abcom_access_in extended permit tcp any object VOIP-192.168.3.33 eq sip
access-list outside_Abcom_access_in extended permit object-group DM_INLINE_SERVICE_1 any object test-192.168.2.131
access-list outside_Abissnet_access_in extended permit tcp any object VOIP-192.168.3.33 eq sip
access-list outside_Abissnet_access_in extended permit object test-7070 any object test-192.168.2.131
ciscoasa# show run access-group
access-group outside_Abissnet_access_in in interface outside_Abissnet
access-group outside_Abcom_access_in in interface outside_Abcom
I have also attached some other Deny logs.
Thank you,
Denisa
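An added example, not part of the original post and not Cisco's own tooling: a small Python parser for "Deny ... by access-group" lines in the format quoted above, which groups denies by access-group, protocol and destination so you can see whether the dropped packets are web traffic at all. The first sample line is the one from the post; the other lines, the function names and the 80/443 heuristic are assumptions made for this illustration.

```python
import re
from collections import Counter

# Matches the TCP/UDP "Deny ... by access-group" body seen in the ASDM log line.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
WEB_PORTS = {80, 443}  # assumption: "pages" means plain HTTP/HTTPS

# Line 1 is the line from the post; lines 2-4 are constructed for this example.
SAMPLE_LOG = '''\
4 Jul 07 2019 15:36:27 113.255.38.74 12113 192.168.2.131 18231 Deny udp src outside_Abissnet:113.255.38.74/12113 dst LAN_PCstore:192.168.2.131/18231 by access-group "outside_Abissnet_access_in" [0x0, 0x0]
4 Jul 07 2019 15:36:28 203.0.113.50 40000 192.168.2.131 18231 Deny udp src outside_Abissnet:203.0.113.50/40000 dst LAN_PCstore:192.168.2.131/18231 by access-group "outside_Abissnet_access_in" [0x0, 0x0]
4 Jul 07 2019 15:36:29 203.0.113.10 443 192.168.2.131 51544 Deny tcp src outside_Abissnet:203.0.113.10/443 dst LAN_PCstore:192.168.2.131/51544 by access-group "outside_Abissnet_access_in" [0x0, 0x0]
6 Jul 07 2019 15:36:30 constructed non-deny line, skipped by the parser
'''

def parse_denies(text):
    """Return one dict per ACL deny line; other lines are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
            denies.append(rec)
    return denies

def summarize(denies):
    """Count denies per (access-group, protocol, destination IP, destination port)."""
    return Counter((d["acl"], d["proto"], d["dst_ip"], d["dst_port"]) for d in denies)

def web_like(denies):
    """Denied TCP packets whose source port is a web port (heuristic only)."""
    return [d for d in denies if d["proto"] == "tcp" and d["src_port"] in WEB_PORTS]

if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    for key, count in summarize(denies).most_common():
        print(count, *key)
    print("web-like denies:", len(web_like(denies)))
```

Paste an export of the ASDM real-time log into `SAMPLE_LOG` (or read it from a file) to run the same summary on real data.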
08-22-2019 07:49 AM - edited 08-28-2019 02:22 AM
Hi all,
Sorry for my late reply. I have been on holiday.
ASA was denying some pages because of an access rule (open port 7070) that I created for testing purposes. With this access rule I just open the port 7070 (realserver) on ASA for my laptop. And I don't know why access-group outside_Abissnet_access_in in interface outside_Abissnet resulted in denying some pages.
Thank you,
Kind Regards,
Denisa