ASA 5550 Placement

Mar 15th, 2010

We provide open Internet access to users.  The only current security device on the network is a Proxy Server to prevent access to certain websites.  Our network is simple:

RF Antennae --> RF Modem --> Cisco 3845(NAT) --> L3 Switches (Core Services) --> L3/L2 Switches --> Users.

Where should I put the ASA 5550 and why?  The customer requires this device to prevent traffic initiated from outside the network.  From reading the documentation, using the default security levels would be fine and no additional ACLs would be required.  I do plan on using the ASA to block any websites or networks that the Proxy can't.

Thanks in advance,

KARUPPUCHAMY MA... Mon, 03/15/2010 - 09:38


You can place the firewall between the 3845 router and the L3 switches (core). You can configure NAT in the firewall itself.

Make the interface which is connected to the 3845 router the outside interface and set its security level to 0.

Configure the interface which is connected to the core switch as inside, and its security level will be 100.

As you might be aware, by default in PIX/ASA all traffic from a low security level (outside) to a high security level (inside) will be blocked.

So you can allow the necessary traffic from outside to inside by configuring an ACL and applying that ACL on the outside interface.
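
The placement and interface settings described above, written out as an added example configuration (not from the original post). Interface names, the 203.0.113.0/30 and 10.0.0.0/24 addresses, and the pre-8.3 NAT syntax are assumptions:

```cisco
! Added example: ASA between the 3845 (outside) and the core L3 switches (inside).
! Interface names and addresses are assumed; 203.0.113.0/30 and 10.0.0.0/24 are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route points at the 3845 (assumed to be 203.0.113.1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT every inside host behind the outside interface address (pre-8.3 NAT syntax).
! Omit these two lines if NAT stays on the 3845; nat-control is off by default,
! so no identity NAT rule is needed for traffic to pass.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! With security levels 0/100 and no ACL, the ASA already drops connections
! initiated from outside; this ACL makes that explicit and logs the attempts.
! Return traffic for connections started from inside is still allowed by the
! connection table. Any service that must be reachable from outside goes in as
! a permit line above the deny.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Echo replies to pings started from inside only come back if ICMP is inspected
policy-map global_policy
 class inspection_default
  inspect icmp
```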



vilaxmi Mon, 03/15/2010 - 22:40


In addition to what has already been pointed out by Karuppuchamy Malaiyandi, I would like to inform you that the ASA cannot do deep packet inspection.

This means that the ASA can not filter websites using HTTPS. All the HTTP websites can be filtered using the Modular Policy Framework on the box (see sample config below).

In order to do advanced filtering of websites you may have to use security modules, or 3rd party web filters, e.g. Websense.

Sample config to block and sites for any user:

regex url1 ""
regex url2 ""
! the two site patterns were stripped from the original post (empty quotes);
! an ASA regex escapes the dots, e.g. "www\.example\.com" (placeholder value)

class-map type regex match-any urlreg
 match regex url1
 match regex url2

class-map type inspect http match-all http_url_policy
 match request header host regex class urlreg

access-list http extended permit tcp any any eq 80

class-map acl
 match access-list http

policy-map type inspect http http_policy
 parameters
 class http_url_policy
  reset log
! "reset log" is the action the original omitted; without an action under the
! class, matching requests are inspected but the connection is never dropped

policy-map httpdrop
 class acl
  inspect http http_policy

service-policy httpdrop interface outside

Feel free to read more below

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example: