ASA 5550 Placement

gdrandles
Level 1

We provide open Internet access to users.  The only current security device on the network is a Proxy Server to prevent access to certain websites.  Our network is simple:

RF Antennae --> RF Modem --> Cisco 3845(NAT) --> L3 Switches (Core Services) --> L3/L2 Switches --> Users.

Where should I put the ASA 5550 and why? The customer requires this device to prevent traffic initiated from outside the network. From reading the documentation, using the default security levels would be fine and no additional ACLs would be required. I do plan on using the ASA to block any websites or networks that the Proxy can't.

Thanks in advance,

Damien

2 Replies

Hi,

You can place the firewall between the 3845 router and the L3 switches (core). You can configure NAT in the firewall itself.

Make the interface which is connected to the 3845 router the outside interface and set its security level to 0.

Configure the interface which is connected to the core switch as inside; its security level will be 100.

As you might be aware, by default in PIX/ASA all traffic from a low security level (outside) to a high security level (inside) is blocked.

So you can allow the necessary traffic from outside to inside by configuring an ACL and applying that ACL on the outside interface.

Regards

Karuppu
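The placement Karuppu describes, written out as an ASA configuration. This is an added example, not a config from the thread: it assumes pre-8.3 nat/global NAT syntax, that NAT moves from the 3845 to the ASA as suggested, and the constructed addresses 203.0.113.0/30 (ASA-to-3845 link) and 10.10.0.0/16 (inside). The explicit deny with logging on the outside interface is optional, since level 0 to level 100 is already denied by default, but it gives a syslog record of unsolicited inbound attempts.

```cisco
! Added example (not the thread's own config): ASA 5550 between the 3845 and the core L3 switches.
! Assumes pre-8.3 NAT syntax and constructed addresses 203.0.113.0/30 and 10.10.0.0/16.
hostname edge-asa
!
! Link toward the 3845 router: outside, lowest trust
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Link toward the core L3 switches: inside, highest trust
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
 no shutdown
!
! Default route points at the 3845 (constructed address 203.0.113.1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT every inside host behind the outside interface address (NAT now lives on the ASA)
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
!
! Outside-to-inside is blocked by default (0 -> 100). Return traffic for sessions
! that inside users initiate is allowed by the connection table, not by this ACL,
! so the explicit deny only adds a log line for unsolicited inbound attempts.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Keep the denied-connection records somewhere a reviewer can read them
logging enable
logging buffered informational
```

Anything the customer later needs reachable from the Internet (a published server, for instance) would have to be added above the deny line as an explicit permit plus a static translation; until then no inbound session is admitted.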

vilaxmi
Cisco Employee

Hello,

In addition to what has already been pointed out by Karuppuchamy Malaiyandi, I would like to inform you that ASA cannot do deep packet inspection.

This means that ASA can not filter websites using HTTPS. All the HTTP websites can be filtered using the Modular Policy Framework on the box (see sample config below).

In order to do advanced filtering of websites you may have to use Security modules, or 3rd party web filters, e.g. Websense.

Sample config to block www.yahoo.com and www.google.com sites for any user:

regex url1 "mail.yahoo.com"
regex url2 "mail.google.com"

class-map type regex match-any urlreg
match regex url1
match regex url2

class-map type inspect http match-all http_url_policy
match request header host regex class urlreg

access-list http permit tcp any any eq 80

class-map acl
match access-list http

policy-map type inspect http http_policy
parameters
class http_url_policy
  drop-connection

policy-map httpdrop
class acl
  inspect http http_policy

service-policy httpdrop interface outside

Feel free to read more below:

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

HTH

Vijaya
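A variant of the MPF filter above, added here as an example and not taken from the thread or from Cisco's document: it matches the two www hosts the reply says it blocks, and it escapes the dots in the regex. In the sample as posted, an unescaped `.` matches any character, so `mail.yahoo.com` would also match a Host header such as `mailXyahooXcom`; escaping keeps the match literal. The class-map, policy-map and interface names are assumptions.

```cisco
! Added example (not the thread's config): HTTP Host-header filter via MPF with literal dots.
! Escaped dots make the match literal; unescaped "." would match any single character.
regex block_yahoo  "www\.yahoo\.com"
regex block_google "www\.google\.com"
!
! Group the patterns so either one triggers the class
class-map type regex match-any blocked_hosts
 match regex block_yahoo
 match regex block_google
!
! HTTP inspection class: fire when the request's Host header matches the group
class-map type inspect http match-all blocked_host_policy
 match request header host regex class blocked_hosts
!
! Only port 80 is inspected; HTTPS is not, which is the limitation noted above
access-list http_traffic extended permit tcp any any eq 80
!
class-map http_class
 match access-list http_traffic
!
! Drop (and log) the connection when the Host header matches; everything else passes
policy-map type inspect http block_sites
 parameters
 class blocked_host_policy
  drop-connection log
!
policy-map inside_http
 class http_class
  inspect http block_sites
!
! Applied on inside so the drop happens before the request leaves the trusted side
service-policy inside_http interface inside
```

The `log` keyword on `drop-connection` is what lets the security team see which hosts users are attempting to reach; without it the block is silent. As the reply notes, requests carried over TLS never expose the Host header to this inspection, so HTTPS sites pass regardless of the regex.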
