• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 286

how to connect firebox firewall after ASA5510 firewall

We want to block specific websites and restrict users to use the internet through the Firebox firewall.
How to connect the Firebox firewall after the ASA5510 firewall? We have a Firebox firewall and an ASA5510 firewall.
Is this the way to manage the usage of the internet and websites?
If I am wrong, please suggest.

1 Solution
If you intend to use WG firebox for internet usage restriction, then it can be done but you could have been better off with a solution which is actually built for such functionality.

As I understand you already have ASA at the perimeter of the network and now want to place FB behind it for internet restriction. This can be done in two ways:
1. Configure FB in drop-in mode; this would ensure that FB does not do any NAT. Now configure HTTP policies where you can restrict the user access based on source IP/username and also destination IP.
Here, you can configure WebBlocker [licensed feature] and configure allowed/denied categories.
You can configure multiple services to have differential internet access, and allow/deny specific attachments/content-types/ActiveX, Java applets, etc.

2. Configure FB in gateway mode; the FB does NAT in this case, and if the ASA is already implementing NAT then you would have double NAT implemented.
The service and other configuration would remain the same as in case 1.

Please update if you need more details.

Thank you.
Where I work I have deployed an ASA5520 and a Firebox 5500e.
Since the Firebox provides superior layer 7 functionality, it's better to use it as the firewall facing the internet and use the ASA for internal use, with a DMZ in between: create the DMZ in your ASA, then link it into one of the optional ports in the Firebox; this way you guarantee layer 7 is available to all hosts, including the DMZ.
Create VLANs in the ASA to control your servers and users networks.
As far as NATing is concerned, in the ASA use NAT one-to-one and in the Firebox use PAT and static NAT to link your public DMZ servers.
My approach has been deployed perfectly without any problems.
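The ASA side of the layout described in this answer (Firebox at the edge doing PAT and static NAT, ASA behind it holding the inside and DMZ networks with one-to-one NAT), as an added configuration example that is not from either poster. It uses Cisco ASA 8.3+ NAT syntax; the interface names, object names and all addresses (RFC 5737 / RFC 1918 ranges) are constructed assumptions.

```cisco
! Added example, not from the thread. Cisco ASA 8.3+ syntax; addresses and
! interface/object names are assumptions chosen for illustration only.
!
! Assumed topology (this answer's layout):
!   Internet -> Firebox (edge: PAT + static NAT, HTTP policies/WebBlocker)
!            -> ASA "outside" (192.0.2.0/24, link to a Firebox optional port)
!            -> ASA "inside" (users, 10.10.0.0/24) and ASA "dmz" (172.16.10.0/24)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Default route points at the Firebox, which owns the internet-facing NAT.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! One-to-one (static) NAT for a DMZ web server: the ASA presents it to the
! Firebox as 192.0.2.10, and the Firebox static-NATs that to the public IP.
object network dmz-web
 host 172.16.10.10
 nat (dmz,outside) static 192.0.2.10
!
! Identity NAT for users: their private source addresses are preserved
! across the ASA, so the Firebox still sees real client IPs for its
! source-IP/user based HTTP policies and only one PAT happens (no double NAT).
object network inside-users
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) static inside-users
!
! Inbound from the Firebox side: only web ports to the DMZ server.
! (Post-8.3 ACLs reference the real, untranslated address via the object.)
access-list outside_in extended permit tcp any object dmz-web eq www
access-list outside_in extended permit tcp any object dmz-web eq https
access-group outside_in in interface outside
!
! Outbound from users: only DNS and web, so all browsing must pass through
! the Firebox HTTP policies; anything else from the user VLAN is dropped.
access-list inside_out extended permit udp 10.10.0.0 255.255.255.0 any eq domain
access-list inside_out extended permit tcp 10.10.0.0 255.255.255.0 any eq www
access-list inside_out extended permit tcp 10.10.0.0 255.255.255.0 any eq https
access-group inside_out in interface inside
!
! DMZ hosts cannot initiate connections to "inside" because security-level 50
! is lower than 100 and no ACL on the dmz interface permits it.
```

Because the ASA only does one-to-one and identity translation here, the Firebox is the single place where addresses are rewritten toward the internet, which avoids the double-NAT situation the first answer warns about and keeps per-user source addresses visible to the Firebox policies.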

