How to connect Firebox firewall after ASA5510 firewall

Posted on 2009-02-18
Last Modified: 2013-11-16
We want to block specific websites and restrict users to using the internet through the Firebox firewall.
How do we connect the Firebox firewall after the ASA5510 firewall? We have a Firebox firewall and an ASA5510 firewall.
Is this the way to manage the usage of the internet and websites?
If I am wrong, please advise me.

Question by:fcsitops
    LVL 32

    Expert Comment

    If you intend to use the WG Firebox for internet usage restriction, then it can be done, but you could have been better off with a solution which is actually built for such functionality.

    As I understand, you already have the ASA at the perimeter of the network and now want to place the FB behind it for internet restriction. This can be done in two ways:
    1. Configure the FB in drop-in mode; this would ensure that the FB does not do any NAT. Now configure HTTP policies where you can restrict user access based on source IP/username and also destination IP.
    Here, you can configure WebBlocker [licensed feature] and configure allowed/denied categories.
    You can configure multiple services to have differential internet access, and allow/deny specific attachments, content types, ActiveX, Java applets, etc.

    2. Configure the FB in gateway mode; the FB does NAT in this case, and if the ASA is already implementing NAT then you would have double NAT implemented.
    The services and other configuration would remain the same as in case 1.

    Please update if you need more details.

    Thank you.
    LVL 3

    Accepted Solution

    Where I work I have deployed ASA5520 and Firebox 5500e.
    Since the Firebox provides superior layer 7 functionality, it's better to use it as the firewall facing the internet and use the ASA for internal use, with a DMZ in between. Create the DMZ in your ASA, then link it into one of the optional ports on the Firebox; this way you guarantee layer 7 is available to all hosts, including the DMZ.
    Create VLANs in the ASA to control your servers and users networks.
    As far as NATing is concerned, in the ASA use NAT one-to-one, and in the Firebox use PAT and static NAT to link your public DMZ servers.
    My approach has been deployed perfectly without any problems.

