RBR50v2 Cisco ASA5505 ACL Rules

Question

I have recently purchased the ORBI system.&nbsp; I have a Cisco ASA 5505 and i am unable to manage it or take advantange of additional services such as parrental controls.&nbsp; I have been digging through the ASA loggs and located the Circle IP address 45.33.13.155.&nbsp; What other TCP and UDP addresses and ports do i need to allow in order to make this system fully functional?

FURRYe38 · Answer

I recommend if this applicance device is in front of your RBR, then you should configure the RBR for AP mode.

This could be a double NAT condition which isn't recommended. https://kb.netgear.com/30186/What-is-Double-NAT
https://kb.netgear.com/30187/How-to-fix-issues-with-Double-NAT
Couple of options,
1. Configure the modem for transparent bridge or modem only mode. Then use the Orbi router in router mode. You'll need to contact the ISP for help and information in regards to the modem being bridged correctly.
2. If you can't bridge the modem, disable ALL wifi radios on the modem, configure the modems DMZ/ExposedHost or IP Pass-Through for the IP address the Orbi router gets from the modem. Then you can use the Orbi router in Router mode.
3. Or disable all wifi radios on the modem and connect the Orbi router to the modem, configure AP mode on the Orbi router. https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point and https://www.youtube.com/watch?v=H7LOcJ8GdDo&app=desktop

Try option #3.

I see the applicance devices is only rates for 100Mbps. The Orbi system is rated for 1000Mpbs. So the Cisco would be a bottle neck in peformances.

https://www.cisco.com/c/en/us/support/security/asa-5505-adaptive-security-appliance/model.html

I alos see it's on Cisco's EOL list.

Release Date 31-AUG-2006
End-of-Sale Date 25-AUG-2017
End-of-Support Date 31-AUG-2022

14 year old product. You might want to consider getting into something newer and something that supports 1000Mpbs on the LAN

Answer42 · Answer

Thank you for the response. I will go into more detail about my network.

I have a Motorola docsys 3.0 modem with a 100mb internet connection. I have an outside vlan for the modem, an inside vlan for the physically connected computers and finally I have a wireless vlan for the ORBI.

The problem i am having is that the Cisco ASA is blocking access to all the additional resources such as Circle, Netgear Armor, etc. I am also unable to manage the network remotely either.

I need to create firewall rules in my ASA to allow that connectivity to reach my wireless vlan and the ip address of the ORBI. It seems there is some kind of cloud service the device communicates with in order to manage it remotely. What are the IP addresses and ports associated to all the additional features?

I have internet access working, but if the outside services attempt to communicate with the ORBI directly they are denied.

Identified information:

Circle IP Address: 45.33.13.155 - reverse lookup download.meetcicle.com - TCP port 443, https

Bit Defender: 34.202.127.134 - reverse lookup nimbus.bitdefender.net - TCP port 443. https

Netgear Time Sever: 209.249.181.91 - reverse lookup time-b.netgear.com - UDP port 123

Netgear also has several IP, the range is 209.249.181.0 - 209.249.181.127

Do we know if Netgear uses Amazon CloudFront for these services?

FURRYe38 · Answer

Please review this. Might find some information that pertains to what your doing:

https://community.netgear.com/t5/Orbi/Outbound-traffic-to-Amazon-space/td-p/1865945/jump-to/first-unread-message

Any configurations with the Cisco appliance will need to contact Cisco about that.

1qwerty1 · Answer

Answer42,I would be very careful opening _any_ inbound ports to my firewall.&nbsp;For the Circle to work, I think the Orbi needs to be in Router mode. You will be in double NAT situation since your ASA firewall is your perimeter device not Orbi. It might still work ok and worth testing.&nbsp;Then partition your firewall:- 'Outside' ISP sec zone 'outside', DHCP/client on the ASA to grab a dynamic IP from your ISP- 'WiFi' sec zone (192.168.10.0/24) where your Orbi is going to leave (Orbi's WAN interface, assign for ex., 192.168.10.254)- 'Inside' sec zone for your most trusted/valuable assets like your desktop, NAS etc. (192.168.20.0/24)&nbsp;Configure:- Outbound NATs for both inside and wifi- Allow all outbound traffic (for now) from Inside and WiFi subnets to Outside- Allow tcp/8443/icmp-ping from Inside to Orbi's WAN interface for management access to Orbi. Enable Remote management in Orbi GUI.&nbsp;Test your internet access from Inside and WiFi. Orbi should be handling DHCP assignments for your wifi clients/kids. Test streaming services like Netflix or Prime.&nbsp;Configure/install Circle app. The Orbi should be making outbound connections to the netgear cloud (AWS) for updates/signatures/bad site lists etc. As far as I understand, there should be nothing initiating connection from outside to your internal network (unless you configure a VPN portal on your ASA and make inbound VPN ipsec tunnels yourself using a Cisco AnyConnect vpn client). You restrict kids' access by using your smartphone app to manage the kids' access policies in the Netgear cloud which get downloaded/updated by the Orbi unit. As I see it, the Orbi is making outbound connection periodically to check if there is anything new for it to download.&nbsp;If you read my thread, I am blacklisting some of the Netgear external sites using a pi-hole DNS server. You can blacklist NG's site one at a time to see which one breaks your Circle app.&nbsp;Lastly, if you want, you can restrict your outbound fw policies by defining rules for Orbi's WAN IP address to do :- WiFi -&gt; Outside: outbound FTP connections for&nbsp; updates (updates1[.]netgear[.]com) if you trust NG to auto update your unit, allow this.- WiFi -&gt; Outside: icmp pings to www[.]netgear[.]com (successful pings show the Orbi's GUI as an Internet-UP status) - allow- WiFi -&gt; Outside: SSL traffic to AWS over 443 (web stats and some unknown sites, not sure). There was also a custom tcp/port which escapes me. - decide whether to allow/deny (top rule in the policy hierarchy)- WiFi -&gt; Outside 'Any' : SSL/443, web-browsing/80, ntp/udp/123 + others - allow- WiFi -&gt; Inside pi-hole IP: DNS 53/udp to Inside - allow&nbsp;Point your Orbi's management DNS (Inside security zone) to your pi-hole, ASA's DNS and do the same for the DHCP clients. Configure ASA policies with FQDN objects.

Forum Discussion

RBR50v2 Cisco ASA5505 ACL Rules

4 Replies