Answer42
Feb 28, 2020 Aspirant
RBR50v2 Cisco ASA5505 ACL Rules
I have recently purchased the ORBI system. I have a Cisco ASA 5505 and I am unable to manage it or take advantage of additional services such as parental controls. I have been digging through the...
Answer42
Feb 28, 2020 Aspirant
Thank you for the response. I will go into more detail about my network.
I have a Motorola DOCSIS 3.0 modem with a 100mb internet connection. I have an outside VLAN for the modem, an inside VLAN for the physically connected computers and finally I have a wireless VLAN for the ORBI.
The problem I am having is that the Cisco ASA is blocking access to all the additional resources such as Circle, Netgear Armor, etc. I am also unable to manage the network remotely.
I need to create firewall rules in my ASA to allow that connectivity to reach my wireless vlan and the ip address of the ORBI. It seems there is some kind of cloud service the device communicates with in order to manage it remotely. What are the IP addresses and ports associated to all the additional features?
I have internet access working, but if the outside services attempt to communicate with the ORBI directly they are denied.
Identified information:
Circle IP Address: 45.33.13.155 - reverse lookup download.meetcicle.com - TCP port 443, https
Bit Defender: 34.202.127.134 - reverse lookup nimbus.bitdefender.net - TCP port 443, https
Netgear Time Server: 209.249.181.91 - reverse lookup time-b.netgear.com - UDP port 123
Netgear also has several IPs; the range is 209.249.181.0 - 209.249.181.127
Do we know if Netgear uses Amazon CloudFront for these services?
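The poster has found the blocked endpoints one at a time. When the ASA's deny rule is configured with the `log` keyword, the firewall's own syslog (message `%ASA-4-106023`) already lists every destination the Orbi tried and failed to reach, so the list of IPs and ports can be read off the logs instead. The following script is an added example, not code from the thread or from NETGEAR or Cisco: it parses 106023 lines, keeps only flows whose source is the Orbi WAN address, and summarizes them by protocol, destination and port. The sample log lines are constructed for the example; the Orbi WAN address 192.168.10.254 and the zone and ACL names are assumptions.

```python
import re
from collections import Counter

# %ASA-4-106023 is the ASA's "denied by access-list" message. The field order
# below (protocol, src zone:ip/port, dst zone:ip/port, ACL name) is the one the
# ASA emits; the port is absent for protocols without ports, so it is optional.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog output (not real captured traffic). The destination
# addresses reuse the ones identified in the thread; 203.0.113.x and 198.51.100.x
# are documentation ranges used as filler.
SAMPLE_LOG = """\
Feb 28 2020 10:01:02 asa %ASA-4-106023: Deny tcp src wifi:192.168.10.254/51234 dst outside:45.33.13.155/443 by access-group "WIFI_IN" [0x0, 0x0]
Feb 28 2020 10:01:03 asa %ASA-4-106023: Deny tcp src wifi:192.168.10.254/51240 dst outside:45.33.13.155/443 by access-group "WIFI_IN" [0x0, 0x0]
Feb 28 2020 10:01:05 asa %ASA-4-106023: Deny udp src wifi:192.168.10.254/123 dst outside:209.249.181.91/123 by access-group "WIFI_IN" [0x0, 0x0]
Feb 28 2020 10:01:09 asa %ASA-4-106023: Deny tcp src wifi:192.168.10.254/51301 dst outside:34.202.127.134/443 by access-group "WIFI_IN" [0x0, 0x0]
Feb 28 2020 10:01:11 asa %ASA-4-106023: Deny tcp src inside:192.168.20.15/40022 dst outside:203.0.113.9/22 by access-group "INSIDE_IN" [0x0, 0x0]
Feb 28 2020 10:01:12 asa %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 (203.0.113.5/443) to wifi:192.168.10.254/50000 (198.51.100.2/50000)
"""


def denied_flows(log_text, src_ip):
    """Count denied flows originating from src_ip, keyed by (proto, dst_ip, dst_port).

    Lines that are not 106023 messages, or that come from another source
    address, are ignored. Flows without a destination port get port "-".
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("src_ip") != src_ip:
            continue
        key = (m.group("proto"), m.group("dst_ip"), m.group("dst_port") or "-")
        counts[key] += 1
    return counts


def report(counts):
    """Render the counter as fixed-width lines, most frequent destination first."""
    return [
        f"{proto:<4} {ip:<15} {port:>5}  denied {n}x"
        for (proto, ip, port), n in counts.most_common()
    ]


if __name__ == "__main__":
    # Assumed Orbi WAN address on the wifi zone (see lead-in).
    for row in report(denied_flows(SAMPLE_LOG, "192.168.10.254")):
        print(row)
```

Each row in the output is a candidate for one explicit permit rule from the Orbi WAN address; destinations that never appear in the deny log need no rule. Because the script keys on IP rather than hostname, re-run it after a few days: cloud-hosted services (the thread asks about CloudFront) change addresses, which is the case for FQDN-based objects on the ASA rather than fixed host entries.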
FURRYe38
Feb 28, 2020 Guru - Experienced User
Please review this. You might find some information that pertains to what you're doing:
Any configurations with the Cisco appliance will need to contact Cisco about that.
1qwerty1
Feb 28, 2020 Tutor
Answer42,
I would be very careful opening _any_ inbound ports to my firewall.
For the Circle to work, I think the Orbi needs to be in Router mode. You will be in a double NAT situation since your ASA firewall is your perimeter device, not the Orbi. It might still work ok and is worth testing.
Then partition your firewall:
- 'Outside' ISP sec zone 'outside', DHCP/client on the ASA to grab a dynamic IP from your ISP
- 'WiFi' sec zone (192.168.10.0/24) where your Orbi is going to live (Orbi's WAN interface, assign for ex., 192.168.10.254)
- 'Inside' sec zone for your most trusted/valuable assets like your desktop, NAS etc. (192.168.20.0/24)
Configure:
- Outbound NATs for both inside and wifi
- Allow all outbound traffic (for now) from Inside and WiFi subnets to Outside
- Allow tcp/8443/icmp-ping from Inside to Orbi's WAN interface for management access to Orbi. Enable Remote management in Orbi GUI.
Test your internet access from Inside and WiFi. Orbi should be handling DHCP assignments for your wifi clients/kids. Test streaming services like Netflix or Prime.
Configure/install Circle app. The Orbi should be making outbound connections to the netgear cloud (AWS) for updates/signatures/bad site lists etc. As far as I understand, there should be nothing initiating connection from outside to your internal network (unless you configure a VPN portal on your ASA and make inbound VPN ipsec tunnels yourself using a Cisco AnyConnect vpn client). You restrict kids' access by using your smartphone app to manage the kids' access policies in the Netgear cloud which get downloaded/updated by the Orbi unit. As I see it, the Orbi is making outbound connection periodically to check if there is anything new for it to download.
If you read my thread, I am blacklisting some of the Netgear external sites using a pi-hole DNS server. You can blacklist NG's site one at a time to see which one breaks your Circle app.
Lastly, if you want, you can restrict your outbound fw policies by defining rules for Orbi's WAN IP address to do:
- WiFi -> Outside: outbound FTP connections for updates (updates1[.]netgear[.]com) if you trust NG to auto update your unit, allow this.
- WiFi -> Outside: icmp pings to www[.]netgear[.]com (successful pings show the Orbi's GUI as an Internet-UP status) - allow
- WiFi -> Outside: SSL traffic to AWS over 443 (web stats and some unknown sites, not sure). There was also a custom tcp/port which escapes me. - decide whether to allow/deny (top rule in the policy hierarchy)
- WiFi -> Outside 'Any' : SSL/443, web-browsing/80, ntp/udp/123 + others - allow
- WiFi -> Inside pi-hole IP: DNS 53/udp to Inside - allow
Point your Orbi's management DNS (Inside security zone) to your pi-hole, ASA's DNS and do the same for the DHCP clients. Configure ASA policies with FQDN objects.
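The zone layout, NAT, management rule and Orbi-specific outbound rules described in the reply above, written out as one ASA configuration. This is an added example, not configuration from the thread or from NETGEAR or Cisco. The VLAN and Ethernet port numbering, the 192.168.10.0/24 and 192.168.20.0/24 ranges, the Orbi WAN address 192.168.10.254, a pi-hole at 192.168.20.53, and the object and ACL names are all assumptions; the hostnames updates1.netgear.com and www.netgear.com and the ports are the ones the reply lists.

```cisco
! Added example, not from the thread. All addresses, VLAN ids and names are assumptions.
!
! --- Switchports: Ethernet0/0 to the modem, Ethernet0/7 to the Orbi WAN port ---
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 3
!
! --- Three security zones ------------------------------------------------
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif wifi
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! --- Objects; FQDN objects need the ASA to resolve names itself (see bottom) ---
object network NET-INSIDE
 subnet 192.168.20.0 255.255.255.0
object network NET-WIFI
 subnet 192.168.10.0 255.255.255.0
object network ORBI-WAN
 host 192.168.10.254
object network PIHOLE
 host 192.168.20.53
object network FQDN-NG-UPDATES
 fqdn updates1.netgear.com
object network FQDN-NG-WWW
 fqdn www.netgear.com
!
! --- Outbound PAT to the outside interface address for both internal zones ---
object network NET-INSIDE
 nat (inside,outside) dynamic interface
object network NET-WIFI
 nat (wifi,outside) dynamic interface
!
! --- Inside: management of the Orbi (tcp/8443 + ping), then everything out ---
access-list INSIDE_IN extended permit tcp object NET-INSIDE object ORBI-WAN eq 8443
access-list INSIDE_IN extended permit icmp object NET-INSIDE object ORBI-WAN echo
access-list INSIDE_IN extended permit ip object NET-INSIDE any
access-group INSIDE_IN in interface inside
!
! --- WiFi: Orbi-specific rules first, generic client traffic after, deny+log last ---
access-list WIFI_IN extended permit tcp object ORBI-WAN object FQDN-NG-UPDATES eq ftp
access-list WIFI_IN extended permit icmp object ORBI-WAN object FQDN-NG-WWW echo
access-list WIFI_IN extended permit udp object ORBI-WAN object PIHOLE eq domain
access-list WIFI_IN extended permit tcp object NET-WIFI any eq https
access-list WIFI_IN extended permit tcp object NET-WIFI any eq www
access-list WIFI_IN extended permit udp object NET-WIFI any eq ntp
access-list WIFI_IN extended deny ip any any log
access-group WIFI_IN in interface wifi
!
! --- Stateful handling of ping replies (not in the default inspection set) ---
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Resolver the ASA uses for the FQDN objects: the pi-hole ---
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.53
```

The final `deny ip any any log` line is what makes the deny log useful: anything the Orbi needs that is not yet permitted shows up as a `%ASA-4-106023` message with its destination and port, so rules can be added from evidence rather than guessed. Two things to check on a 5505 before relying on this layout: `show version` reports the license, and with the Base license the third VLAN is a restricted zone that must carry `no forward interface Vlan1`, which blocks the WiFi-to-Inside pi-hole rule (the Security Plus license lifts that limit); and FQDN objects only resolve once `dns domain-lookup` and a reachable name server are configured, otherwise the rules that use them match nothing.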