Answer42
Feb 28, 2020 - Aspirant
RBR50v2 Cisco ASA5505 ACL Rules
I have recently purchased the ORBI system. I have a Cisco ASA 5505 and I am unable to manage it or take advantage of additional services such as parental controls. I have been digging through the...
FURRYe38
Feb 28, 2020 - Guru - Experienced User
Please review this. You might find some information that pertains to what you're doing:
For any configuration of the Cisco appliance, you will need to contact Cisco about that.
1qwerty1
Feb 28, 2020 - Tutor
Answer42,
I would be very careful opening _any_ inbound ports to my firewall.
For the Circle to work, I think the Orbi needs to be in Router mode. You will be in a double NAT situation since your ASA firewall is your perimeter device, not the Orbi. It might still work ok and is worth testing.
Then partition your firewall:
- 'Outside' ISP sec zone 'outside', DHCP client on the ASA to grab a dynamic IP from your ISP
- 'WiFi' sec zone (192.168.10.0/24) where your Orbi is going to live (Orbi's WAN interface; assign, for example, 192.168.10.254)
- 'Inside' sec zone for your most trusted/valuable assets like your desktop, NAS etc. (192.168.20.0/24)
Configure:
- Outbound NATs for both inside and wifi
- Allow all outbound traffic (for now) from Inside and WiFi subnets to Outside
- Allow tcp/8443/icmp-ping from Inside to Orbi's WAN interface for management access to Orbi. Enable Remote management in Orbi GUI.
Test your internet access from Inside and WiFi. Orbi should be handling DHCP assignments for your wifi clients/kids. Test streaming services like Netflix or Prime.
Configure/install the Circle app. The Orbi should be making outbound connections to the Netgear cloud (AWS) for updates/signatures/bad site lists etc. As far as I understand, there should be nothing initiating a connection from outside to your internal network (unless you configure a VPN portal on your ASA and make inbound IPsec VPN tunnels yourself using a Cisco AnyConnect VPN client). You restrict kids' access by using your smartphone app to manage the kids' access policies in the Netgear cloud, which get downloaded/updated by the Orbi unit. As I see it, the Orbi is making an outbound connection periodically to check if there is anything new for it to download.
If you read my thread, I am blacklisting some of the Netgear external sites using a pi-hole DNS server. You can blacklist NG's sites one at a time to see which one breaks your Circle app.
Lastly, if you want, you can restrict your outbound fw policies by defining rules for Orbi's WAN IP address to do:
- WiFi -> Outside: outbound FTP connections for updates (updates1[.]netgear[.]com) - if you trust NG to auto-update your unit, allow this.
- WiFi -> Outside: icmp pings to www[.]netgear[.]com (successful pings show the Orbi's GUI as an Internet-UP status) - allow
- WiFi -> Outside: SSL traffic to AWS over 443 (web stats and some unknown sites, not sure). There was also a custom tcp/port which escapes me. - decide whether to allow/deny (top rule in the policy hierarchy)
- WiFi -> Outside 'Any' : SSL/443, web-browsing/80, ntp/udp/123 + others - allow
- WiFi -> Inside pi-hole IP: DNS 53/udp to Inside - allow
Point your Orbi's management DNS (Inside security zone) and the ASA's DNS to your pi-hole, and do the same for the DHCP clients. Configure ASA policies with FQDN objects.
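As an added example (not from the thread, NETGEAR or Cisco), the partitioning and rules 1qwerty1 describes above, written out as an ASA 5505 CLI fragment. The VLAN numbers, the ASA's own interface addresses and the pi-hole address 192.168.20.10 are assumptions, and the switchport-to-VLAN assignment is omitted.

```cisco
! Added example, not from the thread: three-zone ASA 5505 layout from the post above
! Assumed: Vlan numbers, ASA interface IPs, pi-hole at 192.168.20.10, Orbi WAN at 192.168.10.254
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan2
 nameif wifi
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
! FQDN objects only match once the ASA itself can resolve names (via the pi-hole here)
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.10
object network ORBI_WAN
 host 192.168.10.254
object network PIHOLE
 host 192.168.20.10
object network NG_UPDATES
 fqdn updates1.netgear.com
object network NG_WWW
 fqdn www.netgear.com
! Outbound PAT for both internal zones, kept on the subnet objects (object NAT)
object network WIFI_NET
 subnet 192.168.10.0 255.255.255.0
 nat (wifi,outside) dynamic interface
object network INSIDE_NET
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Stateful ICMP so echo-replies to the management pings return without extra ACL entries
policy-map global_policy
 class inspection_default
  inspect icmp
! Inside: Orbi management on tcp/8443 plus ping, then unrestricted outbound "for now"
access-list INSIDE_IN extended permit tcp object INSIDE_NET object ORBI_WAN eq 8443
access-list INSIDE_IN extended permit icmp object INSIDE_NET object ORBI_WAN echo
access-list INSIDE_IN extended permit ip object INSIDE_NET any
access-group INSIDE_IN in interface inside
! WiFi: first match wins, so the wifi->inside deny must sit above the 'any' permits
access-list WIFI_IN extended permit tcp object ORBI_WAN object NG_UPDATES eq ftp
access-list WIFI_IN extended permit icmp object ORBI_WAN object NG_WWW echo
access-list WIFI_IN extended permit udp object WIFI_NET object PIHOLE eq domain
access-list WIFI_IN extended deny ip object WIFI_NET object INSIDE_NET
access-list WIFI_IN extended permit tcp object WIFI_NET any eq 443
access-list WIFI_IN extended permit tcp object WIFI_NET any eq 80
access-list WIFI_IN extended permit udp object WIFI_NET any eq ntp
access-group WIFI_IN in interface wifi
```

Once the Orbi's outbound flows are confirmed working, the `permit ip object INSIDE_NET any` line is the one to tighten; check `show version` for the number of VLAN interfaces your 5505 license allows before adding the third zone.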