Hi Dear,

Is there any chance to replace cisco ASA5510 with mikrotik RB1100?

This is my cisco configuration:
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.21.97.18 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.11 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 192.168.1.2
object-group network IT
description All Traffic Allowed
network-object 192.168.1.3 255.255.255.255
network-object 192.168.1.211 255.255.255.255
network-object 192.168.1.1 255.255.255.255
network-object 192.168.1.2 255.255.255.255
network-object 192.168.1.212 255.255.255.255
network-object 192.168.1.236 255.255.255.255
network-object 192.168.1.238 255.255.255.255
access-list IT extended permit ip object-group IT any
access-list Inbound extended permit tcp any host 213.12.32.12 eq pptp
access-list Inbound extended permit tcp any host 213.12.32.12 eq www
access-list Inbound extended permit tcp any host 213.12.32.12 eq 8000
access-list Inbound extended permit tcp any host 213.12.32.12 eq 8001
arp timeout 14400
nat-control
global (outside) 1 213.12.32.13 netmask 255.255.255.255
nat (inside) 1 access-list IT
static (inside,outside) tcp 213.12.32.12 pptp 192.168.1.3 pptp netmask 255.255.255.255
static (inside,outside) tcp 213.12.32.12 www 192.168.1.8 650 netmask 255.255.255.255
static (inside,outside) tcp 213.12.32.12 8000 192.168.1.238 8000 netmask 255.255.255.255
static (inside,outside) tcp 213.12.32.12 8001 192.168.1.236 8001 netmask 255.255.255.255
static (inside,outside) 213.12.32.11 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 213.12.32.10 192.168.1.17 netmask 255.255.255.255
static (inside,outside) 213.12.32.9 192.168.1.14 netmask 255.255.255.255
access-group Inbound in interface outside
access-group 105 in interface dmz
route outside 0.0.0.0 0.0.0.0 172.21.97.17 1
route inside 192.168.2.0 255.255.255.0 192.168.1.10 1

Your ASA configuration is pretty straightforward, nothing that the RB1100 can't do. However what speed connection is the ASA handling?

Hi Alqatife,

Don't forget that the ASA is designed as a firewall and has many security features not present in RouterOS. There's a reason Cisco produce the ASA versus just selling a router with ACL's. Replacing the ASA with an RB1100 will give you a router with ACL's.

On the other hand, if you simply want a cheaper solution for doing ACL's and NAT and are happy with the security compromise, then your config should be straight forward to reproduce. I note you have 'nat-control' enabled - just bear in mind that this will be different to how RouterOS works, but should be no biggie to work around.

Is this your whole config? There's a reference to ACL 105 on interface 'dmz', both of which are missing.

Rich

Hi Dear,

Our config very sample... the dmz for another subnet 192.168.100.0/24 but not use right now.

this our setting.

Can you help me one this one to config mikrotik to work as ASA5510 with our config.

Ether 1 172.21.97.18 (to ISP)

Ether 2 192.168.1.11

example-nat:

ip 213.12.32.13 for browsing internet.
ip 213.12.32.9 for email
ip 213.12.32.10 for cixtrix
ip 213.12.32.11 for oracle

Thanks.