2911 Routers behind firewall

jnewton83985
Level 1

I no longer see a need for our 2911 routers that sit behind our firewalls, and I am looking for feedback.

At one point they were used for a T1 connection, but that is no longer in use. They are configured for HSRP and OSPF; however, the OSPF neighbors consist of the standby 2911 and the ASAs. There are some route maps in use and a lot of static NAT translations, but all of this can be done by the ASA 5545-X. Below is a snippet of the topology to give you a better idea.

I just don't see a need for them anymore.

[Image: Routers.PNG (topology snippet)]


9 Replies

Hello,

first of all, the 2911 is end of life as of 2016, so most likely the throughput is not what you need and want anymore. I would agree that the ASAs in an HA setup look like they are sufficient. That said, what is the purpose of the routers in your current topology? Can you post the configs?

Yeah, they are EoL, and I was considering the C8200-1N-4T if they are replaced.

Attached is the config; I have removed quite a bit for security purposes.

Hello,

as far as I can tell, there are numerous static NAT entries for hosts that are not directly connected to the routers? The point is: the ASA should ideally not replace the functionalities of a router, but just do what it is supposed to do, which is to protect your network. If you have a lot of routing going on between internal networks, simply removing the router might be problematic, and reconfiguring the ASA to perform the tasks of the router could be rather tedious, and at the very least requires detailed planning. After all, the router allows, by default, everything, while the ASA, by default, denies everything...

Georg makes a good point about what would be doing the routing for the inside networks. We do not have information about what is downstream from the switches. But I do note that the router is running OSPF on the inside interface and is advertising a default route to its downstream neighbors. Based on this and on the unknowns about PBR, I will back off a bit on my endorsement of removing and not replacing the router.

HTH

Rick

They are needed if both ASAs (active/standby) point to the HSRP VIP of the routers.

Neither ASA points to the HSRP VIP.

Let's check:
you have L2 access switches
you have a VSS with SVIs configured as the gateway for the hosts on the L2/L3 access switches
you have two routers connected to the VSS at L3
you have two ASAs (active/standby) connected to the routers at L3

There is still one thing missing here: is the ASA in routed mode or transparent mode?

Routed mode.

Thanks for posting the partial router config. We do not know what you removed from the config, and some of that could possibly impact our advice. But based on what we know so far, I think you would be fine to remove the routers and to not replace them with anything.

When you were using the T1, the routers were necessary. If there is no more T1, then that removes the main reason to need the routers. When you mentioned some route maps, I wondered about them. The only route map for which we have details is about forwarding traffic to the firewalls (and only sets a tag on traffic for TCP port 80). I am not clear what the purpose is here or how important this is. If it is important, then you would need to find something downstream that could provide this function.

HTH

Rick
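The checks the replies above ask for (Georg's question about static NATs for hosts that are not directly connected to the routers, and Rick's points about the OSPF default route the router originates and the PBR route-map on the inside interface) can be pulled out of the router's running-config mechanically rather than by eyeballing it. The script below is an added example for this thread, not code from the original posts or from Cisco; it parses only the IOS commands shown, and the sample configuration it runs on is constructed with invented interface names and addresses shaped like the topology the original poster describes.

```python
"""Audit a Cisco IOS router config for the functions the ASA would have to absorb.

Added example, not code from the original posts: static NAT entries (flagging
inside hosts not on a directly connected subnet), OSPF default-route origination,
HSRP VIPs, and route-maps applied as PBR. All names and addresses are invented.
"""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Audit:
    connected: list = field(default_factory=list)       # (ifname, IPv4Network)
    hsrp_vips: list = field(default_factory=list)       # (ifname, vip)
    static_nat: list = field(default_factory=list)      # (inside_local, inside_global)
    ospf_default: bool = False                          # "default-information originate" seen
    route_maps: dict = field(default_factory=dict)      # name -> [clause lines]
    pbr_interfaces: dict = field(default_factory=dict)  # ifname -> route-map name

def parse_ios(config: str) -> Audit:
    """One pass over the config; leading whitespace marks sub-mode commands."""
    a = Audit()
    ifname = rmap = section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new context
            ifname = rmap = section = None
            if m := re.match(r"interface (\S+)", line):
                ifname = m.group(1)
            elif m := re.match(r"route-map (\S+)", line):
                rmap = m.group(1)
                a.route_maps.setdefault(rmap, [])
            elif line.startswith("router ospf"):
                section = "ospf"
            elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
                a.static_nat.append((m.group(1), m.group(2)))
            continue
        body = line.strip()
        if ifname:
            if m := re.match(r"ip address (\S+) (\S+)", body):
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                a.connected.append((ifname, net))
            elif m := re.match(r"standby \d+ ip (\S+)", body):
                a.hsrp_vips.append((ifname, m.group(1)))
            elif m := re.match(r"ip policy route-map (\S+)", body):
                a.pbr_interfaces[ifname] = m.group(1)
        elif rmap:
            a.route_maps[rmap].append(body)
        elif section == "ospf" and body.startswith("default-information originate"):
            a.ospf_default = True
    return a

def nat_not_connected(a: Audit) -> list:
    """Static NATs whose inside host is not on a directly connected subnet.
    After the router goes, the ASA needs both the NAT and a route to that host."""
    nets = [net for _, net in a.connected]
    return [(loc, glob) for loc, glob in a.static_nat
            if not any(ipaddress.ip_address(loc) in n for n in nets)]

def migration_checklist(a: Audit) -> list:
    """One plain-text change-plan item per function the ASA must take over."""
    downstream = set(nat_not_connected(a))
    items = [f"static NAT {loc} -> {glob}" + (" (downstream host)" if (loc, glob) in downstream else "")
             for loc, glob in a.static_nat]
    if a.ospf_default:
        items.append("OSPF default-route origination must move to the ASA")
    for ifn, vip in a.hsrp_vips:
        items.append(f"HSRP VIP {vip} on {ifn}: repoint downstream next hops")
    for ifn, name in a.pbr_interfaces.items():
        items.append(f"PBR {name} on {ifn}: " + "; ".join(a.route_maps.get(name, [])))
    return items

# Constructed sample config (invented addressing) shaped like the thread's topology.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 ip policy route-map PBR-WEB
 standby 1 ip 10.1.1.1
!
router ospf 1
 default-information originate
!
ip nat inside source static 10.1.1.50 198.51.100.10
ip nat inside source static 10.20.5.7 198.51.100.11
ip nat inside source static 10.30.8.9 198.51.100.12
!
route-map PBR-WEB permit 10
 match ip address WEB
 set ip next-hop 10.0.0.1
"""
if __name__ == "__main__":
    for item in migration_checklist(parse_ios(SAMPLE_CONFIG)):
        print(item)
```

Run against a real `show running-config`, every NAT flagged "(downstream host)" is one whose inside address the router only reaches via a route, so the ASA needs that route (static, or an OSPF adjacency to the VSS) in addition to the `nat` statement; the default-route item is the one Rick raises, since whatever sits below the switches will lose its default once the router stops originating it.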