Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1195
Views
5
Helpful
4
Replies

Need Suggestion On Best Practice Solution

Go to solution
pauzi123@
Level 1
Level 1

‎02-21-2017 02:50 AM

Hello,

Im currently in midst of optimizing site network that have more than 4100 users (currently). I would like know whether is it better to put:

  1. Firewall in-front of router OR
  2. Router in-front of firewall

My Firewall is ASA 5508-X (FirePower)

My Router is Cisco 2911-HSEC+/K9

Currently the router is handling only NAT-ing. The memory utilization is 79%

I attached current overall drawing for the site.

Labels:
Preview file
494 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leonardo Gama
Level 1
Level 1

‎02-21-2017 10:15 AM

Hi,

Considering your current topology and the fact that your ASA has far more horsepower than 2911, I would remove the 2911 from the topology (less point of failure) and let all routing and NAT with the firewalls, logically if you do not need any fancy feature from ISR routers.

Moreover I would insert a redundant 3850 switch with the second ASA.

Cheers.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎02-21-2017 07:39 AM

  - Your keyword 'in-front of' is undefined because it can be explained in 2 ways; it's better to have the router at the real edge, and only let it  handle routing; you should handle NAT on the firewall to take advantage of using firewalling properties/actions  when doing NAT.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
pauzi123@
Level 1
Level 1
In response to marce1000

‎02-21-2017 07:24 PM

Thank you for the information. What i mean by in front is, is better to put firewall or router first?

My current setup is firewall first having public IP, the router is connected at the firewall.

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to pauzi123@

‎02-21-2017 11:51 PM

  - Check the remarks from Leonardo

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Leonardo Gama
Level 1
Level 1

‎02-21-2017 10:15 AM

Hi,

Considering your current topology and the fact that your ASA has far more horsepower than 2911, I would remove the 2911 from the topology (less point of failure) and let all routing and NAT with the firewalls, logically if you do not need any fancy feature from ISR routers.

Moreover I would insert a redundant 3850 switch with the second ASA.

Cheers.

0 Helpful
Customers Also Viewed These Support Documents