Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1769
Views
5
Helpful
2
Replies

Router in front of a Firewall necessary?

Go to solution
NInja Black
Level 1
Level 1

‎07-25-2016 10:59 AM

Hi,

 We have a ASA5515 behind a Router 3925.

Internet > Router > ASA > Switch

The ASA does just firewalling and site-to-site IPSec VPNs and the Router does NATing, PBR QoS etc. 

I always found the Router unnecessary as the ASA can handle all the features supported by the Router. I want to get rid of the router. Any reason at all I should not? What is the best recommended practice regarding this design? I understand the design is completely based on a company's requirement but ours is a straight forward setup. 

Any ideas are highly appreciated.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-25-2016 07:40 PM

I'm an advocate for playing to the strengths of each.

Stateful firewall - ASA

NAT - ASA (not the router)

PBR and QoS - router

While the ASA can technically do them all, the router can route better and do other things like QOS a lot better.

When you exercise features used by only a small percentage of ASA customers you have a much greater likelihood of hitting service-affecting bugs in the code.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-25-2016 07:40 PM

I'm an advocate for playing to the strengths of each.

Stateful firewall - ASA

NAT - ASA (not the router)

PBR and QoS - router

While the ASA can technically do them all, the router can route better and do other things like QOS a lot better.

When you exercise features used by only a small percentage of ASA customers you have a much greater likelihood of hitting service-affecting bugs in the code.

0 Helpful

Go to solution
NInja Black
Level 1
Level 1
In response to Marvin Rhoads

‎07-26-2016 07:19 PM

Thanks Marvin.  

Regarding NAT, shouldn't NAT be on the router? I am comfortable using NAT on the router. I use route maps for load balancing traffic between the interfaces connected to 2 ISP connections. the Please explain benefits of NATing on the ASA instead.

Also in my topology, if NATing is done on the ASA will  I have to move the ASA in front of the router?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents