07-25-2016 10:59 AM
Hi,
We have an ASA5515 behind a Router 3925.
Internet > Router > ASA > Switch
The ASA does just firewalling and site-to-site IPSec VPNs, and the Router does NATing, PBR, QoS, etc.
I always found the Router unnecessary as the ASA can handle all the features supported by the Router. I want to get rid of the router. Any reason at all I should not? What is the best recommended practice regarding this design? I understand the design is completely based on a company's requirement but ours is a straight forward setup.
Any ideas are highly appreciated.
Thanks.
07-25-2016 07:40 PM
I'm an advocate for playing to the strengths of each.
Stateful firewall - ASA
NAT - ASA (not the router)
PBR and QoS - router
While the ASA can technically do them all, the router can route better and do other things like QoS a lot better.
When you exercise features used by only a small percentage of ASA customers you have a much greater likelihood of hitting service-affecting bugs in the code.
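As an added illustration of the split described in this answer (example configuration, not from the original thread or either poster), this shows the NAT and VPN exemption on the ASA and the PBR and QoS on the router. All addresses, object names, interface names and the ISP next-hops are constructed assumptions, and the ASA syntax assumes the 8.3+ NAT model.

```cisco
! ===== ASA (stateful firewall, NAT, site-to-site VPN) =====
! Assumed inside LAN and remote VPN site (constructed values)
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE-SITE
 subnet 10.1.0.0 255.255.255.0
!
! Manual (twice) NAT exemption so traffic to the VPN peer keeps its
! real addresses. Section 1 rules are evaluated before object NAT,
! so this must exist or VPN traffic gets PAT'd and the tunnel breaks.
nat (inside,outside) source static LAN LAN destination static REMOTE-SITE REMOTE-SITE no-proxy-arp route-lookup
!
! Object (auto) NAT: PAT everything else from the LAN to the
! outside interface address. Return traffic is tied to the ASA's
! connection table, so NAT and stateful inspection live in one place.
object network LAN
 nat (inside,outside) dynamic interface
!
! ===== Router 3925 (routing, PBR, QoS; no NAT) =====
! Assumed ISP next-hops (constructed): ISP1 203.0.113.1, ISP2 198.51.100.1
ip access-list extended PBR-TO-ISP2
 remark Assumed: send this LAN subnet's traffic out via ISP2
 permit ip 10.0.0.0 0.0.0.255 any
!
route-map PBR-ISP permit 10
 match ip address PBR-TO-ISP2
 set ip next-hop 198.51.100.1
! Unmatched traffic falls through to the normal routing table (ISP1)
route-map PBR-ISP permit 20
!
! Apply PBR on the interface facing the ASA
interface GigabitEthernet0/2
 description To ASA outside
 ip address 192.168.255.1 255.255.255.252
 ip policy route-map PBR-ISP
!
! MQC QoS: low-latency queue for EF-marked voice, fair queue for the rest
class-map match-any VOICE
 match ip dscp ef
policy-map WAN-OUT
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description To ISP1
 ip address 203.0.113.2 255.255.255.248
 service-policy output WAN-OUT
interface GigabitEthernet0/1
 description To ISP2
 ip address 198.51.100.2 255.255.255.248
 service-policy output WAN-OUT
```

The ordering on the ASA side is the part to check after a change like this: `show nat` lists the manual exemption under Section 1 ahead of the object NAT, and `packet-tracer input inside tcp 10.0.0.10 1234 10.1.0.10 80` should show the VPN-bound flow hitting the exemption rather than the PAT rule.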
07-26-2016 07:19 PM
Thanks Marvin.
Regarding NAT, shouldn't NAT be on the router? I am comfortable using NAT on the router. I use route maps for load balancing traffic between the interfaces connected to 2 ISP connections. Please explain the benefits of NATing on the ASA instead.
Also in my topology, if NATing is done on the ASA will I have to move the ASA in front of the router?