07-25-2016 10:59 AM
Hi,
We have an ASA5515 behind a Router 3925.
Internet > Router > ASA > Switch
The ASA does just firewalling and site-to-site IPSec VPNs and the Router does NATing, PBR, QoS, etc.
I always found the Router unnecessary as the ASA can handle all the features supported by the Router. I want to get rid of the router. Any reason at all I should not? What is the best recommended practice regarding this design? I understand the design is completely based on a company's requirement but ours is a straightforward setup.
Any ideas are highly appreciated.
Thanks.
07-25-2016 07:40 PM
I'm an advocate for playing to the strengths of each.
Stateful firewall - ASA
NAT - ASA (not the router)
PBR and QoS - router
While the ASA can technically do them all, the router can route better and do other things like QoS a lot better.
When you exercise features used by only a small percentage of ASA customers you have a much greater likelihood of hitting service-affecting bugs in the code.
07-26-2016 07:19 PM
Thanks Marvin.
Regarding NAT, shouldn't NAT be on the router? I am comfortable using NAT on the router. I use route maps for load balancing traffic between the interfaces connected to 2 ISP connections. Please explain the benefits of NATing on the ASA instead.
Also in my topology, if NATing is done on the ASA will I have to move the ASA in front of the router?