Cisco ASA network topology

dereksters · ‎11-21-2017

Trying to figure out the best placement for a Cisco ASA 5508-X in our network that already has a Cisco 2900 router in place for the edge WAN and some internal Cisco Catalyst core and distro switches.

In a dilemma whether we should place the ASA in front of the router or behind it? There has been no documented best practice so based on all your experience which works well and is best practice in your environment?

I'm an advocate in leveraging each appliance's or device's key strengths so was thinking of letting the router do what it does best, which is routing and GRE tunnels, and leave the ACLs/filtering/IDS/IPS/IPsec tunneling/etc. of course in the ASA. But ideally where do we NAT (router vs ASA) on either of the options below?...

Option 1. (internal) -- (Cisco ASA 5508-X) -- (Cisco Router 2900) -- [internet]

Option 2. (internal) -- (Cisco Router 2900) -- (Cisco ASA 5508-X) -- [internet]

Thanks and would appreciate feedback. Would also appreciate sample configurations to supplement if any.

Karsten Iwen · ‎11-22-2017

I would consider two more options:

Place both outside interfaces of the router and ASA onto the internet and the router inside interface in an ASA-DMZ
Place the router on a stick in an ASA-DMZ

dereksters · ‎11-22-2017

Hi Karsten, do you mind putting that out in a diagram like what I did with my post? Also, any reason why I'd want the router and ASA outside interfaces facing out the WAN both? Thing is if I do that though I will have to put a layer 2 switch before them to split out the WAN connection. Thanks.