12-22-2011 11:48 AM - edited 03-11-2019 03:05 PM
Hi there,
Typically, our remote office has a WAN router with a T1 Internet connection. Then we put an ASA behind the router LAN for firewall/NAT and those kinds of functions.
Recently, we have been planning to replace the T1 Internet connection with an Ethernet 10 Mbps Internet connection. I am thinking of having the Ethernet Internet connection go directly to the ASA external interface, eliminating the border router.
Is this a common approach? Any downside if I decide to go with this option?
Thank you.
-Raymond
12-22-2011 11:53 AM
Hello Ray,
In fact, this is a common approach in scenarios using an ASA, because the ASA can route, can NAT, can be the end-termination of a VPN, etc. And all of this also comes with major security features not seen before on any firewall that will protect your internal network from the outside world.
So if you want to do it, go for it; the ASA will work for this setup.
Regards,
Julio
12-22-2011 01:01 PM
You need to THINK carefully before you do this, for several reasons:
- ASA cannot terminate a combination of GRE/IPSec,
- ASA cannot do DMVPN or VTI,
- Complex QoS,
Therefore, if your plan includes multicast over VPN, then you should NOT get rid of the router.
My 2c
12-22-2011 02:32 PM
Thank you both for your input.
Dave, thanks for the note about what the ASA cannot do. Fortunately, I won't need to worry about these limitations in this case, but it is good to be aware of them for future cases.
12-22-2011 05:58 PM
Hello Raym,
My pleasure, please let me know if you have any other questions.
If not, we can mark the question as answered.
Regards,
Julio
12-22-2011 09:12 PM
But if you eliminate the router, you will not be able to do policing or bandwidth segregation. Please rate if helpful.
Regards,
rajat
12-23-2011 09:26 AM
Hello R.kukreja,
You would be able to do policing or bandwidth limit on the ASA using the MPF.
Regards,
Julio
12-23-2011 04:52 PM
"You would be able to do policing or bandwidth limit on the ASA using the MPF."
A German Porsche is NOT the same as a Toyota Camry. They are both cars, but the Porsche can do a lot of things that the Camry cannot do.
The same goes for bandwidth limiting and policing on the ASA. It can be done on the ASA, but the router has much more flexibility with these features.
You can run OSPF and BGP on the ASA too, but you don't see many people do that, do you?
12-23-2011 05:54 PM
I do not argue with that; it is 100% correct, but you will still be able to police bandwidth on the ASA, even though the router is more flexible.
Thanks for the comment anyway.
Julio