06-11-2015 12:57 PM - edited 03-11-2019 11:05 PM
Hi,
Right now the ASA is directly connected (Outside interface) to the Internet, and we have created rules to allow interesting traffic.
Is there any benefit to introducing a router (2901) in front of the ASA, i.e. the router will be connected to the Internet and the ASA will be connected to the router?
In this scenario, do we need to create NAT rules on the router?
Regards,
Bineesh
06-11-2015 05:39 PM
It really depends on your setup and what services you are running. Here are a few pros and cons.
Pros:
- If you are running multiservices like BGP, dual links, etc., it would be better to let the router handle this and make your firewall a dedicated security appliance doing NAT, VPNs, filtering, etc.
- Cisco ASA 5500-X Next Gen Firewalls don't support traffic shaping. Thus, you have to implement this on the router.
Cons:
- Additional public IP subnet between ASA and router.
- Requires more rack space and power outlets.
- More devices to administer.
- Adds another point of failure.
06-16-2015 04:42 AM
Is there a reason why you are considering a router in front of the ASA, since things are working with your current setup? Perhaps you want to give more insight.
About the NAT rules: you don't need to move NAT to the router; you can keep it on the ASA but you will need to configure static routes on the router for the mapped addresses pointing towards the ASA so that the router knows how to forward the traffic. You can refer to this link ("Addresses on a unique network") for more information about this.
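The static routes described in the reply above, worked out as an added example (not code from the thread or from Cisco). It assumes IPv4; the function name is hypothetical and every address is constructed from documentation ranges.

```python
import ipaddress


def routes_for_mapped(transit_subnet, asa_outside_ip, mapped_addrs):
    """Return (ios_route_lines, on_transit) for the router in front of the ASA.

    transit_subnet : router<->ASA link subnet (assumed value)
    asa_outside_ip : ASA outside interface address, used as next hop
    mapped_addrs   : public (mapped) addresses the ASA translates to
    """
    transit = ipaddress.IPv4Network(transit_subnet)
    next_hop = ipaddress.IPv4Address(asa_outside_ip)
    if next_hop not in transit:
        raise ValueError("ASA outside IP must be on the router-ASA transit subnet")

    on_transit, off_transit = [], []
    for addr in mapped_addrs:
        ip = ipaddress.IPv4Address(addr)
        # Mapped addresses inside the transit subnet are reached on the
        # connected link (the ASA answers ARP for them); the rest sit on a
        # "unique network" and the router needs a static route for them.
        (on_transit if ip in transit else off_transit).append(ip)

    # Merge adjacent mapped addresses into the fewest prefixes so the router
    # carries one route per block instead of one per host.
    host_nets = [ipaddress.IPv4Network(f"{ip}/32") for ip in off_transit]
    lines = [
        f"ip route {net.network_address} {net.netmask} {next_hop}"
        for net in ipaddress.collapse_addresses(host_nets)
    ]
    return lines, [str(ip) for ip in sorted(on_transit)]


# Constructed sample values (RFC 5737 documentation ranges).
SAMPLE_TRANSIT = "198.51.100.0/30"
SAMPLE_ASA_OUTSIDE = "198.51.100.2"
SAMPLE_MAPPED = [
    "203.0.113.16", "203.0.113.17", "203.0.113.18", "203.0.113.19",
    "203.0.113.24",
    "198.51.100.2",  # interface PAT: already on the transit link
]

if __name__ == "__main__":
    routes, connected = routes_for_mapped(
        SAMPLE_TRANSIT, SAMPLE_ASA_OUTSIDE, SAMPLE_MAPPED
    )
    print("Static routes to add on the router:")
    for line in routes:
        print(" ", line)
    print("No route needed (on transit subnet):", connected)
```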