02-02-2006 02:38 AM - edited 03-03-2019 01:40 AM
I have an existing setup as follows:
Internal LAN----Cisco 2611XM--------ISP
NAT overload has been done successfully on the cisco router.
Now, we wish to put a firewall in the existing setup which leaves us with two options as follows:
1>Internal LAN----Firewall-----Router----ISP
2>Internal LAN----Router-------Firewall----ISP
I want to know which one is more appropriate. The firewall (Gajshield) is an antivirus server as well and permits me to NAT also. Any suggestions? I have attached a diagram with this; check it for your reference.
02-02-2006 03:02 AM
Hi Farhan,
I think the best will be the first option: if any traffic comes from the ISP to your company, let it get routed first and then filter it on the firewall.
Also, I am not sure if your firewall has interfaces to connect to the ISP directly and if it supports full routing and load balancing as routers do to send the traffic out towards the ISP, in case you plan for more ISP connections in future.
The first setup will be more flexible.
HTH
Ankur
02-02-2006 03:13 AM
Thanks Ankur,
Yes the firewall does have two network interfaces-one for the ISP and the other for LAN.
If the firewall supports full routing and load balancing between multiple ISP links, wouldn't it be appropriate to keep the router firewalled as well?
02-02-2006 03:20 AM
Hi Farhan,
Yes, of course, if your firewall supports the full routing feature you may opt for the second option, but it will not be very flexible: if in future you provision one more ISP for any reason, you cannot use the second option and you have to reconfigure your whole router and firewall.
Also, using the router directly to the ISP as in the first option, if you change services with the ISP at any time your router may support different modules for different services, but your firewall may not.
HTH
Ankur
02-02-2006 03:04 AM
Hi Farhan,
I would go with option 1. My reasoning for that is:
- if you get a second ISP link, you can use the router to provide effective load-balancing
- if you choose to run BGP with your ISP at some point, the router is better equipped to handle this
On the flip side, having a firewall at the front means that you can filter out all *bad* traffic even before it gets to your router.
There are pros and cons either way you go, though.
Hope that helps - please rate the post if it does.
Paresh
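For readers weighing option 1 (Internal LAN - Firewall - Router - ISP), here is an added example of what the router side of that design looks like in Cisco IOS. It is not configuration from the original thread or from any poster; the addresses (10.0.0.0/24 for the LAN, 192.0.2.0/30 between firewall and router, 198.51.100.0/30 towards the ISP), the interface names and the ACL names are constructed for illustration. It assumes the firewall routes the LAN prefix without translating it, so NAT overload stays on the router as in the original setup, and it keeps a simple anti-spoofing filter on the ISP-facing interface so that packets claiming private source addresses are dropped before they ever reach the firewall.

```cisco
! Option 1: LAN ---- firewall ---- 2611XM ---- ISP
! Addresses, interface names and ACL names are constructed for this example.
interface FastEthernet0/0
 description Inside: faces the firewall's outside interface
 ip address 192.0.2.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 description Outside: ISP link
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group ISP-IN in
!
! Default route to the ISP; return route to the LAN prefix points at the firewall
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.0.0.0 255.255.255.0 192.0.2.2
!
! Only the LAN prefix is translated (NAT overload on the ISP-facing address)
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! Anti-spoofing: drop inbound packets with private source addresses
! before they reach the firewall; everything else is left to the firewall.
ip access-list extended ISP-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
```

The static route for 10.0.0.0/24 via the firewall is the piece most often forgotten in this topology: without it, translated return traffic arrives at the router with no path back to the LAN. Check the translation table with `show ip nat translations` and the filter hits with `show ip access-lists ISP-IN` after bringing the link up.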