A little confused about using a ASA 5510 with 1941W Router

pinnaclecsg
Level 1

Thank you in advance for any tips because I have totally confused myself now

I am trying to upgrade our network and follow some of the Cisco best practices. We also have another office we will bring online in a few months.

We currently have a 1941W ISR Router in a base configuration. The router connects to our cable modem which is done by Ethernet connection on gigabit interface 1 and the LAN is connected to gigabit interface 2, then on to the switch, finally all the computers and servers connect at the switch or just the basic:  Modem -> 1941W router -> Switch-> Servers and Computers

We are having some growth and I want to change the configuration and add an ASA 5510, a web server, an e-mail security appliance and a web security appliance.

Under my current understanding the best practice would be: modem -> 1941 router -> switch -> ASA 5510, and then at that point, on one Ethernet connection on the ASA 5510, I could create a DMZ for the web server and e-mail security appliance (IronPort).

On the other connection I would go to another switch and head off to my internal network where the web security appliance would be; however, I am confused.

Based on what I have read in the support community, is the 1941W router even needed any more? If not, what do I lose, if anything? I guess I am confused because I thought you always needed a router in the configuration of a network, and I was having trouble trying to figure out, if I used both devices, where the VPN connection would come in, since they both could handle the function. I tried looking at some of the docs on the Cisco site for design guidelines and I got lost some more.

Any help would be greatly appreciated.

Thanks

Cory M

5 Replies

Jon Marshall
Hall of Fame

Cory

Based on what I have read in the support community, is the 1941W router even needed any more? If not, what do I lose, if anything? I guess I am confused because I thought you always needed a router in the configuration of a network, and I was having trouble trying to figure out, if I used both devices, where the VPN connection would come in, since they both could handle the function. I tried looking at some of the docs on the Cisco site for design guidelines and I got lost some more.

Simple answer is no, you don't necessarily need a router. One of the main reasons for having a router was often that the termination offered by your provider was not Ethernet and therefore you could not terminate the connection directly on the ASA, as they only support Ethernet. Also, depending on the public addressing provided to you by your ISP, it may not be easy to integrate the ASA and the router. It really depends on the size of the subnet allocated to you.

What do you lose? Well, a router can support things such as PBR (Policy Based Routing) and two equal default routes out of separate interfaces etc., which your ASA cannot. However, if you only have one internet connection coming in and you have no plans to upgrade for redundancy, then the ASA will perform perfectly well. You can do all your NAT and VPN termination on the ASA device.

Bear in mind that a router can also be a firewall if you run the right feature set, but personally, if you want a firewall, my advice would be to go with a dedicated firewall device such as the ASA.

So to summarise, you don't have to use a router, it is not mandatory. If the ISP hands you an ethernet termination then it is perfectly valid to connect that straight to the ASA. The ASA is not as multipurpose as a router but that is not necessarily a bad thing.

Jon

gatlin007

My 2 cents.

The ASA is an OK firewall but a terrible router.

With the proper feature set the 1941 router is a great router and good firewall.  The router can do everything the ASA does and more.  The ASA can only do a subset of what the router can do.  Go with the router and never look back.

The ASA's strength is when firewalling and/or encryption is better served on a unique piece of hardware.  Typically not the case in small to medium networks.



Chris


Chris

I agree that the ASA is not a good router, but I don't see how this relates to this question. If the design was to run inter-VLAN routing off the ASA then I would be in total agreement with you, but unless the LAN interface of the router is running 802.1q then no routing is needed internally. If it is, then you could either -

1) use a L3 switch which may well be the case already

2) deploy the 1941 inside the LAN for inter-vlan routing. I'm not a huge fan of using a router to do this though as it is very inefficient compared to even a low end L3 switch.

The question was primarily concerned with whether you needed a router on the outside of the ASA, and I think you don't if the termination is Ethernet.

I guess we all have different experiences, but I would argue that if you want a firewall, use a firewall. A router can do a lot more things, and for that read a lot more code, and with more code comes more bugs. Bugs are not really what you want in the device protecting your company from the internet.

Performance is also an interesting one. A router will run the firewall feature set in software (unless this has changed), whereas an ASA is a dedicated appliance with a lot more throughput. I've never been a huge fan of the firewall feature set on a router because it's an add-on rather than its primary purpose.

Like I say, not trying to argue, more discuss really the pros and cons of each.

Jon
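The point in the reply above is that inter-VLAN routing belongs on an L3 switch, with the ASA only seeing one routed link. Below is an added example of what that looks like on a Catalyst-style IOS switch; it is not configuration from the thread or from Cisco's design guides, and the VLAN numbers, names, interface names and 10.x.x.x addresses are all assumptions chosen for illustration. It assumes the ASA's inside interface sits on the 10.0.0.0/30 transit link at 10.0.0.1.

```cisco
! Added example: L3 switch handles routing between the server and desktop VLANs,
! then hands everything else to the ASA over a single routed link.
! All addresses, VLAN IDs and interface names are assumptions for this example.
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name DESKTOPS
!
! SVIs are the default gateways for the two VLANs (inter-VLAN routing happens here, not on the ASA)
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
interface Vlan20
 ip address 10.10.2.1 255.255.255.0
!
! Routed point-to-point link toward the ASA "inside" interface (assumed at 10.0.0.1)
interface GigabitEthernet0/1
 description to ASA inside
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Everything not local goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! 802.1q trunk down to the desktop L2 switch, carrying only the desktop VLAN
interface GigabitEthernet0/2
 description trunk to desktop switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
```

The caveat a practitioner hits here is the return path: the ASA only knows about the 10.0.0.0/30 link it is directly connected to, so it needs a static route for the VLAN subnets (for example `route inside 10.10.0.0 255.255.0.0 10.0.0.2`) or traffic from the internet back to the desktops is dropped. Keeping the server and desktop VLANs on the switch also means no VLAN-to-VLAN traffic crosses the firewall; if you want the firewall between servers and desktops, those VLANs need to be separate ASA interfaces or sub-interfaces instead.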

pinnaclecsg
Level 1

Chris and Jon,

Thanks for the advice! It means a lot; I got a lot of good clarification!

I decided to go with the ASA 5510 and my preliminary setup is:

outside ethernet: ISP Modem

DMZ Ethernet: Layer 2 switch, then off to the web server and email security appliance

internal Ethernet: Layer 3 switch (which connects to the servers (database, email, etc.) and another switch for desktop computers, etc.)

Jon, I was going to put a Layer 3 switch but wanted to be sure I was putting in right spot.

I was looking at some Cisco docs and I just got confused. I just saw one that has a "outside switch" that the ISP Modem would connect to and the ASA 5510 would connect to that.

Thanks again many times over for your help

Cory


Cory

Yes, a L3 switch would be used in the LAN for routing between vlans.

You can use a switch on the outside to connect the modem to the ASA if you want but if you don't have any other devices you need there you could just as easily connect the modem straight to the ASA. Then have a L2 switch just for the DMZ.

Jon
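The three-interface design the thread settles on (modem straight into the ASA, an L2 switch on the DMZ for the web server and e-mail security appliance, an L3 switch on the inside) is shown below as an added ASA 5510 configuration example. It is not configuration from the thread or from Cisco; the public addresses are RFC 5737 documentation ranges, the private addresses, object names and the internal mail server at 10.10.1.20 are assumptions, and the NAT syntax assumes ASA software 8.3 or later. The routes for the inside VLANs assume an L3 switch at 10.0.0.2 on the inside link.

```cisco
! Added example: ASA 5510 with outside / dmz / inside, NAT for the published DMZ hosts,
! and ACLs that expose only the services that need to be reachable.
! Addresses, names and the 8.3+ NAT syntax are assumptions for this example.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
! Default route to the ISP; the LAN VLANs live behind the L3 switch at 10.0.0.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.0.0 10.0.0.2 1
!
! DMZ hosts and their one-to-one public addresses
object network WEB-SRV
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
object network ESA
 host 192.168.50.11
 nat (dmz,outside) static 203.0.113.4
!
! Inside LAN leaves via PAT on the outside interface address
object network INSIDE-LAN
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Internet may reach only the published services; in 8.3+ the ACL names the real (private) host,
! not the translated public address
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE-IN extended permit tcp any object ESA eq 25
access-group OUTSIDE-IN in interface outside
!
! DMZ may not initiate toward the inside, except the ESA relaying accepted mail
! to the internal mail server (assumed at 10.10.1.20); everything else from the DMZ
! may only go to the internet
object network INTERNAL-MAIL
 host 10.10.1.20
access-list DMZ-OUT extended permit tcp object ESA object INTERNAL-MAIL eq 25
access-list DMZ-OUT extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-OUT extended permit ip any any
access-group DMZ-OUT in interface dmz
```

Two things worth checking once this is in place. First, without the DMZ-OUT list the ASA's default behaviour lets the DMZ (security level 50) initiate connections to nothing on the inside (100) but everything on the outside (0); the explicit deny for the whole 10.0.0.0/8 exists so that a compromised web server cannot pivot to the LAN even if someone later adds a permissive rule above it. Second, on images before 8.3 the NAT is written as `static (dmz,outside) 203.0.113.3 192.168.50.10` and the outside ACL must reference the public address, so copy the style that matches the software the 5510 is actually running. VPN termination for the second office would also land on this ASA, as the first reply says, but it is not shown here.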
