cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
739
Views
5
Helpful
1
Replies

ASR as an internet gateway? Seeking design advice.

johnsmunoz
Level 1
Level 1

I'm using an ASR-1001x (Cisco IOS XE Software, Version 03.16.02.S) at our COLO

 with 2 Microsoft Express Route circuits using BGP

 2 10G Wavelength links to our headquarters 

 1 Layer 2 VPLS circuit for our remote locations

 1 1G DIA internet circuit

 

Everything is working great but the DIA.  I'm able to use it as a DMZ gateway but not as an internet gateway for our headquarters (assuming I need to setup NAT).  I'm fairly new to the ASR family and usually use ASA's as gateways.  I'm half tempted to one of our ASA5555x's out there but I'd like to just have a single router out there.  

 

Looking for your suggestions.. what would be the best way to do this?

I'm guessing I may get more security by using the ASA as the gateway?  I'd probably have to add a SFP module to it since the 5555 only has copper on it.   

 

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Yes you can add asa firewall to have more security. However this isn't mandatory since you've an asr which is able to handle zbf (zone base firewall) with the right license. 

 

Using zbf, you will add the security your expecting unless you want to add specific feature like firepower.

 

I don't see specifics in your design, but you can create vrfs to have your different zones isolated and add a dynamic routing protocol like bgp to leak specific subnets that need to communicate each other. With zbf on top of this, you'll have a good security to protect your networks.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Yes you can add asa firewall to have more security. However this isn't mandatory since you've an asr which is able to handle zbf (zone base firewall) with the right license. 

 

Using zbf, you will add the security your expecting unless you want to add specific feature like firepower.

 

I don't see specifics in your design, but you can create vrfs to have your different zones isolated and add a dynamic routing protocol like bgp to leak specific subnets that need to communicate each other. With zbf on top of this, you'll have a good security to protect your networks.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question