Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
5
Helpful
1
Replies

ASR as an internet gateway? Seeking design advice.

Go to solution
johnsmunoz
Level 1
Level 1

‎06-20-2018 08:25 AM - edited ‎03-05-2019 10:37 AM

I'm using an ASR-1001x (Cisco IOS XE Software, Version 03.16.02.S) at our COLO

 with 2 Microsoft Express Route circuits using BGP

 2 10G Wavelength links to our headquarters 

 1 Layer 2 VPLS circuit for our remote locations

 1 1G DIA internet circuit

 

Everything is working great but the DIA.  I'm able to use it as a DMZ gateway but not as an internet gateway for our headquarters (assuming I need to setup NAT).  I'm fairly new to the ASR family and usually use ASA's as gateways.  I'm half tempted to one of our ASA5555x's out there but I'd like to just have a single router out there.  

 

Looking for your suggestions.. what would be the best way to do this?

I'm guessing I may get more security by using the ASA as the gateway?  I'd probably have to add a SFP module to it since the 5555 only has copper on it.   

 

Labels:
Preview file
114 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎06-21-2018 05:59 PM

Hi

 

Yes you can add asa firewall to have more security. However this isn't mandatory since you've an asr which is able to handle zbf (zone base firewall) with the right license. 

 

Using zbf, you will add the security your expecting unless you want to add specific feature like firepower.

 

I don't see specifics in your design, but you can create vrfs to have your different zones isolated and add a dynamic routing protocol like bgp to leak specific subnets that need to communicate each other. With zbf on top of this, you'll have a good security to protect your networks.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

1 Reply 1

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎06-21-2018 05:59 PM

Hi

 

Yes you can add asa firewall to have more security. However this isn't mandatory since you've an asr which is able to handle zbf (zone base firewall) with the right license. 

 

Using zbf, you will add the security your expecting unless you want to add specific feature like firepower.

 

I don't see specifics in your design, but you can create vrfs to have your different zones isolated and add a dynamic routing protocol like bgp to leak specific subnets that need to communicate each other. With zbf on top of this, you'll have a good security to protect your networks.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents