06-07-2007 11:14 AM - edited 03-03-2019 05:21 PM
Hey all,
I'm kind of new to this, so here goes.
Is there a best practice for whether you should put your router inside or outside your F/W?
06-07-2007 11:38 AM
Easily, actually. You can configure your firewall as a layer 2 device, so it doesn't even touch the IP information in the packet.
All in all, honestly, as someone said above, it depends. The perfect solution is router -> firewall -> (DMZ)/router -> firewall -> corporate LAN.
Your outside router can do basic NATting for your DMZ servers and such, as well as some rough access control with access lists. The firewall behind the router can act as either a layer 2 or layer 3 device (I think); then your internal router actually does your PATting for the corporate LAN, and the firewall behind that has some really buttoned-up access lists (at least in my understanding).
06-07-2007 11:17 AM
06-07-2007 11:23 AM
Thanks, so just to make sure I'm reading this diagram correctly, it's ISP --> Router --> FW --> LAN.
Correct?
06-07-2007 11:24 AM
It would be a good practice to filter your traffic with a firewall first and then route your traffic internal to your network. Of course, it all depends upon your requirements. You may want to route your traffic first if you are acting as an ISP, but the majority use the firewall first and then route. You may have multiple firewalls within your network to segment for DMZs. Hope this helps. Please rate.
06-07-2007 11:29 AM
Forgive me, I'm sort of new at this.
If I put the router inside the FW and a user inside the network wants to get out to the Internet, how would the FW know where to send them?
06-07-2007 11:33 AM
Firewalls have very limited routing tables. They mainly route from static routes listed on the firewall. However, some high-end firewalls (Cisco PIX and ASA) can use RIP to route traffic as well as static routes.
06-07-2007 11:35 AM
OK, that's what I thought. So if I need to be able to route user Internet traffic as well (WWW.YZ.COM), I will need to put the router outside.
06-07-2007 11:40 AM
Thanks, that answered my question.
06-07-2007 11:39 AM
Jason
If the router is inside the firewall then, as mentioned, you need either static routes or for it to participate in a routing protocol. Here's an example:
client(192.168.1.10) -> (192.168.1.1) router (192.168.2.1) -> (192.168.2.2) pix (217.20.10.1)
The client has a default gateway of the router (192.168.1.1). The router has a default route pointing to the PIX inside interface, 192.168.2.2.
The PIX has a default route pointing to the upstream router, i.e. the one provided by your ISP, very probably.
The PIX also has a static route on it:
route inside 192.168.1.0 255.255.255.0 192.168.2.1
This tells it how to send return traffic to the client.
HTH
Jon
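The configuration that implements Jon's example above, written out for both devices as an added illustration (this is editor-supplied config, not something posted in the thread). Addresses come from Jon's diagram; everything else is assumed: PIX 7.x / pre-8.3 ASA syntax, the interface names Ethernet0/Ethernet1 and FastEthernet0/0/0/1, the ISP next hop 217.20.10.254, and a single PAT pool on the outside interface.

```cisco
! --- Internal router (IOS), sits between the clients and the PIX ---
interface FastEthernet0/0
 description Client LAN (default gateway for 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 description Transit link to PIX inside interface
 ip address 192.168.2.1 255.255.255.0
!
! Everything the router does not know goes to the PIX inside interface
ip route 0.0.0.0 0.0.0.0 192.168.2.2

! --- PIX (7.x / ASA pre-8.3 syntax) ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 217.20.10.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
! Default route to the ISP router (217.20.10.254 is an assumed next hop)
route outside 0.0.0.0 0.0.0.0 217.20.10.254 1
!
! Without this line the PIX only knows 192.168.2.0/24 as connected;
! replies to 192.168.1.10 would match the default route and be sent
! toward the ISP. This is the static route Jon describes.
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1
!
! PAT the client subnet behind the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

The check that the return path is right is to run `show route` on the PIX and confirm 192.168.1.0/24 appears as a static entry via 192.168.2.1 on inside; if a second internal subnet is added behind the router later, it needs its own `route inside` and `nat (inside)` lines as well, or it gets the same symptom (outbound works through the router, but the PIX drops the client's traffic or sends replies the wrong way).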