11-27-2011 07:36 PM - edited 03-04-2019 02:25 PM
I'm trying to figure out the best design for my network. I currently have a setup like this:
Internet - Cable Modem - Pix 515E (doing NAT) - 2621 - Internal Network
Now, should I have the 2621 as my edge device or the Pix? Just trying to get a good design or "best practice". Thanks for any help.
11-27-2011 09:17 PM
It is recommended to have the PIX FW as your edge device instead of the router (in terms of secure connectivity).
11-27-2011 09:20 PM
Hey Robert,
By edge I assume you mean the box connected to the internet.
I would ideally prefer a router as the edge to the internet. This is because an internet connection can be terminated on a PIX only on Ethernet media, while a router provides a wider choice of physical media that can be used (serial, FR, ATM etc.).
Also a router provides wider options for the IGP and BGP that can be run at the edge in case you need to in the future.
Considering the above, a router provides better scale than a PIX.
If you are sure that you are only going to use Ethernet (both inside and outside) and simple routing protocols without a lot of churn, a PIX would do just fine.
Hope this answers your questions.
Regards,
Anand
11-27-2011 09:23 PM
Hi,
In my opinion, the router should be the edge device, then the firewall, I mean the PIX. This should help increase the application layer filtering.
HTH
thanks
vipin
11-27-2011 10:28 PM
Just to add to the above posts
Routers in most cases are recommended to be placed at the edge with a firewall behind them, for many reasons such as:
Routers are much better at QoS and QoS policies.
You can do packet filtering with simple ACLs and NATing on the router and application inspection on the firewall, which will give two layers of security.
Routers can run GRE tunneling and multipoint tunneling if you need it in the future, like DMVPN.
Routers are better at routing than firewalls; if you let the router do the routing and the firewall do the firewalling, your network will reduce the load on the devices.
Also routers can support different WAN links like serial, 3G, etc.
Hope this helps
If helpful rate
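As an added illustration of the layered design this post describes (simple ACL filtering and NAT on the edge router, stateful and application inspection on the PIX behind it), here is a Cisco IOS configuration fragment for the 2621. It is not from the thread or from any of the posters. The interface names, the 192.168.1.0/30 transit subnet between router and PIX, and the PIX outside address 192.168.1.2 are assumptions; the PIX is assumed to keep doing NAT for the internal network, as in the original setup, so the router only ever sees the PIX outside address.

```cisco
! Added example, not from the thread. Assumed layout:
!   Internet - Cable Modem - FastEthernet0/0 [2621] FastEthernet0/1 - PIX outside (192.168.1.2) - Internal
hostname EDGE-2621
!
! Inbound filter on the outside interface. Anti-spoofing denies drop packets
! that claim a private or loopback source, which should never arrive from the internet.
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: private and loopback sources are never valid from the internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark -- ISAKMP (UDP/500) and NAT-T (UDP/4500) are forwarded to the PIX below
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark -- everything else goes to the PIX, which applies stateful/application inspection
 permit ip any any
!
interface FastEthernet0/0
 description Outside - cable modem (assumed DHCP address)
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 description Inside - transit link to PIX outside interface (assumed 192.168.1.0/30)
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
! Only the PIX outside address is translated; internal hosts are already NATed by the PIX.
ip access-list standard NAT-INSIDE
 permit host 192.168.1.2
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! If the VPN stays on the PIX, forward ISAKMP and NAT-T to it. With NAT-T the ESP
! payload travels inside UDP/4500, so no separate ESP translation is needed.
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet0/0 4500
!
ip route 0.0.0.0 0.0.0.0 dhcp
```

The two UDP port forwards only apply if the PIX continues to terminate the VPN; if the tunnels are moved to the router, as the original poster is considering, those two lines are dropped and the ACL permits for UDP/500 and UDP/4500 then serve the router's own IPsec.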
11-28-2011 06:16 AM
OK, thanks for all of the input. I think I am going to put the 2621 at the edge and allow it to terminate my IPSEC tunnels for both site-to-site as well as remote users. Now, I've never done it before, but can the 2621 terminate Cisco VPN Clients or do I need to pass port 500 down to the PIX to handle that one? What I am seeing in my current setup is an extra 20-40 milliseconds of latency added on when I connect via Cisco VPN Client. Now, just going from hotel or whatever to my inside network isn't that bad. But, if I come into the pix and then go right back out a site-to-site vpn tunnel to somewhere else, I see an increase of around 20-40 milliseconds. Now, to me, that is crap. What do you think?
11-29-2011 04:06 AM
You can use the router if you have the relevant licensing for security and the router model can support the number of VPN connections and the amount of encrypted traffic.
By terminating the VPN on the router you will get the benefit of having the VPN traffic inspected by the firewall as well.
HTH
Please rate helpful posts
Sent from Cisco Technical Support iPhone App