Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3266
Views
0
Helpful
2
Replies

Internet link on router or firewall

Go to solution
Manoj Wadhwa
Level 1
Level 1

‎03-02-2014 10:07 AM - edited ‎03-04-2019 10:29 PM

Dear Team,

I need suggestion on best practice of terminating internet link. The ISP provides Ethernet connection and I am evaluating the pros and cons between the following options

1. ISP Internet link ---> Internet Router ----> Firewall (NAT, DMZ, IPSec VPN, Remote Access VPN etc) ---> LAN

2. ISP Internet link ---> Firewall (NAT, DMZ, IPSec VPN, Remote Access VPN etc) ---> LAN

There will only be a default route to the ISP, QoS is not applicable.

In my opinion, using a router may give additonal flexibility and scalability if protocols like LACP, HSRP etc are required. However, if such features are not requried, it would be recommended to use firewall for terminating the internet link, but would like to know your opinion as well.

Your response will be highly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-02-2014 10:23 AM

A lot depends on the addressing ie. you ISP may well provide you with two IP subnets and these are -

1) a /30 for the point to point connection to their router

2) a larger public IP range for your NAT use

if you connect the ASA directly then you use the /30 for the outside interface of your ASA and then use the additional range for whatever you need

if you connect to the router first then you use the /30 for outside interface of your router. Then you either need to -

a) use two of the IPs in the additional range for the ASA to internal router interface so you have already used some IPs

or

b) use a private IP address range between your ASA and the router but this can effect VPN termination on your ASA so it is often simpler to make sure you have a public IP on the outside interface of your ASA.

If the handoff is ethernet, which it is, then you can obviously connect directly to the ASA. Routers however have more functionality. You have already mentioned QOS but another potentially very useful feature is PBR which ASAs do not support.

With one ISP connection PBR is not an issue. But lets say you decided you wanted a second connection for backup or you wanted to use both links. Then PBR on the router is very useful and this type of scenario often comes up on these forums ie. ASA with multiple ISP links and the need for PBR to be able to use both links.

There is no "correct" answer to this. If you are not planning on a second link and you do need any of the features a router could give you then it can be an additional cost you don't need and you can simply connect directly into the ASA.

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-02-2014 10:23 AM

A lot depends on the addressing ie. you ISP may well provide you with two IP subnets and these are -

1) a /30 for the point to point connection to their router

2) a larger public IP range for your NAT use

if you connect the ASA directly then you use the /30 for the outside interface of your ASA and then use the additional range for whatever you need

if you connect to the router first then you use the /30 for outside interface of your router. Then you either need to -

a) use two of the IPs in the additional range for the ASA to internal router interface so you have already used some IPs

or

b) use a private IP address range between your ASA and the router but this can effect VPN termination on your ASA so it is often simpler to make sure you have a public IP on the outside interface of your ASA.

If the handoff is ethernet, which it is, then you can obviously connect directly to the ASA. Routers however have more functionality. You have already mentioned QOS but another potentially very useful feature is PBR which ASAs do not support.

With one ISP connection PBR is not an issue. But lets say you decided you wanted a second connection for backup or you wanted to use both links. Then PBR on the router is very useful and this type of scenario often comes up on these forums ie. ASA with multiple ISP links and the need for PBR to be able to use both links.

There is no "correct" answer to this. If you are not planning on a second link and you do need any of the features a router could give you then it can be an additional cost you don't need and you can simply connect directly into the ASA.

Jon

0 Helpful

Go to solution
Manoj Wadhwa
Level 1
Level 1
In response to Jon Marshall

‎03-02-2014 10:44 PM

Thanks Jon for your answer. That helps. Appreciate it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card