07-07-2020 07:40 PM
What is the most common implementation you have seen in production for firewall (Firepower, ASA) placement, as far as the last gateway to the internet goes?
Are they usually put behind an ASR (router), or do we put the ASR behind the firewall? Which leads me to the next question: do you usually see the router doing the NAT, or the firewall?
What if we need to have EVPNs and DMVPN? Firewalls can't do that..., so the firewall can't be placed in front of the network then?!
I guess one way to resolve this issue is to do an IP-to-IP NAT for the DMVPN tunnel's underlay IP address from the firewall to the inside interface where the ASR is located?!
Thanks a lot
07-08-2020 12:59 AM
If you have both firewalls and routers, then the firewall is usually behind the router and the NAT generally would be done on the firewalls.
If you add DMVPN into it, then the above setup would need modification, i.e. you may need extra routers on a DMZ, you may put a firewall on your router, etc.
It all depends on the rest of the design and, the most important thing to most companies, budget.
Jon
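As an added illustration of the placement Jon describes (a constructed ASA 8.3+ example, not Jon's or Cisco's configuration; interface names, security levels and RFC 5737 documentation addresses are assumptions), the edge router on the outside simply routes the public block to the ASA and does no NAT, the ASA does all NAT, and a DMVPN hub router in the DMZ gets a one-to-one static NAT plus an ACL that admits only IPsec toward it:

```cisco
! Constructed addressing (RFC 5737 ranges), not taken from the thread:
!   outside 203.0.113.0/28  ASA outside; edge ASR at 203.0.113.14 routes the block here, no NAT
!   inside  10.0.0.0/16     user LAN
!   dmz     172.16.10.0/24  DMVPN hub router at 172.16.10.5, security-level 50
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.14

! 1) User LAN: dynamic PAT to the ASA outside address (the "NAT on the firewall" case;
!    the router upstream sees only 203.0.113.1 and never translates again)
object network INSIDE_NET
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! 2) DMVPN hub in the DMZ: IP-to-IP static NAT of its underlay address to a public IP
object network DMVPN_HUB_PUBLIC
 host 203.0.113.10
object network DMVPN_HUB
 host 172.16.10.5
 nat (dmz,outside) static DMVPN_HUB_PUBLIC

! Only IKE (UDP/500), NAT-T (UDP/4500) and ESP are allowed in to the hub;
! NHRP and GRE travel inside the IPsec tunnel, so nothing else needs opening.
! On ASA 8.3+ the ACL matches the real (pre-NAT) address, hence object DMVPN_HUB.
object-group service DMVPN_IPSEC
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object esp
access-list OUTSIDE_IN extended permit object-group DMVPN_IPSEC any object DMVPN_HUB
access-group OUTSIDE_IN in interface outside
```

Because the hub sits behind a static NAT, the spokes must use the mapped address 203.0.113.10 as the NHS/NBMA address and IPsec must negotiate NAT-T, while the hub keeps 172.16.10.5 as its tunnel source.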
07-09-2020 03:55 PM - edited 07-09-2020 04:07 PM
Hello,
Could you elaborate a bit more on my questions? I don't need configs, obviously; I really need to figure out this firewall placement and the method. Thank you so much (and we don't have a budget limit in this instance).
1) How can the NAT be done by the firewall that is behind the router?! So we would need to NAT it again on the router exit as well (two-times NAT)?
2)
A. Correct me if I am wrong, I thought you just said we put the firewall behind the router; then why should we put a DMVPN router inside the DMZ, which is behind a firewall (security level 50)?
B. You're referring to an ASA module on the ASR?
That shouldn't be able to replace a single (or multi) chassis Firepower (or FTD), I believe?!