Best practices question

jason.cortes
Level 1

Hey all,

I'm kinda new to this so here goes.

Is there a best practice for whether you should put your router inside or outside your F/W?

1 Accepted Solution

Easily, actually. You can configure your firewall as a layer 2 device, so it doesn't even touch the IP information in the packet.

All in all, honestly, as someone said above, it depends. The perfect solution is router -> firewall -> (DMZ)/router -> firewall -> corporate LAN

Your outside router can do basic natting for your DMZ servers and stuff, as well as some rough access control with access lists. The firewall behind the router can act either as a layer 2 or 3 device (I think), then your internal router actually does your PAT'ing for the corporate LAN and the firewall behind that has some really buttoned up access-lists (at least in my understanding).

9 Replies

Thanks, so just to make sure I'm reading this diagram correctly, it's ISP-->Router-->FW-->LAN

Correct?

pciaccio
Level 4

It would be a good practice to filter your traffic with a firewall first and then route your traffic internal to your network. Of course it all depends upon your requirements. You may want to route your traffic first if you are acting as an ISP. But the majority use the firewall first then route. You may have multiple firewalls within your network to segment for DMZs. Hope this helps. Please rate...

Forgive me, I'm sort of new at this.

If I put the router inside the FW and a user inside the network wants to get out to the internet, how would the FW know where to send them?

Firewalls have very limited routing tables. They mainly route from static routes listed on the firewall. However, some high end firewalls (Cisco PIX and ASA) can use RIP to route traffic as well as static routes.

Ok, that's what I thought. So if I need to be able to route user internet traffic as well (WWW.YZ.COM), I will need to put the router outside.

Thanks that answered my question.

Jason

If the router is inside the firewall then as mentioned you need either static routes or for it to participate in a routing protocol. Here's an example:

client(192.168.1.10) -> (192.168.1.1) router (192.168.2.1) -> (192.168.2.2) pix (217.20.10.1)

The client has a default gateway of the router (192.168.1.1). The router has a default route pointing to the pix inside interface 192.168.2.2.

The pix has a default route pointing to the upstream router, i.e. the one provided by your ISP very probably.

The pix also has a static route on it:

route inside 192.168.1.0 255.255.255.0 192.168.2.1

This tells it how to send return traffic to the client.

HTH

Jon
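The forwarding logic in Jon's example, as an added illustration that is not part of the original thread: a small longest-prefix-match simulation in Python showing why the pix needs the static route for 192.168.1.0/24 to get return traffic back to the client. The hop names ("client", "router", "pix", "upstream") and the 203.0.113.5 destination are constructed; NAT is left out since the point here is only the routing lookup.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology using the addresses from Jon's post:
# client(192.168.1.10) -> (192.168.1.1) router (192.168.2.1) -> (192.168.2.2) pix (217.20.10.1)
# "upstream" stands in for the ISP router beyond the pix.
Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop name or "DIRECT")


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix wins, so a /24 beats the 0.0.0.0/0 default."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nexthop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def build_tables(pix_static_route: bool) -> Dict[str, List[Route]]:
    """Routing tables for each hop; the pix's static route is optional so both cases can be compared."""
    net = ipaddress.ip_network
    tables: Dict[str, List[Route]] = {
        "client": [(net("192.168.1.0/24"), "DIRECT"), (net("0.0.0.0/0"), "router")],
        "router": [(net("192.168.1.0/24"), "DIRECT"), (net("192.168.2.0/24"), "DIRECT"),
                   (net("0.0.0.0/0"), "pix")],  # default route points at the pix inside interface
        "pix": [(net("192.168.2.0/24"), "DIRECT"), (net("217.20.10.0/24"), "DIRECT"),
                (net("0.0.0.0/0"), "upstream")],  # default route points at the ISP router
    }
    if pix_static_route:
        # route inside 192.168.1.0 255.255.255.0 192.168.2.1
        tables["pix"].append((net("192.168.1.0/24"), "router"))
    return tables


def trace(start: str, dst: str, tables: Dict[str, List[Route]], max_hops: int = 8) -> List[str]:
    """Follow a packet for dst hop by hop from start; ends with 'delivered', 'DROP', or the hop it left on."""
    path, hop = [start], start
    while len(path) <= max_hops:
        nh = lookup(tables[hop], dst)
        if nh is None:
            path.append("DROP")
            return path
        if nh == "DIRECT":
            path.append("delivered")
            return path
        path.append(nh)
        if nh not in tables:  # e.g. "upstream": the packet has left the simulated network
            return path
        hop = nh
    return path
```

Without the static route, return traffic for 192.168.1.10 arriving at the pix matches only the default route and is sent back out to the upstream router; with it, the pix hands the packet to the internal router, which delivers it.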
