We have recently purchased an ASA 5505 and want to connect it to our 871 series router. So far the 871 has been our ADSL router and we would like to keep it.
Our current setup (not working though) is:
871 ----- ASA 5505 ----- 2960 Switch ---- PCs, Servers (DHCP/DNS/SQL/Exchange/Backup).
We don't use a DMZ, so there are only two networks: 192.168.1.x/24 (871 <-> 5505) and 10.0.0.x/24 (5505 <-> inside LAN).
Before the ASA 5505 was plugged in everything worked (users had internet, Exchange was getting its emails).
In order to keep the addressing in the LAN we had to reconfigure the 871 (by running the startup wizard and assigning it a new IP, 192.168.1.1).
The ASA 5505 was configured using the startup wizard too: inside and outside networks, no DMZ, no DHCP on the inside LAN. However, like I said, when it is plugged in there's no internet.
I was googling to see what we are missing, but due to my lack of experience in networking I wasn't able to find anything useful.
Can someone please shed some light or advise where to read on the subject? Books were ordered on Cisco IOS and router hardening, but it will take time for them to arrive and to read through them.
Many thanks for your replies.
The 5505 has better firewall and VPN performance. I don't think the router-based firewalls are certified either, so the government and subcontractors are required to use certified firewalls like the ASA. In reality, when I spec firewalls for customers, I lean towards routers because routers have more features: unlimited users, NetFlow, wireless, etc. Sometimes I have to spec a VPN-AIM card or a larger router, but it usually comes out cheaper than a lower-end firewall with limited features or users. On the other hand, if the customer isn't doing anything special I always suggest an ASA. They are very stable and offer good performance.
A tiered firewall solution can be more secure, but it's used in certain situations. For example, let's say you have a web-based application with an Oracle database on the back end. You would put a firewall on the outermost edge (like you're doing). In that 'inside' network you would put the web server. Since the data lives on another server, you put another firewall between the web server and the Oracle server to protect the database. Does that make sense?
Double bridging can be done, but there is no benefit and it just introduces further complexity and another point of failure. I would use the Linksys as the PPPoE client and the ASA as the only firewall. That way you have the 871 as a spare, since it can act as either the PPPoE client or a firewall in case of a failure of either device.
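For the topology in the original question (871 as PPPoE/NAT device, ASA 5505 as the only firewall, 10.0.0.0/24 behind the ASA), the two pieces the startup wizards typically leave out are a default route on the ASA pointing at the 871 and, on the 871, a return route to 10.0.0.0/24 plus inclusion of that subnet in the router's NAT access list. The fragment below is an added example written for this thread; it is not configuration from the poster or either reply. It assumes ASA 7.x/8.0-8.2 syntax (8.3 and later use a different NAT syntax), that the ASA does no translation of its own (the 871 translates both subnets, avoiding double NAT), and that the Exchange server sits at 10.0.0.10, which is an assumed address used only to illustrate the inbound SMTP path.

```text
! ===== ASA 5505 (assumed 7.x/8.0-8.2 syntax; example, not the poster's config) =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! Let traffic pass without a NAT rule; the 871 translates 10.0.0.0/24 upstream.
no nat-control
!
! Default route toward the 871 (the wizard does not always add this).
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Only inbound SMTP to the (assumed) Exchange address is opened from outside;
! everything else initiated from outside is dropped by the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq smtp
access-group OUTSIDE_IN in interface outside

! ===== Cisco 871 (IOS; example, not the poster's config) =====
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer0
! Return route: without this the 871 has no path back to the inside LAN.
ip route 10.0.0.0 255.255.255.0 192.168.1.2
!
! The NAT access list must cover the subnet behind the ASA, not just 192.168.1.0/24.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! Inbound mail: forward TCP/25 on the public address to the assumed Exchange host.
ip nat inside source static tcp 10.0.0.10 25 interface Dialer0 25
```

To check the path from the ASA side, `show route` should list the 0.0.0.0/0 route via 192.168.1.1, and `packet-tracer input inside tcp 10.0.0.50 1025 203.0.113.1 80` (available from ASA 7.2) shows whether a synthetic outbound flow is routed and allowed; on the 871, `show ip route` must show 10.0.0.0/24 via 192.168.1.2 and `show ip nat translations` should contain 10.0.0.x entries once inside hosts browse. Opening only SMTP on the ASA's outside interface keeps the exposure the same as before the firewall was added, rather than widening it to make the router's port forward work.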