I have a Cisco ASA doing NAT.
I have a 2801 with AIM VPN.
Should I place the external interface of the router outside the firewall and the internal interface of the router in a DMZ of the ASA, then run IOS Firewall on the outside? Or place the external interface of the router in a DMZ of the ASA and the internal interface of the router in the internal network, then do a one-to-one NAT to the external interface of the router on the ASA? If I do the second option, will I have headaches with NAT and IPsec tunnels? Specifically, if I want to protect the public NAT'd IP addresses of servers in a DMZ instead of the private ones, so I don't have overlapping LANs...??
As I understood from your suggestion, the encrypted IPsec tunnel will go to DMZ-1 to the router; then, after it gets decrypted, it goes out the router's inside interface, then to ASA DMZ-2, and finally to the ASA inside interface toward the private network!
It is good for security but has a couple of disadvantages: as you mentioned, it will put a higher performance load on the firewall, and it will consume more interfaces and public IP addresses.
As I suggested before, and as is also suggested by several Cisco security courses and design models, it is better to divide your network into security layers.
So when you put the router in front of the firewall, it is considered a perimeter router, and at this stage you can allow only known good traffic (called the security policy model) and also terminate the VPN on it, so the VPN traffic will go unencrypted to the firewall (the same idea as yours). The traffic of the VPN connection will then be passed to the firewall for inspection: for example, application inspection, additional packet filtering on top of the filtering done on the perimeter router, and maybe it will be sent to the AIP-SSM IPS module for signature inspection (called the signature model, which denies known bad traffic).
This will also be part of a security-in-depth deployment.
Thank you, and rate if useful.
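The perimeter-router design described in the reply above, written out as an added IOS configuration example (not from either poster): the router sits in front of the ASA, its Internet-facing ACL permits only the IKE, NAT-T and ESP packets needed to terminate the site-to-site tunnel from the expected peer, and the crypto map decrypts the tunnel so that the clear-text traffic leaves the inside interface toward the ASA for its own access lists and inspection. All addresses, interface names, ACL and map names are constructed placeholders; it assumes IKEv1 with a pre-shared key and an IOS release that supports DH group 14 (older images may have to use a lower group).

```cisco
! Added example, not configuration from the original thread.
! Constructed placeholder addressing:
!   198.51.100.1   = perimeter router outside interface (public)
!   198.51.100.2   = ISP next hop
!   203.0.113.2    = remote IPsec peer (public)
!   172.16.1.2     = router inside interface, facing the ASA outside interface (172.16.1.1)
!   10.0.0.0/24    = local LAN behind the ASA, 192.168.50.0/24 = remote LAN
!
! --- IKEv1 phase 1 (assumes an IOS release that supports DH group 14) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! --- IPsec phase 2 ---
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic: only the two LANs the tunnel is meant to carry
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site tunnel to remote office
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address VPN-TRAFFIC
!
! Perimeter policy: permit only known-good traffic inbound from the Internet.
! Here that is IKE (UDP 500), NAT-T (UDP 4500) and ESP from the expected peer.
! The final deny logs everything else; this is the "security policy model"
! the reply describes for the perimeter router.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
interface FastEthernet0/0
 description Outside - Internet (perimeter)
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 crypto map VPN-MAP
!
interface FastEthernet0/1
 description Inside - toward ASA outside interface; decrypted VPN traffic exits here
 ip address 172.16.1.2 255.255.255.0
!
! Default route out the crypto-mapped outside interface so remote-LAN traffic is
! encrypted; the local LAN is reached through the ASA, which inspects the
! decrypted packets before they reach the private network.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 10.0.0.0 255.255.255.0 172.16.1.1
```

Two points a practitioner would check in this layout. First, because the ASA in the question is doing NAT, it needs a NAT exemption (identity NAT) for traffic between 10.0.0.0/24 and 192.168.50.0/24; otherwise the router sees translated source addresses that never match VPN-TRAFFIC and the tunnel never carries the LAN traffic. Second, the UDP 4500 line is the NAT-T path: it is what the asker's second option (router behind a one-to-one NAT on the ASA) would depend on, since ESP itself has no ports for the ASA translation to track, whereas in the perimeter design shown here the router holds the public address and NAT-T is only needed if the remote peer is the one behind a NAT.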