Why have a router at internet's edge??

Jun 24th, 2009

Hi All,

This might be a nonsensical question but what is the main rationale in placing a router before your main internet firewall? (i.e. terminating internet connection on a router instead of your ASA)

I know with the 'router first' design you have the options of load balancing multiple internet connections, i.e. using BGP etc., and hardware redundancy, i.e. HSRP etc.

Can't a pair of ASAs do the same? Or is it that the 'router first' design is a security best practice, in the sense that an intruder has to get past the router before he can reach the firewall? What are your thoughts?


Overall Rating: 4 (2 ratings)
Collin Clark Thu, 06/25/2009 - 05:57

Most people use routers because of the termination type. As I'm sure you know, the ASA only has Ethernet ports. The majority of business class internet connections require serial, ATM, DS-3, etc. Some companies also prefer to filter out all the 'junk' on the internet before it hits the firewall, so it works on what it's supposed to do instead of filtering a bunch of unwanted traffic.

plumbis Thu, 06/25/2009 - 19:13

I would agree with Collin that interfaces have a lot to do with it, but another thing is that routers are made to route and firewalls are made to firewall. Think about the amount of time and effort put into the software of the product. The routing functions of a router are much more thoroughly vetted than the routing functions of the firewall.

Overall there are just a lot of little things the firewall cannot do that may end up causing a large headache in the long run, depending on your specific network needs and potential growth.

