06-24-2009 04:44 PM - edited 03-11-2019 08:47 AM
Hi All,
This might be a nonsensical question but what is the main rationale in placing a router before your main internet firewall? (i.e. terminating internet connection on a router instead of your ASA)
I know with the 'router first' design you have the options of load balancing multiple internet connections, i.e. using BGP etc., and hardware redundancy, i.e. HSRP etc.
Can't a pair of ASAs do the same? Or, is it that the 'router first' design is a security best practice in the sense that an intruder has to get past the router before he can reach the firewall? What are your thoughts?
Donavan
06-25-2009 05:57 AM
Most people use routers because of the termination type. As I'm sure you know, the ASA only has Ethernet ports. The majority of business class internet connections require serial, ATM, DS-3, etc. Some companies also prefer to filter out all the 'junk' on the internet before it hits the firewall, so it can work on what it's supposed to do instead of filtering a bunch of unwanted traffic.
06-25-2009 07:13 PM
I would agree with Colin that interfaces have a lot to do with it, but another thing is that routers are made to route and firewalls are made to firewall. Think about the amount of time and effort put into the software of the product. The routing functions of a router are much more thoroughly vetted than the routing functions of the firewall.
Overall there are just a lot of little things the firewall cannot do that may end up causing a large headache in the long run depending on your specific network needs and potential growth.