1841 with an ASA 5520

Answered Question

Do I need a router like the 1841 on the perimeter with an ASA 5520, to support any perimeter WAN services not supported by the ASA 5520? I have 100 SSL VPN licenses and a 2 MB fiber optics link requiring only IP connectivity. I have external fiber-to-copper media converters.

Overall Rating: 5 (1 ratings)
Jon Marshall Mon, 02/08/2010 - 00:45
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN


Depends really. If you have WAN connections coming in from remote sites and the ASA is being used for access to internet then it would make sense to look into having a router for that. Routers are a lot more flexible than ASAs in terms of QOS, PBR etc. so you may find that for your WAN connections you need that additional flexibility.


If you only have an internet connection and you can present this as copper to the ASA then you really don't benefit much from adding a router into that topology.


Jon

Thanks for the early response, Jon. This is the confusion, because ASA firewalls do support OSPF, RIP and QOS like LLQ and policing; the only reason I could find for a router could be: let the firewall do what it is made for and leave the QOS, NAT and routing for the router. I could not find anything regarding the rightsizing of ASA if we enable advanced services like NAT, OSPF and QOS. Does that hurt firewall capacity?

Correct Answer
Jon Marshall Mon, 02/08/2010 - 01:24

It can get a bit confusing these days as there is a lot of overlap in functionality in different devices.


ASAs do support EIGRP/RIP/OSPF and certain QOS features but not necessarily the whole QOS feature set. But if you have a quick search on this site for ASA + PBR or ASA + load-balancing you'll see that there are basic router features that are just not available on the ASA. And PBR for example can be very useful in some cases.


It really comes down to: does the ASA provide all of the functionality you require? And do you want to firewall your WAN? It's not clear what your topology is, but if you have internet access and a separate WAN then often WANs are not firewalled.


As for sizing, the key thing with ASAs is number of licensed users and actual throughput of the firewall. NAT will not be an issue as virtually all firewall implementations are expected to perform NAT/PAT. Turning on routing does add an overhead but again not as important as key factors of throughput. The main factor is the speed of your internet connection; that is usually the limiting factor and not the actual firewall.


Apart from the WAN vs internet question if you don't see the need for a router then you probably don't need one at the moment. But that is why it's critical to have a full set of requirements before you purchase any hardware.


Jon
