Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
5
Helpful
4
Replies

Need Suggestion On Best Practice Solution

Go to solution
pauzi123@
Level 1
Level 1

‎02-21-2017 02:50 AM

Hello,

Im currently in midst of optimizing site network that have more than 4100 users (currently). I would like know whether is it better to put:

  1. Firewall in-front of router OR
  2. Router in-front of firewall

My Firewall is ASA 5508-X (FirePower)

My Router is Cisco 2911-HSEC+/K9

Currently the router is handling only NAT-ing. The memory utilization is 79%

I attached current overall drawing for the site.

Labels:
Preview file
494 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leonardo Gama
Level 1
Level 1

‎02-21-2017 10:15 AM

Hi,

Considering your current topology and the fact that your ASA has far more horsepower than 2911, I would remove the 2911 from the topology (less point of failure) and let all routing and NAT with the firewalls, logically if you do not need any fancy feature from ISR routers.

Moreover I would insert a redundant 3850 switch with the second ASA.

Cheers.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
marce1000
VIP
VIP

‎02-21-2017 07:39 AM

  - Your keyword 'in-front of' is undefined because it can be explained in 2 ways; it's better to have the router at the real edge, and only let it  handle routing; you should handle NAT on the firewall to take advantage of using firewalling properties/actions  when doing NAT.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
pauzi123@
Level 1
Level 1
In response to marce1000

‎02-21-2017 07:24 PM

Thank you for the information. What i mean by in front is, is better to put firewall or router first?

My current setup is firewall first having public IP, the router is connected at the firewall.

0 Helpful

Go to solution
marce1000
VIP
VIP
In response to pauzi123@

‎02-21-2017 11:51 PM

  - Check the remarks from Leonardo

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Leonardo Gama
Level 1
Level 1

‎02-21-2017 10:15 AM

Hi,

Considering your current topology and the fact that your ASA has far more horsepower than 2911, I would remove the 2911 from the topology (less point of failure) and let all routing and NAT with the firewalls, logically if you do not need any fancy feature from ISR routers.

Moreover I would insert a redundant 3850 switch with the second ASA.

Cheers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents