
Why have a router at internet's edge??

Hi All,

This might be a nonsensical question but what is the main rationale in placing a router before your main internet firewall? (i.e. terminating internet connection on a router instead of your ASA)

I know with the 'router first' design you have the options of load balancing multiple internet connections (i.e. using BGP etc.) and hardware redundancy (i.e. HSRP etc.).

Can't a pair of ASAs do the same? Or, is it that the 'router first' design is a security best practice in the sense that an intruder has to get past the router before he can reach the firewall? What are your thoughts?



Re: Why have a router at internet's edge??

Most people use routers because of the termination type. As I'm sure you know, the ASA only has Ethernet ports. The majority of business class internet connections require serial, ATM, DS-3, etc. Some companies also prefer to filter out all the 'junk' on the internet before it hits the firewall, so it can work on what it's supposed to do instead of filtering a bunch of unwanted traffic.
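As an added illustration of the "filter the junk before it hits the firewall" point (example configuration, not from the original thread or Cisco documentation): an ingress ACL on the edge router's Internet-facing interface that discards packets whose source address is private, reserved, or the site's own public block, so only plausible traffic reaches the ASA for stateful inspection. The interface name, the uplink address 198.51.100.2/30 and the "own public block" 203.0.113.0/24 are assumed placeholder values.

```cisco
! Assumed edge router config; addresses are documentation ranges used as placeholders
ip access-list extended EDGE-INGRESS
 remark Drop packets that claim a private, loopback, link-local or multicast source (spoofed)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark Drop packets that claim to come from our own public block (assumed 203.0.113.0/24)
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Hand everything else to the firewall, which does the stateful inspection
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface and address)
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-INGRESS in
!
```

Use `show ip access-lists EDGE-INGRESS` to see per-entry hit counts; on a busy uplink drop the `log` keyword from the deny lines, since logged entries are handled in the slow path.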


Re: Why have a router at internet's edge??

I would agree with Colin that interfaces have a lot to do with it, but another thing is that routers are made to route and firewalls are made to firewall. Think about the amount of time and effort put into the software of the product. The routing functions of a router are much more thoroughly vetted than the routing functions of the firewall.

Overall there are just a lot of little things the firewall cannot do that may end up causing a large headache in the long run, depending on your specific network needs and potential growth.