This might be a nonsensical question but what is the main rationale in placing a router before your main internet firewall? (i.e. terminating internet connection on a router instead of your ASA)
I know with the 'router first' design you have the options of load balancing multiple internet connections (i.e. using BGP, etc.) and hardware redundancy (i.e. HSRP, etc.).
Can't a pair of ASAs do the same? Or, is it that the 'router first' design is a security best practice in the sense that an intruder has to get past the router before he can reach the firewall? What are your thoughts?
Most people use routers because of the termination type. As I'm sure you know, the ASA only has Ethernet ports. The majority of business-class internet connections require serial, ATM, DS-3, etc. Some companies also prefer to filter out all the 'junk' on the internet before it hits the firewall, so it works on what it's supposed to do instead of filtering a bunch of unwanted traffic.
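As an added illustration (not configuration from the original thread or from any poster), here is a Cisco IOS edge-router snippet that does the 'junk' filtering described above before traffic reaches the ASA, and runs HSRP on the inside interface so a second edge router can take over the gateway address the ASA points at. All addresses are RFC 5737 documentation placeholders, and the interface names and ACL name are assumptions.

```cisco
! Assumed: the site's public prefix is 192.0.2.0/24 (placeholder).
! Traffic sourced from our own prefix arriving on the WAN side is spoofed.
ip access-list extended EDGE-IN
 remark -- drop packets claiming to come from our own public block
 deny   ip 192.0.2.0 0.0.0.255 any
 remark -- drop RFC 1918 / loopback / link-local sources (never valid on the internet)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark -- everything else goes on to the ASA, which applies the real policy
 permit ip any any
!
! WAN side: this is where a serial/DS-3 hand-off terminates, which an
! Ethernet-only ASA could not do directly.
interface Serial0/0/0
 description Uplink to ISP (placeholder)
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
!
! LAN side toward the ASA outside interface. HSRP gives the ASA a single
! next-hop (192.0.2.1) that survives the failure of this router.
interface GigabitEthernet0/1
 description Toward ASA outside
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0/0 20
!
! Default route out; the ASA's default route points at 192.0.2.1.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The `track` line lowers HSRP priority if the WAN link drops, so the standby router (with a lower base priority and its own uplink) takes over the virtual address rather than the ASA forwarding into a dead link.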
I would agree with Colin that interfaces have a lot to do with it, but another thing is that routers are made to route and firewalls are made to firewall. Think about the amount of time and effort put into the software of the product. The routing functions of a router are much more thoroughly vetted than the routing functions of the firewall.
Overall there are just a lot of little things the firewall cannot do that may end up causing a large headache in the long run, depending on your specific network needs and potential growth.