Cisco Support Community


Network diag

I have an existing setup as follows:

Internal LAN----Cisco 2611XM--------ISP

NAT overload has been done successfully on the cisco router.

Now, we wish to put a firewall in the existing setup which leaves us with two options as follows:

1>Internal LAN----Firewall-----Router----ISP

2>Internal LAN----Router-------Firewall----ISP

I want to know which one is more appropriate. The firewall (Gajshield) is an antivirus server as well and permits me to NAT also. Any suggestions? I have attached a diagram with this post; please check it for reference.
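To make the two options concrete, here is an added example of what the 2611XM configuration looks like for option 1 (Internal LAN -- firewall -- router -- ISP), with NAT overload (PAT) kept on the router as in the existing setup. This is not the poster's configuration: the interface names, the transit subnet between firewall and router, the LAN prefix and the ISP addresses are all assumptions chosen for illustration.

```cisco
! Added example, not the original poster's config. Hypothetical 2611XM for option 1:
!   Internal LAN (192.168.1.0/24) -- Gajshield -- Fa0/0 [2611XM] Fa0/1 -- ISP
! All addresses, interface names and the ISP next hop are assumptions.
!
! Inside interface: transit link to the firewall's outside interface (192.168.100.2)
interface FastEthernet0/0
 description Transit link to Gajshield firewall (LAN side of router)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Outside interface: link to the ISP (assumed /30, ISP gateway 203.0.113.1)
interface FastEthernet0/1
 description Link to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Default route to the ISP; return route to the internal LAN points at the firewall,
! since the router no longer has the LAN directly connected in this topology
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
! NAT overload: translate the LAN and the transit subnet to the ISP interface address.
! If the firewall already NATs the LAN to 192.168.100.2, only the transit subnet is seen here.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 192.168.100.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
```

After applying it, `show ip nat translations` and `show ip nat statistics` on the router confirm that LAN traffic arriving via the firewall is being translated to the Fa0/1 address. For option 2 (firewall between router and ISP), the `ip nat inside`/`ip nat outside` roles and the default route would move onto the firewall, and the router would be left as a plain LAN gateway with a default route towards the firewall, which is the reconfiguration the replies below refer to.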

4 REPLIES

Re: Network diag

Hi Farhan,

I think the first option will be best: if any traffic comes from the ISP to your company, let it get routed first and then filtered on the firewall.

Also, I am not sure if your firewall has interfaces to connect to the ISP directly, or if it supports full routing and load balancing as routers do to send traffic out towards the ISP, in case you plan for more ISP connections in future.

The first setup will be more flexible.

HTH

Ankur


Re: Network diag

Thanks Ankur,

Yes the firewall does have two network interfaces-one for the ISP and the other for LAN.

If the firewall supports full routing and load balancing between multiple ISP links, wouldn't it be appropriate to keep the router firewalled as well?

Re: Network diag

Hi Farhan,

Yes, of course, if your firewall supports full routing you may opt for the second option, but it will not be very flexible: if in future you provision one more ISP for any reason, you cannot use the second option, and you would have to reconfigure your whole router and firewall.

Also, with the router connected directly to the ISP as in the first option, if you ever change services with the ISP your router may support different modules for different services, but your firewall may not.

HTH

Ankur


Re: Network diag

Hi Farhan,

I would go with option 1. My reasoning for that is:

- if you get a second ISP link, you can use the router to provide effective load-balancing

- if you choose to run BGP with your ISP at some point, the router is better equipped to handle this

On the flip side, having a firewall at the front means that you can filter out all *bad* traffic even before it gets to your router.

There are pros and cons either way you go, though.

Hope that helps - please rate the post if it does.

Paresh
