New Member

Best practices question

Hey all,

I'm kinda new to this, so here goes.

Is there a best practice for whether you should put your router inside or outside your F/W?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Best practices question

Easily, actually. You can configure your firewall as a layer 2 device, so it doesn't even touch the IP information in the packet.

All in all, honestly, as someone said above, it depends. The perfect solution is router -> firewall -> (DMZ)/router -> firewall -> corporate LAN.

Your outside router can do basic NATting for your DMZ servers and stuff, as well as some rough access control with access lists. The firewall behind the router can act either as a layer 2 or layer 3 device (I think); then your internal router actually does your PATing for the corporate LAN, and the firewall behind that has some really buttoned-up access lists (at least in my understanding).

9 REPLIES
New Member

Re: Best practices question

Thanks, so just to make sure I'm reading this diagram correctly, it's ISP-->Router-->FW-->LAN.

Correct?

Silver

Re: Best practices question

It would be a good practice to filter your traffic with a firewall first and then route your traffic internal to your network. Of course, it all depends upon your requirements. You may want to route your traffic first if you are acting as an ISP, but the majority use the firewall first, then route. You may have multiple firewalls within your network to segment for DMZs. Hope this helps. Please rate...

New Member

Re: Best practices question

Forgive me, I'm sort of new at this.

If I put the router inside the FW and a user inside the network wants to get out to the internet, how would the FW know where to send them?

Silver

Re: Best practices question

Firewalls have very limited routing tables. They mainly route from static routes listed on the firewall. However, some high-end firewalls (Cisco PIX and ASA) can use RIP to route traffic as well as static routes.

New Member

Re: Best practices question

OK, that's what I thought. So if I need to be able to route user internet traffic as well (WWW.YZ.COM), I will need to put the router outside.


New Member

Re: Best practices question

Thanks that answered my question.

Hall of Fame Super Blue

Re: Best practices question

Jason

If the router is inside the firewall then, as mentioned, you need either static routes or for it to participate in a routing protocol. Here's an example:

client(192.168.1.10) -> (192.168.1.1) router (192.168.2.1) -> (192.168.2.2) pix (217.20.10.1)

The client has a default gateway of the router (192.168.1.1). The router has a default route pointing to the PIX inside interface, 192.168.2.2.

The PIX has a default route pointing to the upstream router, i.e. the one provided by your ISP, very probably.

The PIX also has a static route on it:

route inside 192.168.1.0 255.255.255.0 192.168.2.1

This tells it how to send return traffic to the client.

HTH

Jon
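The routing described in Jon's post, as an added example that is not part of the original thread: a small Python model of the client, router, PIX and ISP routing tables using the addresses from his post, which traces an outbound packet and then the return packet both with and without the `route inside 192.168.1.0 255.255.255.0 192.168.2.1` static route. The ISP next hop (217.20.10.254), the public destination address and the `build`/`lookup`/`trace` helpers are assumptions made for this model, not anything from the post or from PIX software.

```python
import ipaddress

# Constructed lab: addresses are the ones posted in the thread. The ISP's
# upstream router address is an assumption; the post does not give it.
ISP_GW = "217.20.10.254"

# Which device answers to each next-hop address in the lab.
OWNERS = {
    "192.168.1.1": "router",   # router LAN-side interface (client's gateway)
    "192.168.2.1": "router",   # router interface facing the PIX
    "192.168.2.2": "pix",      # PIX inside interface
    ISP_GW: "isp",
}


def build(pix_has_inside_route=True):
    """Routing tables as lists of (prefix, next_hop).

    next_hop 'connected' means the destination subnet is directly attached,
    so the packet is delivered; 'internet' is the ISP handing it upstream.
    """
    pix = [
        ("192.168.2.0/30", "connected"),   # inside interface subnet
        ("217.20.10.0/24", "connected"),   # outside interface subnet
        ("0.0.0.0/0", ISP_GW),             # default route to the ISP router
    ]
    if pix_has_inside_route:
        # route inside 192.168.1.0 255.255.255.0 192.168.2.1
        pix.append(("192.168.1.0/24", "192.168.2.1"))
    return {
        "client": [("192.168.1.0/24", "connected"),
                   ("0.0.0.0/0", "192.168.1.1")],      # default gateway = router
        "router": [("192.168.1.0/24", "connected"),
                   ("192.168.2.0/30", "connected"),
                   ("0.0.0.0/0", "192.168.2.2")],      # default route = PIX inside
        "pix": pix,
        "isp": [("0.0.0.0/0", "internet")],
    }


def lookup(table, dst):
    """Longest-prefix match of dst against a table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), nh) for prefix, nh in table
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`.

    Returns (devices visited, outcome) where outcome is 'delivered',
    'internet', 'dropped' or 'loop'.
    """
    path, here = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[here], dst)
        if nh is None:
            return path, "dropped"
        if nh == "connected":
            return path, "delivered"
        if nh == "internet":
            return path, "internet"
        here = OWNERS[nh]
        path.append(here)
    return path, "loop"


if __name__ == "__main__":
    # Outbound: client -> router -> PIX -> ISP, works with default routes only.
    print(trace(build(), "client", "93.184.216.34"))
    # Return traffic arriving at the PIX for the client, with the static route.
    print(trace(build(True), "pix", "192.168.1.10"))
    # Without it the PIX only has its default route and sends the reply
    # back out toward the ISP, so the client never sees it.
    print(trace(build(False), "pix", "192.168.1.10"))
```

The model ignores NAT: in the real setup the PIX translates the client's source address, which is why the ISP needs no route to 192.168.1.0/24 but the PIX itself still needs one to get the untranslated reply back to the router.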
