

When I first was learning about firewalls I had a similar question, so I understand the confusion when dealing with placement of a router and an ASA on the same network. As mentioned earlier, placement of the ASA really depends on the network design and what you are trying to achieve. I will do my best to try to explain it with a high-level view; hopefully I do not confuse you any further. Router and ASA placement depends on certain variables. There are different ways to do things, and you can take a look at design guides to get a more in-depth look, but I'm going to give a few examples just to give you a general idea.

If the router is connected to the ISP via a serial link, or is responsible for routing to external networks and is connecting to these networks with BGP and/or MPLS, then the router will connect as the edge device which connects to the "cloud" (internet). In this scenario the router will be responsible for the routing and the ASA will be behind the router: ASA > Router > Internet. The ASA's function would be NAT and acting as a firewall to protect the internal network from outside attacks.

In a single connection to an ISP that just has a default route to the ISP and no other routing requirements, the ASA can be placed at the edge which connects to the "cloud" (internet). In this layout the ASA's function can be VPNs, NAT and acting as a firewall to protect the internal network. In this layout there is no need for a router unless it's used for other internal services besides routing (VoIP, DHCP, etc.).

In a scenario where you are running IGPs (interior gateway protocols, e.g. EIGRP, RIP, OSPF) within your network, which is handled by a layer 3 device (layer 3 switch or router), depending on the network it can be just a layer 3 switch (or switches) that has a static route on that device pointing traffic to the ASA to get to the internet.

Hope this clarifies it a bit.

One question as well: why would the ASA be doing NAT when it still needs to pass through to the router? Surely it would make more sense for the router to do NAT?

As stated earlier, it really depends on the design. When working with a firewall, the security policies can protect the NAT entries, such as static NAT, which maps an internal IP address to the external IP address. The router is not good for use as a firewall; too many holes. If you configure NAT on the edge router and not on the firewall, then that means an outside attacker can attack your router and get access to the internal network. That's why, as per Cisco, it marks an internet edge router as the "untrusted [...]. I know everyone keeps replying with "it depends on the design", but it's true. There isn't one right way to do something; it really depends on the parameters of the network and the available equipment. Sometimes you have to be a bit creative to get a working solution. I know one time, for a teleworker that needed a Cisco IP phone at their house, we set up an 1841 with a site-to-site VPN to HQ that had NAT enabled, NAT exempt rules and ACLs for the tunnel and the personal network. He had a consumer-based router/wifi that was placed behind the 1841, and it served as the firewall and NAT as well for his personal network.

ASA placement also depends upon whether you manage the router or the ISP manages the router. If you manage the router to the demarc with the ISP handoff, then you typically place it after the router with, as mentioned above, the default gateway being the router. If you don't manage the router, you still place it after the router. However, while the above is typical, you can place a firewall on a secondary ISP connection for VPN access (or a firewall-to-firewall tunnel) or for web services like payment servers and such that need security on top of flow control. With that being said, firewalls have limitations, as they don't support advanced routing protocols. Me personally, in my home lab I now have a 1921 with a cable WIC; I let my ISP manage the WIC and I control the router, but I still connect my SonicWall into the 1921 and use the 1921 as the default gateway. But it allows me now to use more advanced routing protocols to my friends that also have home labs when we do WAN connections to our home networks for home-based LAN parties. It all depends, as mentioned above, on network design and needs.
