After finally getting my ASA5505 up and running (so I hope) I want to know what should be the placement of the firewall. SHould it be infront of the router and behind the internet or should it be behind the Csico 1800 router but infront of the LAN.
This is more complex than I am used to since most of what I have been doing as a CCNA has been with switching and routing but now I want to learn firewalls and to do that I want to set up a configuration on my LAN that will facilitate not only the switch and router but also the ASA5505.
My concern, however, is that since I use an ISP that treats the the FiOS router installed by Verizon as a DHCP client how should the ASA be placed.
You see, the way I envision this is that if the Firewall outside vlan IF connects to the inside IF of the 1800 router what should the outside IF of the ASA be configured as? Should it be static to inside IF of router which is set statically or should it be that the Routers outside Fe IF be set statically to the ASA Vlan inside IF which is static also.
I know this may seem confuing to you as it does me but if you can decipher what i am saying and help me that would be great. The ssoner the better, please.
Re: Need help with 1800 router with an ASA5505 as Firewall
8 years 8 months ago #33235
I believe you can really do it either ways. You can make the router sit at the edge between your network and the ISP with the ASA behind, or you can do vise versa with the router behind.
Which ever plan you choose, one issue to tackle is "who is going to do NAT?". I recommend the edge device to be the NATing one (i.e the device facing the internet).
What plan to choose is dependent on what you really want to do with the ASA and what license/modules you have on it. For example, it's obvious that if your connection to the ISP is via ADSL, then you would probably have to keep the 1800 at the edge simply because the ASA5505 doesn't come with an ADSL port.
Regardless of the plan, adding the ASA is going to add functionality here but NOT necessarily improving performance, remember, that your adding another stop/hop between you and the internet. This obviously adds some latency/slowness. One way around this is to place the ASA only before part of the network (which you want to have say more security features) and let the rest of the network be directly behind the 1800.
The 1800 already has some built in firewall and VPN capability, If you keep the router at the edge, Then, I would try to find out what the 1800 can't do, and place that one action on the ASA for the part of the network that needs it.