networker050184 wrote: » Best place depends on what the goals of the network are.
sucanushie wrote: » Generally your ASA is going to secure your edge. At least at the CCNA level. So you might see your outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch. The ASA will have a default route with the next hop of your router's IP, as well as NAT, and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA. I hope that makes sense.
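The layout sucanushie describes, as an added example that is not from any post in this thread: an ASA with its outside interface on a point-to-point segment to the router, its inside interface on the LAN switch, a default route to the router, and dynamic PAT so every inside host leaves with the ASA's outside address. The interface names and the addresses (203.0.113.0/30 toward the router, 192.168.1.0/24 inside) are assumptions; the syntax is the ASA 8.3+ object NAT form.

```text
! Added example, not from the thread. Interface names and addressing are assumed.
! outside: 203.0.113.2/30, router is 203.0.113.1
! inside:  192.168.1.1/24, LAN hosts use this address as their default gateway
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route: anything not on the inside network goes to the router's IP
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Dynamic PAT: inside hosts are translated to the outside interface address.
! Higher security-level (inside, 100) to lower (outside, 0) is permitted without
! an ACL; return traffic is allowed by the stateful connection and xlate tables.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Optional on-box DHCP so LAN hosts receive 192.168.1.1 as their gateway
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
```

Nothing from 192.168.1.0/24 ever appears as a source address on the outside segment: the router only sees 203.0.113.2, which is on a subnet directly connected to it, so no route for the private network is needed on the router.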
Robbo777 wrote: » One question as well: why would the ASA be doing NAT when it still needs to pass through to the router? Surely it would make more sense for the router to do NAT? Thanks
Deathmage wrote: » Me personally, in my home-lab I now have a 1921 with a Cable WIC, and I let my ISP manage the WIC and I control the router, but I still connect my SonicWall into the 1921 and use the 1921 as the default gateway. It allows me now to use more advanced routing protocols with my friends that also have home-labs when we do WAN connections to our home networks for home-based LAN parties.
dmarcisco wrote: » @Robbo When I first was learning about firewalls I had a similar question, so I understand the confusion when dealing with placement of a router and ASA on the same network. I will do my best to try to explain it with a high-level view; hopefully I do not confuse you any further.

As mentioned earlier, placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things and you can take a look at design guides to get a more in-depth look, but I'm going to give a few examples just to give you a general idea.

If the router is responsible for routing to external networks and it's connecting to these networks with BGP and/or MPLS, then the router will connect as the edge device which connects to the "cloud (internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router: ASA>Router>Internet. The ASA's function would be NAT and acting as a firewall to protect the internal network from outside attacks.

In a single connection to an ISP that just has a default route to the ISP and no other routing requirements, the ASA can be placed at the edge which connects to the "cloud (internet)". In this layout the ASA's function can be VPNs, NAT and acting as a firewall to protect the internal network. In this layout there is no need for a router unless it's used for other services for internal use besides routing (VoIP, DHCP, etc.): LAN>ASA>Internet.

In a scenario where you are running IGPs (interior gateway protocols, e.g. EIGRP, RIP, OSPF) within your network, this is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch (or switches) that has a static route pointing traffic to the ASA to get to the internet (LAN>ASA>ISP).

Hope this clarifies it a bit.
volfkhat wrote: » Now there's a practical application :] So which device is allowing the "WAN party" capabilities? Is it the 1941 router, or is it the SonicWall? For instance, if I wanted to have a WAN party with you, which would I need first?
Hondabuff wrote: » Once you try a Palo Alto firewall, you will never attempt to manage a network with an ASA ever again.
JoJoCal19 wrote: » Please, expound upon that. I have no experience with Palo Alto FWs.
Robbo777 wrote: » Okay, I'm going to go with putting the router first because of its routing capabilities. What are the main functions I can use the ASA for then?

- NAT
- Policy maps
- Inside and outside zones

I know there are more features, but with me not knowing them, are there any more I should be implementing on the ASA that are paramount?

I have one more question about NAT as well: if I'm NATting the private addresses at the ASA, then how is the router going to know where to send the reply traffic to? I just can't quite wrap my head around WHY we need to NAT with the ASA (why not just NAT with the router?) and how the router then understands what to do with it and then where to send the reply traffic. Thanks again
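The router's side of the Router>ASA layout Robbo777 is asking about, as an added example that is not from any post in this thread. It assumes the ASA's outside interface is 203.0.113.2 on a /30 shared with the router (203.0.113.1), that the router's ISP uplink is 198.51.100.2/30 with next hop 198.51.100.1, and that the ISP routes 203.0.113.0/30 toward the router; the packet walk in the comments is constructed to show why the router never has to know about the private addresses.

```text
! Added example, not from the thread. Addressing and interface names are assumed.
interface GigabitEthernet0/0
 description ISP uplink (198.51.100.0/30, ISP next hop 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to ASA outside interface (203.0.113.2)
 ip address 203.0.113.1 255.255.255.252
!
! The only route the router needs: everything unknown goes to the ISP.
! 203.0.113.0/30 is directly connected, so it is already in the routing table.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Constructed packet walk for one DNS query from an inside host:
!  1. 192.168.1.10:51000 -> 8.8.8.8:53 arrives on the ASA inside interface
!  2. ASA creates an xlate and sends 203.0.113.2:10234 -> 8.8.8.8:53 to 203.0.113.1
!  3. Router sees only 203.0.113.2 as the source; default route forwards it to the ISP
!  4. Reply 8.8.8.8:53 -> 203.0.113.2:10234 returns from the ISP on Gi0/0
!  5. Router: 203.0.113.0/30 is connected on Gi0/1, so it ARPs for 203.0.113.2
!     and hands the packet to the ASA; no route for 192.168.1.0/24 is involved
!  6. ASA matches the xlate and rewrites the destination back to 192.168.1.10:51000
!
! Only needed if the ASA NATs to a public pool that is NOT on the shared /30
! (assumed pool 203.0.113.64/28): the router must know the pool lives behind the ASA.
ip route 203.0.113.64 255.255.255.240 203.0.113.2
```

Two caveats a practitioner would check before copying this: the segment between router and ASA has to be publicly routable (the ISP must route 203.0.113.0/30 to your router); if the ISP gives you a single address on the router's WAN interface instead, the router ends up NATting as well, which is the double-NAT situation that makes inbound VPN and port forwards painful, and the usual fix is to put the ASA's outside interface directly on the ISP-facing segment. Second, when the ASA translates to addresses other than its outside interface, either those addresses are on the shared subnet (the ASA answers ARP for them) or the router needs the static route shown at the end.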
Hondabuff wrote: » If you ever tried to set up an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a die-hard Cisco guy and the IOS of the ASAs just drives me nuts, between the commands that are like IOS but just different enough that they don't work, and I'm constantly checking white papers for the proper command. The Java-based ASDM is slow and cumbersome. The Palo Alto's menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do on the first attempt. Palo Altos are made to be managed strictly by the GUI and to be user-friendly. The ASA seemed to be geared to a network specialist whose job role is to only manage the ASA.

We use a pair of PA7000s and PA2000s in all the branch offices. We swapped 3000+ users from using AnyConnect to now using GlobalProtect, which just automatically connects when you open your laptop. Before, we always had to do split tunneling due to the ASAs not handling the traffic. With the PA, we just bring all the traffic back through the VPN with no impact on performance. The ASA has a 50-page guide for setting up HA, whereas Palo Alto can do the same in under 9 pages. This sums up the management for an ASA vs. a PA. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1 hr.
Dieg0M wrote: » Most ASAs do not even support BGP or IGPs, or do but have a hard time handling full internet routing tables.