[TriLUG] OT: Router then Firewall

Ryan Leathers ryan.leathers at globalknowledge.com
Mon May 15 17:16:00 EDT 2006


Steve,

You could keep your ASA and use it for all the stuff it does well.  Put
your 2500 or a 2600 or something right in front of it and set up your
route maps as before.

The ASA is a great security device.  If you have a crusty old Cisco
router (or anything else for that matter) that can handle your route map
needs then keep it in place to do that job.  Be sure to turn on CEF if
it's available to you.

Ryan

On Mon, 2006-05-15 at 16:19 -0400, Steve Hoffman wrote:
> Can anyone suggest a decent router, that can also be used as a firewall with
> NAT?  I was able to set a cisco 2500 series router to route between two
> incoming connections by using route-maps.  I've recently purchased a Cisco
> ASA 5510 to add a little more protection and was assured at the time of
> purchase it could do what I needed..well, now I see that it can not.  If I
> have to purchase a second one I will, but I'd rather have a good router that
> can route between more than one inbound provider and restrict access to our
> public interfaces.
> 
> Here's what I want...
> 
> All addresses are private IP's on the internal network (10.0.0.0/24)
> 
> A total of two incoming internet connections with three separate IP ranges
> (2 /29's and 1 /28)
> 
> I'd prefer that all traffic go out via one default ip address UNLESS a NAT
> rule is setup to translate to one of the 24 available IP addresses, at which
> point the packet should go to the default gateway for that network....
> 
> I can't imagine I'm the first person to want this, but I guess I'm the first
> to want to do it with an ASA?  On the surface the ASA can do everything
> EXCEPT specify the next hop for an external internet connection.  It only
> allows for one default route and doesn't allow for a "set default next-hop
> xxx.xxx.xxx.xxx" as a router does...which shoots my whole plan to shit.
> I've considered using RIP or OSPF, but unfortunately one of our internet
> connections is a RR business class (hey..it's got great download speed)
> connection that I can't alter the routing info so that's out.
> 
> As always, your words of wisdom are welcome.
> 
> Thanks,
> Steve
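Ryan's suggestion (a router in front of the ASA doing the route-map work, with CEF on), written out as an added example IOS configuration that is not from the thread. The addressing is constructed from RFC 5737 documentation ranges, and the split of the three public blocks between the two providers, the interface names and the router/ASA link are all assumptions.

```cisco
! Added example, not part of the original thread. Assumed layout:
!   ISP A - gateway 203.0.113.1, delegated 203.0.113.8/29 and 203.0.113.16/28
!   ISP B - gateway 198.51.100.1, delegated 198.51.100.8/29
!   ASA outside interface at 192.0.2.2, router side at 192.0.2.1
! The ASA keeps doing NAT and inspection, so the router only ever sees
! packets that already carry a public source address.
!
ip cef
!
interface FastEthernet0/0
 description Uplink to ISP A
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/1
 description Uplink to ISP B
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet1/0
 description Toward ASA outside interface
 ip address 192.0.2.1 255.255.255.252
 ! policy routing applies to packets arriving from the ASA
 ip policy route-map PBR-FROM-ASA
!
! Packets the ASA translated into ISP B's /29 must leave via ISP B; most
! providers drop traffic sourced from another provider's block, so sending
! them out the default path would silently blackhole those translations.
ip access-list extended SRC-ISP-B
 permit ip 198.51.100.8 0.0.0.7 any
!
route-map PBR-FROM-ASA permit 10
 match ip address SRC-ISP-B
 set ip next-hop 198.51.100.1
!
! Anything the route-map does not match falls through to normal routing,
! i.e. the single default route toward ISP A (the "default ip address" case).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inbound traffic for the public blocks is handed to the ASA
ip route 203.0.113.8 255.255.255.248 192.0.2.2
ip route 203.0.113.16 255.255.255.240 192.0.2.2
ip route 198.51.100.8 255.255.255.248 192.0.2.2
```

Because replies to connections arriving over ISP B are sourced from the /29 and therefore policy-routed back out ISP B, return paths stay symmetric; `show route-map PBR-FROM-ASA` shows the match counters to confirm the policy is actually being hit.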
