• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 753
  • Last Modified:

Adtran TA612 / SonicWall TZ190 / Cisco Router connection advice

Current network layout is:

DSL Modem -> SonicWall -> Cisco 2950 -> LAN

The DSL modem is in bridge mode and the SonicWall is pulling the current static IP and handling NAT.

We just had out new T1 installed today with an Adtran TA612 handling voice and data. The ISP has given us a class A block with a /29 mask.

I'm wanting to add a Cisco 2621XM in the mix for a couple of reasons. I'd like to move NAT to the Cisco and also I need to throttle the bandwidth so my streaming audio users don't hog it all.

Should I put the Cisco behind or in front of the firewall? Do I assign an address out of my block to each device or use private addresses?

I keep getting my self confused with this many devices connected inline.

Sam
0
Indy197902
Asked:
Indy197902
1 Solution
 
Hugh FraserConsultantCommented:
I always prefer to have the firewall exposed to the Internet (that's what it was designed for) and leave the switches and routers to do those functions without having to worry about low-level IP hacker tactics. In this context, I'd be installing the router behind the firewall.

Since you have been using the firewall for NAT, I presume your address space internally is probably 192.168, or one of the other non-routable address spaces. You know have a routeable address space to play with, but beware of the pitfalls and unforeseen problems that come from re-addressing all the infrastructure you already have. Inevitably, you incur more downtime and hidden problems than expected. So if your environment is anything non-trivial, I would not suggest re-addressing.

There may be an issue, though. If you move NAT to the new router, you need to check first to see if the firewall has any rules based upon IP address. At this time, it sees all the internal address space, but NAT on the router reduce the traffic to a single address. So while you can certainly use the router for traffic shaping, I'd suggest leaving NAT to the firewall.

It's always easier if you have a greenfield site.
0
 
Indy197902Author Commented:
Ok, I just went ahead and took the router out of the mix and let the firewall face the internet and provide all the NAT. I didn't see any loss of performance on the internet, so I guess we aren't producing enough traffic to overload the firewall.

Thanks for the insight.

Sam
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now