Adtran TA612 / SonicWall TZ190 / Cisco Router connection advice

Current network layout is:

DSL Modem -> SonicWall -> Cisco 2950 -> LAN

The DSL modem is in bridge mode and the SonicWall is pulling the current static IP and handling NAT.

We just had out new T1 installed today with an Adtran TA612 handling voice and data. The ISP has given us a class A block with a /29 mask.

I'm wanting to add a Cisco 2621XM in the mix for a couple of reasons. I'd like to move NAT to the Cisco and also I need to throttle the bandwidth so my streaming audio users don't hog it all.

Should I put the Cisco behind or in front of the firewall? Do I assign an address out of my block to each device or use private addresses?

I keep getting my self confused with this many devices connected inline.

Sam
Indy197902Asked:
Who is Participating?
 
Hugh FraserConsultantCommented:
I always prefer to have the firewall exposed to the Internet (that's what it was designed for) and leave the switches and routers to do those functions without having to worry about low-level IP hacker tactics. In this context, I'd be installing the router behind the firewall.

Since you have been using the firewall for NAT, I presume your address space internally is probably 192.168, or one of the other non-routable address spaces. You know have a routeable address space to play with, but beware of the pitfalls and unforeseen problems that come from re-addressing all the infrastructure you already have. Inevitably, you incur more downtime and hidden problems than expected. So if your environment is anything non-trivial, I would not suggest re-addressing.

There may be an issue, though. If you move NAT to the new router, you need to check first to see if the firewall has any rules based upon IP address. At this time, it sees all the internal address space, but NAT on the router reduce the traffic to a single address. So while you can certainly use the router for traffic shaping, I'd suggest leaving NAT to the firewall.

It's always easier if you have a greenfield site.
0
 
Indy197902Author Commented:
Ok, I just went ahead and took the router out of the mix and let the firewall face the internet and provide all the NAT. I didn't see any loss of performance on the internet, so I guess we aren't producing enough traffic to overload the firewall.

Thanks for the insight.

Sam
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.