Utilize Firewall on ISR when you have an ASA

Posted on 2014-02-01
545 Views
Last Modified: 2014-02-02
Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, i.e. the 2911, how much of a performance impact would you likely see? How can I ultimately tell if it is affecting my performance or adding latency? My CPU is not high, but I don't believe that should be the only measure.

2. My setup is as follows: Public Internet > Router > ASA > Internal Switch. At this point I have CBAC enabled at the router as well as the ASA functioning as a firewall. It's a bit redundant but also complies with the "security in depth" model. If my performance can be increased by removing the firewalls at the router, I think it may be worth doing, though, and leaving all the firewalling to the ASAs, which were designed to do that.

Thanks!
Question by:Psy4HA
5 Comments
 
LVL 26

Accepted Solution

by: Soulja (earned 400 total points)
ID: 39827071
The impact of the CBAC on the router is really determined by how much traffic it has to actually inspect. Cisco says that CBAC uses 600 bytes of memory per connection, so you may want to take that into consideration. If a multi-tiered firewall is what you have to have, I would probably put another ASA in the mix and just let the router do what it does best and route.

If you don't need multi-tier, then just restrict as much traffic by ACL at the router as possible, and then any traffic that is allowed is inspected.
LVL 17

Assisted Solution

by: MAG03 (earned 100 total points)
ID: 39827981
I would suggest removing CBAC from the router and let the ASA do its intended job.

Author Comment

by:Psy4HA
ID: 39828452
OK, I should probably remove CBAC and implement control plane protection to protect the router itself. Also thinking of adding an ACL to public interfaces that permits all traffic but maybe only allows SSH from known IPs? If I add an ACL, I think it's still CEF switched and wouldn't add any load, as I wouldn't need inspection. Or maybe I do this all through CPPr? Thanks all.
LVL 26

Expert Comment

by:Soulja
ID: 39828520
Yeah, as I stated: use ACLs on the router to filter most traffic, and then the traffic that is allowed in can be inspected by the ASA.
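The plan the thread converges on, written out as an IOS configuration (an added example, not posted by any participant): CBAC comes off the outside interface, an inbound ACL restricts only traffic aimed at the router itself (SSH from known hosts) and passes transit traffic to the ASA, and an aggregate CoPP policy protects the route processor. The interface name, ACL and policy names, the inspection rule name FW_OUT, the router's public address 203.0.113.1, the admin hosts 198.51.100.10/11 and the police rates are all assumptions (constructed, documentation address ranges).

```cisco
! Outside interface (name assumed): drop the CBAC inspection rule, apply the ACL
interface GigabitEthernet0/0
 no ip inspect FW_OUT in
 ip access-group OUTSIDE_IN in
!
! Inbound ACL: only traffic aimed at the router itself (203.0.113.1, assumed) is
! filtered; transit traffic toward the ASA is permitted and stays CEF-switched
ip access-list extended OUTSIDE_IN
 remark SSH to the router only from known admin hosts (constructed addresses)
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 permit tcp host 198.51.100.11 host 203.0.113.1 eq 22
 deny   tcp any host 203.0.113.1 eq 22
 remark other management services never reachable from the public side
 deny   tcp any host 203.0.113.1 eq 23
 deny   udp any host 203.0.113.1 eq 161
 permit ip any any
!
! Aggregate CoPP: rate-limit what reaches the route processor so the router keeps
! routing under a flood; rates are assumptions to tune, CPPr refines this per subinterface
ip access-list extended COPP_MGMT
 permit tcp host 198.51.100.10 any eq 22
 permit tcp host 198.51.100.11 any eq 22
ip access-list extended COPP_UNDESIRABLE
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit udp any any eq 161
!
class-map match-any COPP_MGMT_CLASS
 match access-group name COPP_MGMT
class-map match-any COPP_UNDESIRABLE_CLASS
 match access-group name COPP_UNDESIRABLE
!
policy-map COPP_POLICY
 class COPP_MGMT_CLASS
  police 128000 conform-action transmit exceed-action drop
 class COPP_UNDESIRABLE_CLASS
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP_POLICY
!
! Harden the VTY lines as well so SSH is the only management transport
ip ssh version 2
line vty 0 4
 transport input ssh
```

Verify with `show ip access-lists OUTSIDE_IN` for per-entry hit counts and `show policy-map control-plane` for CoPP conform/drop counters; `show ip inspect sessions` should come back empty once CBAC is gone.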

Author Closing Comment

by:Psy4HA
ID: 39828732
Looks like a good plan.