Solved

Utilize Firewall on ISR when you have an ASA

Posted on 2014-02-01
5
541 Views
Last Modified: 2014-02-02
Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, IE the 2911 how much of a performance impact would you likely see? How Can i ultimately tell if it is affecting my performance or adding latency? My CPU is not high but i don't i believe that should be the only measure.

2. My setup is as follows: Public Internet > Router > ASA  > Internal Switch. At this point i have cbac enabled at the router as well as the ASA functioning as a firewall. Its a bit redundant but also complying with the "security in depth" model. If my performance can be increase by removing the firewall's at the router i think it maybe worth doing though and leaving all the firewalling to the ASA's which were designed to do that.

Thanks!
0
Comment
Question by:Psy4HA
  • 2
  • 2
5 Comments
 
LVL 26

Accepted Solution

by:
Soulja earned 400 total points
ID: 39827071
The impact of the CBAC on the router is really determined by how much traffic it has to actually inspect.  Cisco says that CBAC used 600bytes of memory per connection so you may want to take that in consideration. If  multi-tiered firewall is what you have to have I would probably put another ASA in the mix and just let the route do what it does best and route.

If you don't need mult-tier than just restrict as much traffic by ACL at the router and then any traffic that is allow is then inspected.
0
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 100 total points
ID: 39827981
I would suggest removing CBAC from the router and let the ASA do its intended job.
0
 

Author Comment

by:Psy4HA
ID: 39828452
Ok I should prolly tremove CBAC and implement control plane protection to protect router itself. Also thinking of adding an acl to public interfaces that permit all traffic but maybe only allow ssh from known Ips? If I add acl I think it's still cef switched and wouldn't add any load as I wouldn't needed inspection. Or maybe I do this all through cppr? Thanks all.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39828520
Yeah, as I stated. Use ACL's on the router to filter most traffic and then the traffic that is allowed in can be inspected by the ASA.
0
 

Author Closing Comment

by:Psy4HA
ID: 39828732
Looks like a good plan.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now