Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Utilize Firewall on ISR when you have an ASA

Posted on 2014-02-01
5
Medium Priority
?
551 Views
Last Modified: 2014-02-02
Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, IE the 2911 how much of a performance impact would you likely see? How Can i ultimately tell if it is affecting my performance or adding latency? My CPU is not high but i don't i believe that should be the only measure.

2. My setup is as follows: Public Internet > Router > ASA  > Internal Switch. At this point i have cbac enabled at the router as well as the ASA functioning as a firewall. Its a bit redundant but also complying with the "security in depth" model. If my performance can be increase by removing the firewall's at the router i think it maybe worth doing though and leaving all the firewalling to the ASA's which were designed to do that.

Thanks!
0
Comment
Question by:Psy4HA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 26

Accepted Solution

by:
Soulja earned 1600 total points
ID: 39827071
The impact of the CBAC on the router is really determined by how much traffic it has to actually inspect.  Cisco says that CBAC used 600bytes of memory per connection so you may want to take that in consideration. If  multi-tiered firewall is what you have to have I would probably put another ASA in the mix and just let the route do what it does best and route.

If you don't need mult-tier than just restrict as much traffic by ACL at the router and then any traffic that is allow is then inspected.
0
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 400 total points
ID: 39827981
I would suggest removing CBAC from the router and let the ASA do its intended job.
0
 

Author Comment

by:Psy4HA
ID: 39828452
Ok I should prolly tremove CBAC and implement control plane protection to protect router itself. Also thinking of adding an acl to public interfaces that permit all traffic but maybe only allow ssh from known Ips? If I add acl I think it's still cef switched and wouldn't add any load as I wouldn't needed inspection. Or maybe I do this all through cppr? Thanks all.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39828520
Yeah, as I stated. Use ACL's on the router to filter most traffic and then the traffic that is allowed in can be inspected by the ASA.
0
 

Author Closing Comment

by:Psy4HA
ID: 39828732
Looks like a good plan.
0

Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question