Re: Cisco security perimeter!! :( [bcc][faked-from] posted 03/28/2006

There are ISPs now that are bringing in connectivity via Ethernet or

Stefan - what methods of delivery is your ISP providing connectivity?  T1?
DSL? E1?  Cablemodem? ISDN (sigh)? Fiber? Ethernet/FastEthernet?

If your ISP is providing an Ethernet or FastEthernet connection, then you can (more than likely) ditch the customer Border Router in the design below. Depending on how your ISP operates and what kind of service they provide (managed vs. unmanaged) they may want a device which they can have enable access to. (In which case you might not want to give them access to your Firewall/ASA if they provide an Ethernet connection of some sort, and throw a border router in there regardless!)

The standard Cisco design looks like this:

Firewall (PIX or ASA)
Customer L3 Switch (or in the past, another router to route between internal
private networks)

Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc - A Cisco Learning Partner (CLP)
YES! We take Cisco Learning credits!
brad@xxxxxxxxxxxxxx (Cisco Training and Advanced Technology Rental Racks)
Voice: 702-968-5100
FAX: 702-446-8012

----- Original Message ----- From: "Sheahan, John" <John.Sheahan@xxxxxxxxxxxxx>
To: "Stefan Grey" <examplebrain@xxxxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>
Sent: Tuesday, March 28, 2006 9:07 AM
Subject: RE: Cisco security perimeter!! :( [bcc][faked-from]

Perhaps your presales engineer is just trying to make the point that you
need to terminate your internet circuit on a router before you get to a
Pix/ASA. There is no way to bring a circuit directly into the Pix/ASA.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Stefan Grey
Sent: Tuesday, March 28, 2006 11:56 AM
To: ccielab@xxxxxxxxxxxxxx
Subject: Cisco security perimeter!! :(

Hello guys.

Receive from the ISP internet link, vpn link, maybe some other. Then
the perimeter security.

1. Idea 1. Just to put ASA/PIX on the perimeter and then connect it to
local switch.

1. My senior presales engineer told me that it is a bad solution. And he
didn't see such a design before. He tells that always is done so: the
on the perimeter and then the router itself is connected with the
or ASA. He told that the router is needed to configure the shaping and
avoid some headaches.

Could you please explain why 1st design is bad. Why shaping is so
on the perimeter router. Why this router is needed and which bad things
could I receive if I build design 1. (with just one ASA or PIX).

Any help highly appreciated.
