nanog mailing list archives

Re: Dynamic routing on firewalls.

From: Nicholas Oas <nicholas.oas () gmail com>
Date: Thu, 5 Feb 2015 19:02:58 -0500

A router behind the firewall is nice too.
It insulates the firewall from direct end-user traffic.
It also makes for a cleaner cutover from one firewall to another. (Instead
of the edge getting stuck ARPs their perspective of the network remains
unchanged.)
It also allows for stateless ACLs on both ends of the firewall.


On Thu, Feb 5, 2015 at 1:49 PM, Ralph J.Mayer <rmayer () nerd-residenz de>
wrote:

Hi David,

a router is a router and a firewall is a firewall.

Especially a Cisco ASA is no router, period.

A router in front of the firewall is my choice, it also keeps broadcasts
from the firewall + can do uRPF.


rm

Current thread:

Re: Dynamic routing on firewalls., (continued)
- - - Re: Dynamic routing on firewalls. Owen DeLong (Feb 08)
    - Re: Dynamic routing on firewalls. Rich Kulawiec (Feb 09)
    - Re: Dynamic routing on firewalls. Eugeniu Patrascu (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 08)
    - Re: Dynamic routing on firewalls. Owen DeLong (Feb 08)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
    - Re: Dynamic routing on firewalls. Valdis . Kletnieks (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
    - Re: Dynamic routing on firewalls. Valdis . Kletnieks (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
  - Re: Dynamic routing on firewalls. Nicholas Oas (Feb 05)
- Re: Dynamic routing on firewalls. Craig (Feb 08)
  - RE: Dynamic routing on firewalls. Tony Wicks (Feb 08)