A router behind the firewall is nice too.
It insulates the firewall from direct end-user traffic.
It also makes for a cleaner cutover from one firewall to another. (Instead
of the edge getting stuck ARPs, their perspective of the network remains
unchanged.)
It also allows for stateless ACLs on both ends of the firewall.


On Thu, Feb 5, 2015 at 1:49 PM, Ralph J.Mayer <rma...@nerd-residenz.de>
wrote:

> Hi David,
>
> a router is a router and a firewall is a firewall.
>
> Especially a Cisco ASA is no router, period.
>
> A router in front of the firewall is my choice, it also keeps broadcasts
> from the firewall + can do uRPF.
>
>
> rm
