[c-nsp] Router / Switch in front of Firewall

Tor-Ivar Kristoffersen tik at lufttransport.no
Sun May 11 09:51:38 EDT 2008


Hi all

This is my first post here, so I hope this gets in the right way :)

We have a 100 Mbit Internet connection that we are building (this is a new line). We are putting in new equipment and plan to move over one service at a time.
We have a FortiGate 500A firewall in front here, but we need to set up a router or switch or some other nice box in front of the firewall.
The reason for this is that we have a /21 net routed to this fw, but our supplier runs their equipment on 10.x.x.x IPs and they will not let their equipment be exposed with real IPs. So the issue for us comes when the FG500A is to communicate with the world: it sees that the default gw is on a 10.x.x.x net and therefore uses its own 10.x.x.x assigned IP address for transmitting this. This naturally gets dropped by the ISP.

Solution is to put a Cisco switch / router in front with two interfaces: one with our legal IP and one with the 10.x address. This way this unit will become the default gw for our FG500A and will transmit with its real IP address.

But that leaves the question as to which unit to use in front.

We have a couple of 2801s in stock, but they can't handle the traffic. We need something that can withstand an attack and at the same time deliver enough performance for the 100 Mbit link.

All suggestions are welcome; also, if anyone has a similar setup and therefore has any hands-on experience with such a front end, that would be great.

Thanks

Best regards
Tor-Ivar Kristoffersen
IT Consultant
Lufttransport AS

"Horsepower is how hard you hit the wall, torque is how long you take the wall with you"
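As an added example (not part of Tor-Ivar's post and not a config from Lufttransport or the list), here is a minimal Cisco IOS configuration for the two-interface front-end router he describes: one interface in the provider's private 10.x transit space carrying the default route, one interface carrying a public address carved out of the routed block, with the rest of the block static-routed to the FortiGate. The hostname, interface names, the 10.0.0.0/30 transit link, and 203.0.113.0/24 standing in for the real /21 are all assumptions; the anti-spoofing ACL and uRPF lines are the kind of hardening a practitioner would want on a box that sits directly on the Internet.

```cisco
! Hypothetical front-end router "edge-rtr" (example config, not from the post).
! Placeholders: ISP transit 10.0.0.0/30 (ISP = 10.0.0.1, us = 10.0.0.2),
! public block 203.0.113.0/24 standing in for the poster's /21,
! router/firewall link 203.0.113.0/30 (router = .1, FortiGate outside = .2).
hostname edge-rtr
!
ip cef
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
!
! Anti-spoofing on the Internet side: drop packets that claim to come from
! our own block or from private space, but let the provider's transit /30
! through so ICMP errors from the upstream gateway still reach us.
ip access-list extended EDGE-IN
 remark Our own public block must never arrive from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Provider transit link (gateway, ICMP unreachables, etc.)
 permit ip 10.0.0.0 0.0.0.3 any
 remark Other RFC1918 sources are bogus on this link
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Only the public block may manage this router.
ip access-list standard MGMT-HOSTS
 permit 203.0.113.0 0.0.0.255
!
! Outside: ISP-facing link in the provider's 10.x space.
interface GigabitEthernet0/0
 description Uplink to ISP (provider-private 10.x transit)
 ip address 10.0.0.2 255.255.255.252
 ip access-group EDGE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Inside: link to the FortiGate outside interface, using public addresses so
! the firewall's own traffic is sourced from a real IP, not a 10.x one.
interface GigabitEthernet0/1
 description Link to FortiGate 500A outside interface
 ip address 203.0.113.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ! Strict uRPF: anything arriving here must source from the public block,
 ! since that is the only prefix routed via this interface.
 ip verify unicast source reachable-via rx
!
! Default route toward the ISP's 10.x gateway; the rest of the public block
! is handed to the firewall (the connected /30 is more specific and wins).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 203.0.113.0 255.255.255.0 203.0.113.2
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
end
```

On the FortiGate side, the outside interface then gets 203.0.113.2/30 with 203.0.113.1 as its default gateway, and the firewall never sees a 10.x address at all, which is what resolves the source-address problem in the post. The ACL deliberately does not block everything from 10.0.0.0/8, only what is not the transit link, because path-MTU and unreachable messages from the provider's gateway will be sourced from its 10.x address.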

