I’ve seen quite a few issues throughout the years, but one that I run into time and time again revolves around which device to set as the default gateway in a DHCP scope when you have both an internal router and an Internet firewall on the same IP network. Should you set the router as the default gateway, or should you set the firewall as the default gateway? Let’s use the topology below as a pretty simple example:
Theoretically this shouldn’t be an issue but I’ve seen it be an issue time and time again. This configuration usually results in performance issues because ICMP redirects are ignored, or never issued.
Cisco 2921 Router – Default Gateway
If we set the default gateway for the Windows 7 desktop/laptop to the Cisco 2921 Router then all traffic that’s not local to this network will be sent to that router. That includes traffic for other corporate networks and for Internet traffic. In theory the Cisco 2921 Router will forward traffic destined for corporate networks out over the WAN while it will forward traffic for Internet based destinations to the Cisco ASA 5505 firewall. When it forwards traffic to the Internet it will also issue an ICMP redirect to the Windows 7 Desktop/Laptop informing that device that 10.100.25.2 is a better destination for traffic to the Internet.
Cisco ASA 5505 – Default Gateway
If we set the default gateway for the desktop/laptop to the Cisco ASA 5505 firewall then all traffic that’s not destined for the Internet will still be sent toward the firewall. In the case of the Cisco ASA 5505, since it’s a firewall it won’t issue ICMP redirects to the desktop/laptop so all traffic will need to pass through the Cisco ASA 5505.
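To make the two scenarios above concrete, here is a small forwarding model that counts how many LAN devices each packet passes through under each default-gateway choice, with and without the host honouring ICMP redirects. This is an added example, not code from the original post. The addresses are constructed to match the described topology: 10.100.25.2 for the Cisco ASA 5505 comes from the post, while 10.100.25.1 for the Cisco 2921 router, 10.100.25.50 for the Windows desktop, and 10.0.0.0/8 standing in for "other corporate networks" reached over the WAN are assumptions.

```python
"""Toy forwarding model of the router-vs-firewall default-gateway choice.

Added example, not code from the original post. All addresses below are
constructed to match the described topology; only 10.100.25.2 (the ASA)
appears in the post itself.
"""
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

LAN = IPNet("10.100.25.0/24")          # assumed LAN prefix
ROUTER = IPAddr("10.100.25.1")         # Cisco 2921 router (assumed address)
FIREWALL = IPAddr("10.100.25.2")       # Cisco ASA 5505 (address from the post)
CORPORATE = IPNet("10.0.0.0/8")        # other corporate networks behind the WAN (assumed)
WAN, INTERNET = "WAN", "INTERNET"      # terminal next hops: the packet leaves the LAN


class Forwarder:
    """A LAN device with a longest-prefix-match routing table."""

    def __init__(self, name, routes, sends_redirects):
        self.name = name
        # routes: (network, next_hop) pairs; next hop is a LAN address or a terminal label
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.sends_redirects = sends_redirects

    def next_hop(self, dst):
        for net, nh in self.routes:
            if dst in net:
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")


# IOS sends ICMP redirects by default; the ASA, as the post notes, does not.
DEVICES = {
    ROUTER: Forwarder("router",
                      [(LAN, "CONNECTED"), (CORPORATE, WAN), (IPNet("0.0.0.0/0"), FIREWALL)],
                      sends_redirects=True),
    FIREWALL: Forwarder("firewall",
                        [(LAN, "CONNECTED"), (CORPORATE, ROUTER), (IPNet("0.0.0.0/0"), INTERNET)],
                        sends_redirects=False),
}


class Host:
    """The desktop/laptop: one default gateway plus a per-destination redirect cache."""

    def __init__(self, gateway, accept_redirects):
        self.gateway = gateway
        self.accept_redirects = accept_redirects
        self.redirect_cache = {}   # dst -> better first hop learned from an ICMP redirect

    def send(self, dst):
        """Return the names of the LAN devices one packet to dst passes through."""
        if dst in LAN:
            return []                          # delivered directly on the segment
        hop = self.redirect_cache.get(dst, self.gateway)
        path = []
        for _ in range(8):                     # hop guard against a misconfigured loop
            if hop not in DEVICES:
                break                          # reached WAN or INTERNET
            dev = DEVICES[hop]
            path.append(dev.name)
            nxt = dev.next_hop(dst)
            # A router that forwards back onto the LAN it received the packet from
            # issues a redirect; the host only benefits if it accepts redirects.
            if nxt in DEVICES and dev.sends_redirects and self.accept_redirects:
                self.redirect_cache[dst] = nxt
            hop = nxt
        return path


def device_traversals(gateway, accept_redirects, dst, packets=10):
    """Total LAN-device traversals for `packets` packets from one host to dst."""
    host = Host(gateway, accept_redirects)
    return sum(len(host.send(dst)) for _ in range(packets))


if __name__ == "__main__":
    internet_dst = IPAddr("203.0.113.10")      # constructed (documentation range)
    corp_dst = IPAddr("10.20.30.40")           # constructed corporate host
    for gw_name, gw in (("router", ROUTER), ("firewall", FIREWALL)):
        for accept in (True, False):
            print(f"gateway={gw_name:8} redirects_accepted={accept!s:5} "
                  f"internet={device_traversals(gw, accept, internet_dst):2d} "
                  f"corporate={device_traversals(gw, accept, corp_dst):2d}")
```

Over ten packets the model reproduces the post's point: with the router as gateway and redirects honoured, Internet traffic costs 11 traversals (the first packet hairpins through the router, the rest go straight to the ASA); with redirects ignored it costs 20; with the ASA as gateway, corporate traffic always costs 20 because the firewall never issues redirects. The "redirects ignored" case is common in practice, since host hardening baselines disable acceptance of ICMP redirects (a forged redirect can steer a host's traffic); on Windows, `netsh interface ipv4 show global` shows whether ICMP redirects are enabled, and on IOS `no ip redirects` on the interface stops the router issuing them.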
What’s the solution?
I’ll be honest and say I haven’t seen this too much lately, and in smaller networks it doesn’t usually amount to much of a problem. In larger networks, though, I’ve seen a lot of performance issues around this scenario. So the easy solution is simply not to place the firewall on the same network segment as any of the desktops/laptops.
Have you ever run into this problem?
Cheers!