Traffic from the ISP may not come in on an Ethernet interface. The further you push the attack back from your core, the better. So if the router can halt the incoming attack, it means the firewall is free for the complex work.
ALSO (optional) >>>> to not have your F/W do the NAT too.
Other off-load reasons >>>>
- stateless pkt filtering, as Conwyn mentions, just to "choke" some bad traffic
- Traffic Policing/Shaping and other QoS/CoS actions on in/out traffic
Hey there David
You are welcome, m8.
One more that just came to mind >>>>
Policy-based Routing (PBR) functionality, especially useful when the NATting point is the outside-zone choke router too. Many vendor firewalls don't really support this very useful feature for multihoming and general traffic engineering. They instead support policy-based NAT, but there are meaningful use-case differences (e.g. PBR match by traffic type or ToS/precedence values and set/change these CoS/QoS values right before the egress forwarding), as you can understand.
I would agree with points from previous posts that sometimes a connection on media other than Ethernet is a reason for a router outside the firewall. Also, being able to discard obviously illegitimate traffic before it gets to the firewall lets the firewall focus its resources on traffic that is likely to matter more. And I like the suggestion that PBR may be a desirable feature and is not supported on many firewalls. Let me also suggest two other reasons why you might choose to put router(s) in front of the firewall:
- some people will choose to put a router in front of the firewall so that it can run a routing protocol over the outside connection. Until very recently the ASA did not support BGP, and so if you wanted to run BGP with a provider you could not do that on the firewall. And some people prefer to have their firewall focus on filtering traffic and not try to do much in the way of routing activity.
- some firewalls, particularly the ASA, do not support active connections to multiple outside connections. They do fine with a single default route (and maybe a backup default to another next hop) but do not actively use more than one. I worked with a customer recently who was implementing a multi-homed connection from his network to two ISPs. They have an ASA firewall and chose to put routers in front of the firewall so that they could maintain active connections to both providers and actively share traffic on both connections.
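As an added example (not posted by anyone in this thread), here is a Cisco IOS edge-router configuration that implements the three offload roles discussed above: a stateless "choke" filter, policing, and PBR with CoS marking toward one of two providers. The interface names, the 192.0.2.0/24 public prefix, the 198.51.100.1 / 203.0.113.1 provider next-hops and the 256 kbit/s rate are assumptions (RFC 5737 documentation addresses), not values from the thread.

```cisco
! Added example, not from any poster in this thread. Assumed: WAN link is
! Serial0/0/0, GigabitEthernet0/0 faces the firewall's outside interface,
! our public prefix is 192.0.2.0/24, ISP-A next-hop is 198.51.100.1 and
! ISP-B (reached via normal routing) is 203.0.113.1.
!
! 1) Stateless "choke" filter on the WAN side: drop what can never be
!    legitimate so the stateful firewall never has to look at it.
ip access-list extended EDGE-IN
 remark Our own prefix arriving from the Internet is spoofed
 deny   ip 192.0.2.0 0.0.0.255 any
 remark RFC 1918 and loopback sources have no business on the WAN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! 2) Policing: cap inbound ICMP so a flood burns router cycles, not
!    firewall state-table capacity (256 kbit/s is an assumed figure).
ip access-list extended ICMP-ANY
 permit icmp any any
class-map match-all ICMP-IN
 match access-group name ICMP-ANY
policy-map EDGE-POLICE
 class ICMP-IN
  police 256000 conform-action transmit exceed-action drop
!
interface Serial0/0/0
 description To ISP-A
 ip access-group EDGE-IN in
 service-policy input EDGE-POLICE
!
! 3) PBR on the inside-facing interface: steer RTP voice coming from the
!    firewall to ISP-A and set its precedence right before egress.
!    Traffic not matched by clause 10 falls through to normal routing
!    (the BGP/default routes learned from both providers).
ip access-list extended VOICE-OUT
 permit udp 192.0.2.0 0.0.0.255 any range 16384 32767
route-map EGRESS-PBR permit 10
 match ip address VOICE-OUT
 set ip precedence critical
 set ip next-hop 198.51.100.1
!
interface GigabitEthernet0/0
 description To firewall outside interface
 ip policy route-map EGRESS-PBR
```

Verify the ACL and policer are actually catching traffic with `show ip access-lists EDGE-IN` and `show policy-map interface Serial0/0/0`; if a next-hop can go down, pair `set ip next-hop` with reachability tracking rather than leaving it static.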