configuring router and firewall for Internet access

Jan 7th, 2008

Hi,

I am configuring a 1721 router for Internet access for a branch office with 30 employees. There will be an ASA5505 firewall behind the 1721. The ISP has provided 14 public Ethernet IP addresses. Is it more efficient to perform PAT or NAT? Is it more efficient to perform PAT or NAT on the 1721 router or ASA5505 firewall?


We also have an MPLS network connected to the LAN switch on the above network.

Collin Clark Mon, 01/07/2008 - 14:19

I don't think there is that much of a difference between NAT/PAT concerning resource consumption. I would start with PAT and keep those addresses in case you ever need to use them for hosting services (like email/www/etc). I prefer to NAT at the firewall and I would think the ASA would handle that better than the 1710.


HTH

Jon Marshall Mon, 01/07/2008 - 14:22

Use PAT for outbound traffic, i.e. your users accessing the Internet.


As Collin says, use static NAT to host services that you want people to be able to access from the Internet, e.g. mail/http.


Use the ASA.


Jon

saidfrh Mon, 01/07/2008 - 14:43

We have been provided a public LAN/Ethernet/Gateway IP address by the ISP. Which physical interface is the above assigned to, the Ethernet int on the 1721 perimeter router, or the E0 interface of the ASA5505 firewall?

Thanks.

Jon Marshall Mon, 01/07/2008 - 14:46

Hi


This should be assigned to the inside interface of your 1721. It should be out of the same subnet as the 14 addresses provided to you by your ISP. The ASA then has a default route pointing to this IP address.


Jon

Collin Clark Mon, 01/07/2008 - 14:47

If the ISP is handing off Ethernet, I see no need for the 1721 router (assuming it is not terminating any other connections like MPLS). I would plug it directly into the ASA.

Jon Marshall Mon, 01/07/2008 - 14:52

Hi


That's a very good point, Collin. I was assuming that the 1721 was provided by the ISP.


If it isn't, not only is there no need for the 1721, it will actually make it impossible to use the public addressing between the 1721 and the ASA.


As Collin says, if the 1721 is not ISP supplied and they are presenting Ethernet, just use the ASA.


Jon

saidfrh Mon, 01/07/2008 - 14:57

The ISP have assigned us a serial IP address to connect to their router using PPP encapsulation. We supply the perimeter router.

Jon Marshall Mon, 01/07/2008 - 14:58

Right, so they are not handing off Ethernet?


If they are not presenting Ethernet and you have a serial connection to the ISP, go back to what I said in my previous post.


Jon
