configuring router and firewall for Internet access

Jan 7th, 2008


I am configuring a 1721 router for Internet access for a branch office with 30 employees. There will be an ASA5505 firewall behind the 1721. The ISP has provided 14 public Ethernet IP addresses. Is it more efficient to perform PAT or NAT? Is it more efficient to perform PAT or NAT on the 1721 router or the ASA5505 firewall?

We also have a MPLS network connected to the LAN switch on the above network.

Collin Clark Mon, 01/07/2008 - 14:19

I don't think there is that much of a difference between NAT/PAT concerning resource consumption. I would start with PAT and keep those addresses in case you ever need to use them for hosting services (like email/www/etc). I prefer to NAT at the firewall and I would think the ASA would handle that better than the 1710.


Jon Marshall Mon, 01/07/2008 - 14:22

Use PAT for outbound traffic, i.e. your users accessing the Internet.

As Collin says, use static NAT to host services that you want people to be able to access from the Internet, e.g. mail/http.

Use the ASA.


saidfrh Mon, 01/07/2008 - 14:43

We have been provided a public LAN/Ethernet/Gateway IP address by the ISP. Which physical interface is the above assigned to, the Ethernet int on the 1721 perimeter router, or the E0 interface of the ASA5505 firewall?


Jon Marshall Mon, 01/07/2008 - 14:46


This should be assigned to the inside interface of your 1721. It should be out of the same subnet as 14 addresses provided to you by your ISP. The ASA then has a default route pointing to this IP address.


Collin Clark Mon, 01/07/2008 - 14:47

If the ISP is handing off ethernet, I see no need for the 1721 router (assuming it is not terminating any other connections like MPLS). I would plug it directly into the ASA.

Jon Marshall Mon, 01/07/2008 - 14:52


That's a very good point Collin. I was assuming that the 1721 was provided by the ISP.

If it isn't, not only is there no need for the 1721, it will actually make it impossible to use the public addressing between the 1721 and the ASA.

As Collin says, if the 1721 is not ISP supplied and they are presenting ethernet just use the ASA.


saidfrh Mon, 01/07/2008 - 14:57

The ISP have assigned us a serial IP address to connect to their router using PPP encapsulation. We supply the perimeter router.

Jon Marshall Mon, 01/07/2008 - 14:58

Right, so they are not handing off ethernet?

If they are not presenting ethernet and you have a serial connection to the ISP, go back to what I said in my previous post.
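Putting the thread's recommendations together as an added example (not configuration posted by anyone in this discussion): the customer-owned 1721 terminates the PPP serial link and carries the ISP's /28 on its Ethernet interface, and the ASA 5505 behind it does PAT for outbound users plus one static NAT for a mail server. All addresses (203.0.113.0/28 standing in for the 14-address block, 198.51.100.2 for the serial address, 192.168.1.0/24 inside) are constructed placeholders, and the NAT commands use the pre-8.3 ASA syntax that shipped in 2008.

```cisco
! ---- 1721 perimeter router (customer supplied) ----
interface Serial0
 description PPP link to ISP; address is an ISP-assigned placeholder
 encapsulation ppp
 ip address 198.51.100.2 255.255.255.252
 no shutdown
!
interface FastEthernet0
 description Toward ASA 5505 outside; first usable address of the ISP /28
 ip address 203.0.113.1 255.255.255.240
 no shutdown
!
! No NAT on the router: the public block is routed through to the ASA
ip route 0.0.0.0 0.0.0.0 Serial0
!
! ---- ASA 5505 (pre-8.3 NAT syntax) ----
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Outbound: every inside host is PATed to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Inbound: one spare public address statically mapped to the mail server,
! with the outside ACL opening only SMTP to it
static (inside,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-group outside_in in interface outside
!
! Default route points at the 1721's Ethernet address in the same /28
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The remaining addresses in the /28 stay free for further static NATs, as Collin suggested, and `show xlate` on the ASA will show the single PAT translation for outbound users alongside the one static entry.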


