Where to NAT?

mulhollandm
Level 1

Folks,

I have an external router facing the internet,

an ASA inside that,

another firewall behind that, and then my LAN.

I'll have my DMZs (www/SMTP etc.) on my inner firewall, along with a reverse proxy and a proxy for outbound HTTP.

My question:

Where should I NAT outbound traffic?

My instinct is on the firewall managing the DMZs, as this box is better for logging etc.

Anyone have any guidance/advice?

Thanks to anyone taking the time to reply.

Accepted Solution

Patrick.Beaven
Level 1

I would only NAT in the firewall connected to the internet router. NATing on multiple firewalls will cause you problems in the future. If you are inspecting traffic you may have to disable or enable inspection of certain traffic types on each firewall. If you require active FTP you may need to enable inspection of FTP traffic on the firewall closest to the source of the FTP client. I typically would not ever recommend using two or more firewalls inline.

6 Replies

andrew.prince
Level 10

Michael,

In my opinion it all depends on how many public IP addresses you have, and what you plan to face the internet (services, VPN etc.).

Me personally, I would connect the firewall to the external router, and have the ASA on a DMZ for VPNs etc.

Then the only place you have to NAT is on your outside firewall interface, for your internal and DMZ traffic? If you have a class C, or even a /240 or below, I would configure the DMZ with the ASA in it, with a subset of the public range; then the only traffic that needs to be NAT'd is internal only?

HTH.

andrew

Many thanks for your reply, greatly appreciated.

I have the ASA (5540) on the outside with a pretty simple rule base, but the internal firewall is a bigger box which will host approx. 8-10 DMZs, including an SSL VPN.

My thoughts are that the bigger internal box provides better logging, but then I'd lose visibility of traffic on the outer firewall.

Thanks again.

Hi,

If you are planning to do the NAT on the internal ASA FW box then you need to have two public IP pools:

- one between ASA1 outside and the Internet router

- the other between ASA2 outside and ASA1 inside

<>---<>---<>---<>

Generally what we do is configure the ASA1 box in this scenario in Transparent mode (L2), which does the filtering for the permitted traffic at the 1st level of perimeter.

And the NAT, VPN and DMZ are configured on the ASA2 box. This config only requires one public IP pool.

OK - that makes sense,

In this situation, as stated before, have the big firewall facing the internet and the ASA in a DMZ. This allows you to control the flow of traffic to a higher degree. You could, if you wanted, also use the big firewall in a dual-layer topology with the ASA for L2L and remote SSL VPNs.

As the big firewall has all the logging power, you can log everything. For the ASA you have a physical interface or VLAN interface for the outside of the ASA, and a physical or VLAN interface for the inside; you can control what comes into the ASA, and of course what comes out of it onto the internal network.

Or you can keep your setup as you suggest; you should not have to lose the logs from the ASA, just configure the large firewall to allow the syslogs through to your internal syslog server?

HTH.
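
As an added illustration (not configuration posted by anyone in this thread), this is the layout the earlier reply describes, with ASA1 transparent and filtering only and ASA2 routed and doing every translation from a single public /24, plus the FTP-inspection and syslog points raised by Patrick and Andrew. It assumes ASA 8.4-style object NAT and bridge-group syntax; every address is a documentation-range placeholder chosen for the example, and the hostnames, object and ACL names are invented.

```text
! ASA1, outer box: transparent (L2) mode, no NAT, a permit list for published services only
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
! management address for the bridge, inside the public /24 (placeholder range)
interface BVI1
 ip address 198.51.100.2 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 80
access-group OUTSIDE_IN in interface outside
! ASA2, inner box: routed mode, holds the one public pool and does all the NAT
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.3 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
! default route to the Internet router (placeholder address)
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! one public address for the published web host; the ACL below uses its real (untranslated) address
object network WWW
 host 172.16.0.10
 nat (dmz,outside) static 198.51.100.10
! outbound PAT for the LAN onto a single public address
object network LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 198.51.100.20
access-list OUTSIDE_IN extended permit tcp any object WWW eq 80
access-group OUTSIDE_IN in interface outside
! FTP inspection stays on the box nearest the FTP clients (the LAN side)
policy-map global_policy
 class inspection_default
  inspect ftp
! ship this box's logs to the internal syslog server
logging enable
logging trap informational
logging host inside 10.0.0.50
```

Because ASA1 never translates, its ACL matches the public addresses that ASA2 later maps to the DMZ hosts, so only one public pool is consumed and only ASA2's NAT table needs reading when troubleshooting.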


Patrick and all those who read and replied,

Many thanks for your views.

I've a few more thoughts and things to go over, so again, many thanks.