We are planning on revamping our internet connection to a DS3. This will require an upgrade in our internet facing router (currently 3662). We have purchased a 3845 ISR with NM-T3/E3. Currently our NATing is done on the internet facing router before the ASA with no NATing done on the ASA. I am not comfortable with this configuration but since we're planning on upgrading soon, I have not changed anything. A consultant was hired to do the internet router and ASA setup before I was with the company to do the work and he stated that "the NATing should be done on the Internet Router rather than the ASA. This eliminates issues when dealing with Firewall problems and NATing issues." I do not totally agree but I am open to suggestions.
My question is what is best practice for NATing? Should it be done outside the firewall on the internet facing router or the ASA? I like the fact of a single point of management like the ASA for access and NATing and such. A little information on what is best practice or most practical would be great. Thanks.