Best place to NAT - Internet Router or ASA

bwilloby46 · ‎02-28-2009

Greetings All,

We are planning on revamping our internet connection to a DS3. This will require an upgrade in our internet facing router (currently 3662). We have purchased a 3845 ISR with NM-T3/E3. Currently our NATing is done on the internet facing router before the ASA with no NATing done on the ASA. I am not comfortable with this configuration but since we're planning on upgrading soon, i have not changed anything. A consultant was hired to do the internet router and ASA setup before i was with the company to do the work and he stated that "the NATing should be done on the Internet Router rather than the ASA. This eleminates issues when dealing with Firewall problems and NATing issues." I do not totally agree but I am open for suggestion.

My question is what is best practice for NATing? Should it be done outside the firewall on the internet facing router or the ASA? I like the fact of a single point of managment like the ASA for access and NATing and such. A little information on what is best practice or most practical would be great. Thanks.

JamesLuther · ‎02-28-2009

Hi,

I'm not sure that there are any best pratices for this, however every single company I've worked for has done thier NATing on the firewall.

Technically there isn't much to choose between the two options. However, as you've stated, it's preferable from a management perspective to create all of your rules in one place.

With reagard to his statement about firewall problems with NAT. I have observed some strange issues on firewalls with NAT, however this is rare and in very complex environments. Usually in such environements you re-design to layer your firewalls so each firewall is only doing one job, therfore eliminating these sorts of issues.

Regards

James

Jon Marshall · ‎03-01-2009

I agree with James, in all the environments i have worked we have done the Natting on the firewall. The only time i have seen Natting on the router is when the link between the router and firewall is using a private IP range and only the external interface of the router has a public IP.

One further point. Rather than introduce problems when Natting on the firewall it actually helps with certain things such as VPN's if you are terminating these on your ASA device.

Jon

cisco24x7 · ‎03-01-2009

Here is my 2c on this:

A- I would perform NAT'ing on the router rather than the ASA because NAT'ing on the router is so much easier without the risk of causing an outtage on your network. This is especially true if you have really complex NAT. You really do not want to take any chances on the ASA. If anyone disagree with this, I can give you a few examples on this:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc18b60

B- If your firewall is a Checkpoint firewall, I would definitely recommend NAT'ing on the Checkpoint. Lot of complex NAT'ing can be done with Checkpoint easily versus nothing but headache on the ASA.

Jon Marshall · ‎03-01-2009

David

Checkpoint aside, out of interest why do you say Natting is so much easier on a router than the ASA ?.

Did you ever get a working config for your ASA NAT in your link and if so how much harder is that config than the equivalent one for an IOS router ?

Jon

cisco24x7 · ‎03-01-2009

The big difference between router and ASA is that router has no concept of security level and that ASA does. This make NAT'ing much easier on IOS than on ASA.

I almost got the config to work on the ASA but the customer was not very happy about it so I moved the NAT'ing over to the router. On the router, the config took me a couple of hours to get it to work and that it was much easier than on the ASA

arvind.thevendriya · ‎03-01-2009

Hi,

I would go with Natting at the firewall.

But first an question?

1) Do you have any server facing internet?

2) Do you have anys servers sitting in DMZ?

I would go natting on ASA and only routing with External router.