Where to perform NAT/PAT??

Answered Question
Jul 30th, 2009

Hi All,

I would like to know what is the best practice when connecting an internal network to the internet. Internal users should be able to browse the internet, plus services such as SMTP, HTTPS etc. that sit on the DMZ should be available to internet users. Here is what I have:



Host PCs->Access SW->Core SW->ASA5520->2821RTR-Internet

I've seen a somewhat complicated design in the past where NAT/PAT was done on both the internet edge router and the ASA behind it, so I have some doubts about reusing this design.

a) Should I perform translation on the ASA and the internet router, or can I simply terminate the internet connection on the edge router, use ACLs to filter the traffic, and only perform translation on the ASA? Which is more secure, or which do you prefer, or is it a case where it all depends on other aspects of the network topology?

Any input is appreciated.


Collin Clark Thu, 07/30/2009 - 13:06

I would do it on the ASA. It's purpose-built to do just that. I would create the rule set there as well. You can filter all the basic junk out on the router (ICMP, RFC 1918, broadcast, etc.) to save resources on your ASA. I would hang the DMZ off the ASA as well to provide it security.

Jon Marshall Thu, 07/30/2009 - 13:16


As long as the ASA has a public IP address on the outside interface I agree with Collin: do the NAT on the ASA and control access via the ASA as well.


phlitservices Thu, 07/30/2009 - 13:57

Thanks for your input Jon and Collin. The ASA doesn't have a public IP, as the ONLY public IP sits on the outside interface of the internet router (the outside interface of the internet router is connected to a switch/CPE device provided by the ISP; this device acts as the default gateway for the internet router).

I'm thinking that this shouldn't be a problem once incoming internet traffic is routed from the internet router to the ASA's outside interface; from there translation can begin. Let me know if I'm correct.



Correct Answer
Jon Marshall Thu, 07/30/2009 - 14:05


You will have to use the router to do the translations if the ASA is using a private address on its outside interface.

Private addresses are not routable on the internet, so it would not work natting on the ASA as these addresses would never be reachable.


phlitservices Thu, 07/30/2009 - 15:22

Thank you Jon. In my haste to get away from performing translation on the edge router I totally forgot about RFC 1918 :)


Collin Clark Fri, 07/31/2009 - 05:33

If your routable address space is different than the IP subnet on your serial line, you can pass it to the ASA and it can have a public address on the outside.

phlitservices Fri, 07/31/2009 - 08:44

Basically the internet connection is a fiber link terminating on a switch provided by the ISP. Port fa0/0 on my edge router (2821) connects to an ethernet port on my ISP's switch. The following IP block is what belongs to me:

IP address 2xx.x.x.50 to 54

Subnet Mask

Gateway 2xx.x.x.49

With this config I don't think it's possible to get away from natting on the internet router.

techdirusd491 Thu, 08/06/2009 - 20:28

I was curious if you have come up with a solution for this. I have a similar situation. My ISP is giving me an ethernet handoff from their PON (Passive Optical Network). They provide an ethernet connection and a public gateway IP address. I have a range of public IPs. I have a Cisco 2811 router and a PIX 515E. I have the 2811 running fine, can get on the Internet, etc. But I am getting lost on where to do the NAT and which port to move to our private IP scheme. I would rather NAT at the firewall rather than at the router. I would just like the router to route. What about not using the router and just hooking the outside port to the ISP connection?

I would love other thoughts on this.

Jon Marshall Fri, 08/07/2009 - 03:04


It depends on how much public address space you have. The ISP will route all traffic to that public address space to you. So you might be able to further subnet down the public address space and use part of it for the connection between your 2811 and the ISP and the rest on the firewall.

But obviously by further subnetting down the address space you lose some usable IP addresses.

In your case if you want to use the firewall and you have an ethernet handoff you could just connect the ethernet handoff directly into your firewall as you say.

Routers can be used to filter out some of the more obvious traffic before it gets to the firewall but a lot of the reason for using routers was because traditionally the connection provided by the ISP was not ethernet. Nowadays ethernet is becoming more common as a WAN/Internet handoff.
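The decision the thread converges on (NAT must live on whichever device holds a public address, and a block can only be carved up for the firewall if the ISP routes it to you rather than using it as the link subnet) as an added worked example in Python; this is not code from any of the posters, and the 203.0.113.0/24 addresses are a constructed stand-in for the 2xx.x.x block above.

```python
import ipaddress

# RFC 1918 space is not routed on the internet, which is why an ASA whose outside
# interface lives here cannot be the device that translates to public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in RFC 1918 space."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def nat_device(asa_outside):
    """Where the public NAT/PAT has to live: on the ASA only if its outside address
    is itself reachable from the internet, otherwise on the edge router."""
    return "router" if is_private(asa_outside) else "asa"


def can_carve(block, isp_gateway):
    """A block can only be subnetted for use behind the router if the ISP routes it
    to you, i.e. it is NOT the link subnet that also holds the ISP's gateway."""
    return ipaddress.ip_address(isp_gateway) not in ipaddress.ip_network(block)


def usable(net):
    """Host addresses left after network and broadcast are excluded."""
    return max(net.num_addresses - 2, 0)


def split_public_block(block, link_prefix=30):
    """Carve a /30 for the router<->firewall link off the front of a routed block and
    keep the rest for the ASA outside. Returns (link, remaining_subnets, usable_lost)."""
    block = ipaddress.ip_network(block)
    if link_prefix <= block.prefixlen:
        raise ValueError(f"{block} is too small to carve a /{link_prefix} out of")
    link = next(block.subnets(new_prefix=link_prefix))
    remaining = sorted(block.address_exclude(link))
    lost = usable(block) - usable(link) - sum(usable(n) for n in remaining)
    return link, remaining, lost


if __name__ == "__main__":
    # Constructed stand-in for the thread's 2xx.x.x.48/29 with the ISP gateway at .49.
    print(nat_device("192.168.1.2"))                     # router: ASA outside is private
    print(can_carve("203.0.113.48/29", "203.0.113.49"))  # False: gateway sits in the block
    print(split_public_block("203.0.113.32/28"))         # /30 link, two subnets left, 4 usable lost
```

With the /29 in the thread the gateway sits inside the block, so it is the link subnet and cannot be carved; only a separately routed block (Collin's case) lets the ASA take a public outside address.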


techdirusd491 Fri, 08/07/2009 - 08:18


Thank you for clarifying this for me. I thought this was the case, but I was not 100% sure. I am stuck in the old school serial days. We are moving from T1s to PON and I just don't have the WAN knowledge that I should.

Thanks again.

