I would like to know what the best practice is when connecting an internal network to the internet. Internal users should be able to browse the internet, plus services such as SMTP, HTTPS, etc. that sit on the DMZ should be available to internet users. Here is what I have:
Host PCs->Access SW->Core SW->ASA5520->2821RTR-Internet
I've seen a somewhat complicated design in the past where NAT/PAT was done on both the internet edge router and the ASA behind it, so I have some doubts about reusing this design.
a) Should I perform translation on the ASA and the internet router, or can I simply terminate the internet connection on the edge router, use ACLs to filter the traffic, and then only perform translation on the ASA? Which is more secure, or which do you prefer, or is it a case where it all depends on other aspects of the network topology?
Any input is appreciated.
You will have to use the router to do the translations if the ASA is using a private address on its outside interface.
Private addresses are not routable on the internet, so it would not work to NAT on the ASA, as these addresses would never be reachable.
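To make the constraint in the answer concrete, here is an added configuration sketch (not from the poster or the answerer) of the two placements the question asks about: translation on the 2821 when the ASA's outside interface is private, versus translation on the ASA when its outside interface holds a public address. All addresses are assumed, taken from the RFC 5737 documentation ranges (203.0.113.0/24) and RFC 1918 space, and the ASA side assumes 8.3+ object NAT syntax. The DMZ host 10.10.10.25 and the interface and object names are likewise assumptions for illustration.

```cisco
!=== Design 1: ASA outside interface carries a PRIVATE address, so the ===
!=== edge router must translate (the case described in the answer).    ===
! --- 2821 edge router (IOS) ---
interface GigabitEthernet0/0
 description Internet uplink (203.0.113.0/30, assumed documentation prefix)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit link to ASA outside (private, assumed 10.0.0.0/30)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Outbound browsing: PAT every internal source onto the uplink address
ip access-list standard NAT-SOURCES
 permit 10.0.0.0 0.255.255.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
!
! Inbound service: expose only TCP/25 to the DMZ mail relay (10.10.10.25 assumed)
ip nat inside source static tcp 10.10.10.25 25 203.0.113.2 25 extendable
!
! Send the internal ranges back toward the ASA
ip route 10.0.0.0 255.0.0.0 10.0.0.2
!
! --- ASA 5520: no NAT rules at all; it only filters and inspects ---
! The router has already untranslated the inbound packet, so the outside
! ACL matches the DMZ host's real address.
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.25 eq smtp
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1

!=== Design 2: ASA outside interface carries a PUBLIC address; the router ===
!=== only routes and the ASA performs all translation.                   ===
! --- 2821 edge router: plain routing, no NAT ---
interface GigabitEthernet0/1
 description Link to ASA outside (203.0.113.8/29, assumed public)
 ip address 203.0.113.9 255.255.255.248
!
! --- ASA 5520 (8.3+ object NAT syntax) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9
!
! Outbound browsing: PAT the user LAN onto the ASA's own outside address
object network INSIDE-NET
 subnet 10.1.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound service: static port translation for the DMZ mail relay only
object network DMZ-SMTP
 host 10.10.10.25
 nat (dmz,outside) static 203.0.113.11 service tcp smtp smtp
!
! ASA 8.3+ ACLs reference the REAL (untranslated) address, not 203.0.113.11
access-list OUTSIDE-IN extended permit tcp any object DMZ-SMTP eq smtp
access-group OUTSIDE-IN in interface outside
```

In both designs the translation happens exactly once, and the ASA remains the stateful policy point; the router only needs NAT in Design 1 because the ASA's outside address is unroutable, which is the answer's argument. Two checks worth making on either layout: that only the intended DMZ ports are statically mapped (everything else stays behind PAT with no inbound mapping), and that the ASA access-list is written against real addresses, since on 8.3 and later a rule written against the mapped public address will silently never match.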