07-30-2009 12:47 PM - edited 03-06-2019 07:01 AM
Hi All,
I would like to know what is the best practice when connecting an internal network to the internet. Internal users should be able to browse the internet, plus services such as SMTP, HTTPS etc. that sit on the DMZ should be available to internet users. Here is what I have:
DMZ
|
Host PCs->Access SW->Core SW->ASA5520->2821RTR-Internet
I've seen a somewhat complicated design in the past where NAT/PAT was done on both the internet edge router and the ASA behind it, so I have some doubts about reusing this design.
a) Should I perform translation on the ASA and internet router, or can I simply terminate the internet connection on the edge router and use ACLs to filter the traffic, then only perform translation on the ASA? Which is more secure, or which do you prefer, or is it a case where it all depends on other aspects of the network topology?
Any input is appreciated.
Donavan
07-30-2009 01:06 PM
I would do it on the ASA. It's purpose-built to do just that. I would create the rule set there as well. You can filter all the basic junk out on the router (ICMP, RFC 1918, broadcast, etc.) to save resources on your ASA. I would hang the DMZ off the ASA as well to provide it security.
07-30-2009 01:16 PM
Donavan
As long as the ASA has a public IP address on the outside interface I agree with Collin: do the NAT on the ASA and control access via the ASA as well.
Jon
07-30-2009 01:57 PM
Thanks for your input Jon and Collin. The ASA doesn't have a public IP, as the ONLY public IP sits on the outside interface of the internet router (the outside interface of the internet router is connected to a switch/CPE device provided by the ISP; this device acts as the default gateway for the internet router).
I'm thinking that this shouldn't be a problem once incoming internet traffic is routed from the internet router to the ASA's outside interface; from there translation can begin. Let me know if I'm correct.
Tks,
Donavan
07-30-2009 02:05 PM
Donavan
You will have to use the router to do the translations if the ASA is using a private address on its outside interface.
Private addresses are not routable on the internet, so it would not work NATting on the ASA as these addresses would never be reachable.
Jon
07-30-2009 03:22 PM
Thank you Jon. In my haste to get away from performing translation on the edge router I totally forgot about RFC 1918 :)
Donavan
07-31-2009 05:33 AM
If your routable address space is different than the IP subnet on your serial line, you can pass it to the ASA and it can have a public address on the outside.
07-31-2009 08:44 AM
Basically the internet connection is a fiber link terminating on a switch provided by the ISP. Port fa0/0 from my edge router (2821) connects to an ethernet port on my ISP's switch. The following IP block is what belongs to me:
IP address 2xx.x.x.50 to 54
Subnet Mask 255.255.255.248
Gateway 2xx.x.x.49
With this config I don't think it's possible to get away from NATting on the internet router.
08-06-2009 08:28 PM
I was curious if you have come up with a solution for this. I have a similar situation. My ISP is giving me an ethernet handoff from their PON (Passive Optical Network). They provide an ethernet connection and a public gateway IP address. I have a range of public IPs. I have a Cisco 2811 router and a PIX 515E. I have the 2811 running fine, can get on the Internet, etc. But I am getting lost on where to do the NAT and which port to move to our private IP scheme. I would rather NAT at the firewall rather than at the router. I would just like the router to route. What about not using the router and just hooking the outside port to the ISP connection?
I would love other thoughts on this.
08-07-2009 03:04 AM
Ron
It depends on how much public address space you have. The ISP will route all traffic to that public address space to you. So you might be able to further subnet down the public address space and use part of it for the connection between your 2811 and the ISP and the rest to use on the firewall.
But obviously by further subnetting down the address space you lose some usable IP addresses.
In your case if you want to use the firewall and you have an ethernet handoff you could just connect the ethernet handoff directly into your firewall as you say.
Routers can be used to filter out some of the more obvious traffic before it gets to the firewall but a lot of the reason for using routers was because traditionally the connection provided by the ISP was not ethernet. Nowadays ethernet is becoming more common as a WAN/Internet handoff.
Jon
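As an added illustration of Jon's point about subnetting the public block (this is not code from the thread), the Python helper below carves a /30 for the router-to-ISP link out of a public block and counts how many customer-usable addresses the split costs; the 203.0.113.48/29 block and .49 gateway are constructed stand-ins for the poster's 2xx.x.x.48/29 block and .49 gateway, and the helper assumes the ISP will route the remaining segment toward the router rather than treating it as on-link.

```python
import ipaddress

# Constructed stand-in for the poster's "2xx.x.x.50 to 54 / 255.255.255.248"
# block: a /29 whose first host (.49) is the ISP's gateway.
ISP_BLOCK = ipaddress.ip_network("203.0.113.48/29")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.49")


def customer_usable(block, gateway):
    """Host addresses the customer can assign: all hosts minus the ISP gateway."""
    return [h for h in block.hosts() if h != gateway]


def plan_split(block, gateway):
    """Split a public block into a /30 holding the ISP gateway (router link)
    and the remainder for the router-to-firewall segment, Jon's suggestion.

    Returns the link subnet, the firewall-side subnets, how many addresses
    remain for the firewall (its outside interface plus any static NAT
    addresses) and how many usable addresses the split costs overall.
    Assumption: the ISP routes the remainder toward the router's link address.
    """
    if block.prefixlen > 29:
        raise ValueError("block too small to carve a /30 link and keep a remainder")
    if gateway not in block:
        raise ValueError("gateway is not inside the block")
    link = next(s for s in block.subnets(new_prefix=30) if gateway in s)
    remainder = sorted(block.address_exclude(link))
    before = len(customer_usable(block, gateway))
    # Router takes one address on the link and one on the firewall segment.
    router_outside = next(h for h in link.hosts() if h != gateway)
    fw_side_hosts = sum(len(list(s.hosts())) for s in remainder)
    firewall_usable = fw_side_hosts - 1   # minus the router's inner interface
    after = 1 + fw_side_hosts             # router link address + firewall segment hosts
    return {
        "link": link,
        "router_outside": router_outside,
        "firewall_segments": remainder,
        "customer_before": before,
        "firewall_usable": firewall_usable,
        "lost": before - after,
    }


if __name__ == "__main__":
    plan = plan_split(ISP_BLOCK, ISP_GATEWAY)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

For the poster's /29 the split leaves a single public address for the firewall's outside interface and costs two usable addresses, which is the trade-off Jon describes.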
08-07-2009 08:18 AM
Jon,
Thank you for clarifying this for me. I thought this was the case, but I was not 100% sure. I am stuck in the old school serial days. We are moving from T-1s to PON and I just don't have the WAN knowledge that I should.
Thanks again.