Unanswered Question
Jul 31st, 2009

Hi Experts,

It is a design query. I have a setup like the one described below:


I have two Internet connections (ISP-1 & ISP-2) connected to a Cisco 1841 Router, this Router is connected to a Cisco ASA Firewall, and the Firewall is connected to the LAN.

What is the industry best practice for configuring NAT from a security perspective? Is it recommended to configure NAT on the Cisco router or on the ASA firewall in this regard?

Hope I described the requirement precisely. Looking for your valuable advice.


Marwan ALshawi Sat, 08/01/2009 - 04:30

If you have one static IP assigned from your ISP, in this case you have no option other than doing the NAT in the router.

However, you can do double NAT; I mean you can do NATing in the ASA as well.

For example:

router --

You can NAT the network and let the router see the traffic from the inside network as if it is coming from

But this depends on your security policy and requirements.

Practically, if you do it in the router and you do filtering on the firewall, it will be secure enough.

Hope this helps.

snarayanaraju Sat, 08/01/2009 - 21:50


I have 16 IP addresses provided by the ISP. I do not have a restriction on the ISP.

Then, as per your statement, if NAT is not going to add any additional security functionality to the setup, I will do NATing only in the router, and the ASA will be configured with "no nat-control".

Am I aligned with this? Thanks, and expecting your feedback.


saquib.nawazz Sat, 08/01/2009 - 22:21

As of now my setup sounds like this


but I am planning to have two ISPs terminating on the Internet router.

Our ISPs do not route each other's subnets, so will publishing the website on the ASA work if one ISP fails?

Can I get sample config help for the router to understand this?

Marwan ALshawi Sat, 08/01/2009 - 22:22

Yes, this way is OK.

This way you will have two layers of security.

First is the router, where you will do the NATing,

and you can do general packet filtering in the router (optional).

In the ASA you have to do the second layer of security, which should involve packet filtering with ACLs and application inspection,

and advanced application and protocol inspection if required (optional), like TCP optimization, HTTP URL and header inspection, and so on.

Good luck.

Hope this helps.

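A worked configuration for the split the thread settles on, NAT on the 1841 and "no nat-control" plus stateful filtering and inspection on the ASA, added here as an example; it is not from any post in the thread. All addresses, the third router port (FastEthernet0/1/0, an assumed HWIC port), the LAN 10.1.0.0/16 behind the ASA, the transit net 192.0.2.0/24, the ISP-1 /28 (the 16 addresses mentioned above) and the web server 10.1.1.10 are assumed values, and the ASA interfaces are assumed to already be named outside and inside.

```cisco
! ---- Cisco 1841 (IOS), NAT layer: addresses and interface names are assumed ----
interface FastEthernet0/0
 description ISP-1, public /28 (the 16 addresses from the thread)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
 ip access-group EDGE-IN in
interface FastEthernet0/1
 description ISP-2
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group EDGE-IN in
interface FastEthernet0/1/0
 description transit to ASA outside
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
ip route 10.1.0.0 255.255.0.0 192.0.2.2
! coarse anti-spoofing only; stateful filtering is the ASA's job
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
! translate the LAN behind the ASA out of whichever ISP link the packet leaves
ip access-list extended NAT-INSIDE
 permit ip 10.1.0.0 0.0.255.255 any
route-map ISP1-NAT permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/0
route-map ISP2-NAT permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
ip nat inside source route-map ISP1-NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2-NAT interface FastEthernet0/1 overload
! published web server: one public address from the ISP-1 /28 maps to the internal host
ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80 extendable
!
! ---- Cisco ASA (pre-8.3 syntax), filtering layer: no translation here ----
route outside 0.0.0.0 0.0.0.0 192.0.2.1
no nat-control
! the router has already un-translated inbound traffic, so the ACL names the private address
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq www
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
```

Because the static mapping for the web server is tied to an ISP-1 address, this on its own does not keep the published site reachable if ISP-1 fails; the thread leaves that question open.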
