07-31-2009 09:58 PM - edited 03-04-2019 05:37 AM
Hi Experts,
It is a design query. I have a setup like the one described below:
Internet-->cisco1841router-->ASA-->LAN
I have two Internet connections (ISP-1 & ISP-2) connected to a Cisco 1841 Router; this router is connected to a Cisco ASA Firewall, and the firewall is connected to the LAN.
Which is the industry best practice for configuring NAT from a security perspective? Is it recommended to configure NAT on the Cisco router or on the ASA firewall in this regard?
Hope I described the requirement precisely. Looking for your valuable advice.
sairam
08-01-2009 04:30 AM
If you have one static IP assigned to you by your ISP, in that case you have no option other than doing the NAT in the router.
However, you can do double NAT, I mean you do NATing in the ASA as well.
For example:
router -- 192.168.1.0 -- ASA -- 10.1.1.0
You can NAT the 10.1.1.0 network and let the router see the traffic from the inside network as if it is coming from 192.168.1.0.
But this depends on your security policy and requirements.
Practically, if you do it in the router and you do filtering on the firewall, it will be secure enough.
Hope this helps.
08-01-2009 09:50 PM
Hi,
I have 16 IP addresses provided by the ISP. I do not have any restriction from the ISP.
Then as per your statement, if NAT is not going to add any additional security functionality to the setup, I will do NATing only in the router and the ASA will be configured with "no nat-control".
Am I aligned with this? Thanks, and expecting your feedback.
sairam
08-01-2009 10:21 PM
As of now my setup looks like this:
Internet---Router----ASA----LAN
but I am planning to have two ISPs terminating on the Internet router.
Our ISPs do not route each other's subnets, so will publishing a website on the ASA work if one ISP fails?
Can I get sample config help for the router to understand?
08-01-2009 10:22 PM
Yes, this way is OK.
This way you will have two layers of security:
first is the router, where you will do the NATing,
and you can do general packet filtering in the router (optional);
in the ASA you have to do the second layer of security, which should involve packet filtering with ACLs, application inspection,
and advanced application and protocol inspection if required (optional), like TCP optimization, HTTP URL and header inspection, and so on.
Good luck.
Hope this helps.
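A sample configuration for the design the thread settles on: NAT and the two ISP uplinks on the 1841, and "no nat-control" plus ACLs and inspection on the ASA. This is an added example, not a config posted by anyone in the thread. Everything concrete in it is assumed: the interface names, the 10.1.1.0/24 LAN, the 192.168.1.0/24 router-to-ASA link, the 203.0.113.0/28 and 198.51.100.0/28 public blocks (documentation ranges standing in for the ISP-1 and ISP-2 /28s), the web server at 10.1.1.10, IOS 12.4T-style "ip sla" syntax, and ASA 8.x pre-8.3 NAT/ACL syntax.

```cisco
! ===== Cisco 1841 (IOS): NAT for the LAN, two ISP default routes, route to the ASA's LAN =====
! Interface names are assumed (on-board Fa0/0 and Fa0/1, plus an HWIC switch port for the inside).
interface FastEthernet0/0
 description ISP-1 (assumed)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 description ISP-2 (assumed)
 ip address 198.51.100.2 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1/0
 description Inside, towards ASA outside (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Probe ISP-1's gateway; when it stops answering, the floating static route to ISP-2 takes over.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
! The ASA does no NAT, so the router must know the real LAN subnet behind it.
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
!
! One route-map per uplink so the translation uses the address of whichever interface the packet leaves by.
route-map NAT-ISP1 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
!
! Published web server: one address from each ISP block maps to the same inside host (hence "extendable").
! Neither ISP routes the other's block, so while ISP-1 is down only the 198.51.100.5 mapping is reachable.
ip nat inside source static tcp 10.1.1.10 80 203.0.113.5 80 extendable
ip nat inside source static tcp 10.1.1.10 80 198.51.100.5 80 extendable

! ===== ASA (pre-8.3 syntax): no NAT, ACL on the outside, protocol inspection =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
no nat-control
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! With no NAT on the ASA the ACL names the real server address. Only tcp/80 to the
! published host is allowed in; anything else the router forwards is dropped here.
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq www
access-group OUTSIDE-IN in interface outside
!
! Second layer: stateful application inspection on top of the ACL.
policy-map type inspect http HTTP-CHECKS
 parameters
  protocol-violation action drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http HTTP-CHECKS
service-policy global_policy global
```

Two caveats a practitioner would want before relying on this. Inbound publishing does not fail over by itself: as the question notes, each ISP routes only its own block, so clients must be pointed at the 198.51.100.5 address (typically via DNS) while ISP-1 is down. Outbound failover does work, but NAT entries built while ISP-1 was up keep their old mapped address until they age out; clearing the translation table on failover ("clear ip nat translation *") is the usual workaround.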