NAT-ASA-ROUTER

snarayanaraju
Level 4

Hi Experts,

It is design query. I have a setup like described below:

Internet-->cisco1841router-->ASA-->LAN

I have two Internet connections (ISP-1 & ISP-2) connected to a Cisco 1841 Router; this Router is connected to a Cisco ASA Firewall, and the Firewall is connected to the LAN.

Which is the industry best practice for configuring NAT from a security perspective? Is it recommended to configure NAT on the Cisco router or on the ASA firewall in this regard?

Hope I described the requirement precisely. Looking forward to your valuable advice.

sairam

4 Replies

Marwan ALshawi
VIP Alumni

If you have one static IP assigned from your ISP, in this case you have no option other than to do the NAT in the router.

However, you can do double NAT, I mean you do NATing in the ASA as well.

For example:

router -- 192.168.1.0 -- asa -- 10.1.1.0

You can NAT the 10.1.1.0 network and let the router see the traffic from the inside network as if it is coming from 192.168.1.0.

But this depends on your security policy and requirements.

Practically, if you do it in the router and you do filtering on the firewall, it will be secure enough.

Hope this helps

Hi,

I have 16 IP addresses provided by the ISP. I do not have any restriction from the ISP.

Then, as per your statement, if NAT is not going to add any additional security functionality to the setup, I will do NATing only in the router and the ASA will be configured with "no nat-control".

Am I aligned with this? Thanks, and expecting your feedback.

sairam

As of now my setup looks like this:

Internet---Router----ASA----LAN

but I am planning to have two ISPs terminating on the Internet Router.

Our ISPs do not route each other's subnets, so will publishing a website on the ASA work if one ISP fails?

Can I get sample config help for the Router to understand?

Yes, this way is OK.

This way you will have two layers of security.

The first is the router, where you will do the NATing,

and you can do general packet filtering in the router (optional).

In the ASA you have to do the second layer of security, which should involve packet filtering with ACLs and application inspection,

and advanced application and protocol inspection if required (optional), like TCP optimization, HTTP URL and header inspection, and so on.

Good luck

Hope this helps
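The design agreed in the thread (NAT only on the 1841, the ASA doing no NAT and acting as the filtering and inspection layer), written out as an added example. This is not configuration from the thread or from Cisco; all interface names and addresses are assumed (203.0.113.0/28 stands in for the 16 public addresses, 192.168.1.0/24 is the router-to-ASA link, 10.1.1.0/24 is the LAN, 10.1.1.10 a published web server), the ASA syntax is the pre-8.3 form that matches the "no nat-control" mentioned above, and the second ISP is not covered.

```cisco
! ===== Cisco 1841 (hypothetical names and addresses) =====
! Outside interface toward ISP-1; the router owns the public block.
interface FastEthernet0/0
 description ISP-1
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
! Inside interface toward the ASA outside interface.
interface FastEthernet0/1
 description to-ASA-outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! The LAN sits behind the ASA, so the router must route to it via the ASA.
ip route 10.1.1.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Only the LAN and the transit link are translated; everything else is dropped.
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
! Dynamic PAT for outbound users behind the single outside address.
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
! One-to-one static NAT for the published web server (one of the 16 addresses).
ip nat inside source static 10.1.1.10 203.0.113.10

! ===== Cisco ASA, pre-8.3 syntax (hypothetical names and addresses) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
! NAT is done on the router, so the ASA must not require translation rules.
no nat-control
route outside 0.0.0.0 0.0.0.0 192.168.1.1
! Second layer: only HTTP to the published server is allowed in from the
! router; the router has already translated 203.0.113.10 to 10.1.1.10.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Application inspection for the published protocol, in the default policy.
policy-map global_policy
 class inspection_default
  inspect http
```

Because the ASA sees the real 10.1.1.10 address, its ACL and logs refer to LAN addresses while the router's `show ip nat translations` shows the public side of the same flows.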
