Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3813
Views
0
Helpful
5
Replies

Nat in router or firewall?

Go to solution
Mhon Baul
Level 1
Level 1

‎03-19-2010 04:54 AM - edited ‎03-11-2019 10:23 AM

hi,

  could anyone confirm if doing the NAT in the router is better that doing it in a firewall?because someone told me this is the best practice from cisco.

My topology below:

CoreSwitch==>edge switch-->ASA-->Boarder router

Note: i have server in dmz configured in ASA and accessible thru internet.

thanks.

reymon

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Mhon Baul

‎03-19-2010 03:32 PM

I guess it really depends on what you will be using the NAT for, as there is a number of application inspection that ASA is more superior of.

For example:

You are NATing your FTP server, and ASA is configured to inspect FTP traffic so it will dynamically open a pin hole for the FTP data connection.

If you perform the same on the router, first of all, for tighter security, you would need to create access-list, and then either CBAC or ZBFW to inspect the traffic. Router main functionality is performing routing, with the above example, you have just added security feature on the router which is not very efficient since you already have ASA firewall.

Hope that helps.

View solution in original post

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Mhon Baul

‎03-19-2010 03:38 PM

configuring policy nat, dynamic nat, nat exemption, outside nat, destination nat, static 1-1, policy static all of these can be easily done on the ASA.

I would say do the nat on the ASA and let the router do what is is betst to do which is routing.

-KS

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎03-19-2010 05:15 AM

Don't see the difference configuring it on router or ASA. Most people configured NAT on their ASA.

0 Helpful

Go to solution
Mhon Baul
Level 1
Level 1
In response to Jennifer Halim

‎03-19-2010 06:38 AM

Here is what they say:

Cisco Validated Design and best practices recommended dedicating only security features on the ASA. And they propose removing current NAT on the ASA and putting in on the router.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Mhon Baul

‎03-19-2010 03:32 PM

I guess it really depends on what you will be using the NAT for, as there is a number of application inspection that ASA is more superior of.

For example:

You are NATing your FTP server, and ASA is configured to inspect FTP traffic so it will dynamically open a pin hole for the FTP data connection.

If you perform the same on the router, first of all, for tighter security, you would need to create access-list, and then either CBAC or ZBFW to inspect the traffic. Router main functionality is performing routing, with the above example, you have just added security feature on the router which is not very efficient since you already have ASA firewall.

Hope that helps.

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Mhon Baul

‎03-19-2010 03:38 PM

configuring policy nat, dynamic nat, nat exemption, outside nat, destination nat, static 1-1, policy static all of these can be easily done on the ASA.

I would say do the nat on the ASA and let the router do what is is betst to do which is routing.

-KS

0 Helpful

Go to solution
Mhon Baul
Level 1
Level 1
In response to Kureli Sankar

‎03-20-2010 05:57 AM

I agree to both of you:) Thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card