We are planning on revamping our internet connection to a DS3. This will require an upgrade in our internet facing router (currently 3662). We have purchased a 3845 ISR with NM-T3/E3. Currently our NATing is done on the internet facing router before the ASA, with no NATing done on the ASA. I am not comfortable with this configuration, but since we're planning on upgrading soon, I have not changed anything. A consultant was hired to do the internet router and ASA setup before I was with the company to do the work, and he stated that "the NATing should be done on the Internet Router rather than the ASA. This eliminates issues when dealing with Firewall problems and NATing issues." I do not totally agree, but I am open to suggestions.
My question is: what is best practice for NATing? Should it be done outside the firewall on the internet facing router or on the ASA? I like the fact of a single point of management like the ASA for access and NATing and such. A little information on what is best practice or most practical would be great. Thanks.
I'm not sure that there are any best practices for this; however, every single company I've worked for has done their NATing on the firewall.
Technically there isn't much to choose between the two options. However, as you've stated, it's preferable from a management perspective to create all of your rules in one place.
With regard to his statement about firewall problems with NAT: I have observed some strange issues on firewalls with NAT, however this is rare and in very complex environments. Usually in such environments you re-design to layer your firewalls so each firewall is only doing one job, therefore eliminating these sorts of issues.
I agree with James, in all the environments I have worked in we have done the NATing on the firewall. The only time I have seen NATing on the router is when the link between the router and firewall is using a private IP range and only the external interface of the router has a public IP.
One further point. Rather than introduce problems, NATing on the firewall actually helps with certain things such as VPNs if you are terminating these on your ASA device.
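To illustrate the VPN point above, here is an added configuration sketch (not from any poster in this thread) showing how an ASA that both terminates a site-to-site VPN and performs NAT keeps the two from interfering: an identity NAT rule in the Twice NAT section is matched before the dynamic PAT in the object NAT section, so VPN traffic reaches the tunnel untranslated. It assumes ASA 8.3+ NAT syntax and uses constructed RFC 1918 addresses and object names.

```text
! Constructed example: inside network and the remote site behind the VPN peer
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_VPN_NET
 subnet 10.2.0.0 255.255.0.0

! Section 1 (Twice NAT / Manual NAT): identity NAT for traffic bound for the
! remote VPN site, so the ASA does not translate it before encryption.
! Twice NAT rules are evaluated before object NAT, so this wins for VPN flows.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_VPN_NET REMOTE_VPN_NET

! Section 2 (Network Object NAT): everything else from the inside network is
! PATed to the outside interface address on its way to the internet.
object network INSIDE_NET
 nat (inside,outside) dynamic interface
```

If NAT were instead performed on the router in front of the ASA, the ASA's crypto map would still see untranslated inside addresses for VPN flows, but you would then maintain the exemption logic on a second device rather than in the single rule set on the firewall.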
A- I would perform NAT'ing on the router rather than the ASA because NAT'ing on the router is so much easier without the risk of causing an outage on your network. This is especially true if you have really complex NAT. You really do not want to take any chances on the ASA. If anyone disagrees with this, I can give you a few examples on this:
The big difference between router and ASA is that the router has no concept of security level and the ASA does. This makes NAT'ing much easier on IOS than on ASA.
I almost got the config to work on the ASA but the customer was not very happy about it, so I moved the NAT'ing over to the router. On the router, the config took me a couple of hours to get it to work, and it was much easier than on the ASA.