Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Nat or Router vs ASA


What would be the best place to nat  in a network.

Router or ASA?

Router would be terminating the ISP connection and then ASA in place.

As ASA doesn't have the option of PBR.Is it would be better to have it on Router.

On the other hand Wanted to run IPSEC on ASA,but how would remote users or Remote peer see this if it is sitting behind a natted router?

Is it to be done based out of deliverable or is there any thumb rule to this.

Curious to know if router can be used instead of ASA for Nat?

What are pros and cons using this?




Re: Nat or Router vs ASA

Hi Sushil,

You can use either the ASA or router for NAT.

I prefer doing NAT on the ASA.

Normally, you decide to do NAT on the device that has the public IP assigned.

If in this case, the router is having the public IP, I say NAT on the router.

The IPsec VPN clients still can connect to the ASA if you create a STATIC NAT translation to redirect VPN traffic to the ASA.

So, the VPN clients will actually connect to the public IP of the router, which will redirect the connection to the ASA.

If on the other hand, the ASA also has a public IP, so NAT on the ASA and terminate the VPNs on that IP.

Either way, you can't go wrong, as long as the equipment that you have support the amount of traffic and connections.


Cisco Employee

Re: Nat or Router vs ASA

I would prefer to use an ASA for the translations as they are designed and more efficient for it.

Routers can still do it as already suggested.


CreatePlease to create content