I am trying to figure out the best place to use NAT in our network. We currently do NAT on the firewall, but I am considering putting it on the network edge in our new design. The main impetus to move it to the edge is ISP redundancy. We are not large enough to do BGP, but we do have multiple ISPs, each with its own public address space. We are not running any routing protocols, so from what I can tell, the firewall would have no idea how to choose which global address space to use for NATing. The counter argument is that the firewall is built more for NAT, as opposed to the border router. Any ideas on where to put NAT?
You can actually think of configuring this either way. Wherever you configure NAT (on the router or the firewall), you cannot automatically change traffic if one ISP goes down (multihoming). You need to actually define the NAT on the router/firewall for specific inside subnets to an IP address from one of the ISPs.
For example, you can NAT 10.10.10.0/24 to 188.8.131.52 and another VLAN on the inside, 10.20.20.0/24, to 184.108.40.206. If one ISP goes down, you need to manually change the NAT IP to make it work on the other one.
One positive of doing NAT on the router is that the packets keep their private IP until the router. In case you have an IPS in between, you can easily isolate attacks, since the source comes with the original IP. In case you NAT on the firewall, the IPS will see only the firewall PAT IP, and it is tough to identify hosts in this case. It all depends on where you have to do the NAT, and to me, I would do it either way, which gives me the same kind of result.
Hope this helps. All the best. Rate replies if found useful.
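The per-ISP address split the reply above describes, written out as an added Cisco IOS configuration example; this is not from the original thread and not a Cisco-published configuration. It goes one step beyond the reply's static assignment: instead of tying each inside subnet permanently to one ISP, the translation is selected by the interface the packet leaves on, so it follows whichever default route is active, and failover is driven by an IP SLA track. The interface names, the 192.0.2.0/29 and 198.51.100.0/29 ISP blocks (RFC 5737 documentation ranges), the next-hop addresses, the VLAN numbers and the inside subnets are all assumptions.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 documentation
! ranges; interface names, VLANs and next hops are assumptions.
!
! Inside LAN: both private subnets arrive with their original source IPs,
! so an IPS on this side of the router still sees individual hosts.
interface GigabitEthernet0/0.10
 description Inside VLAN 10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 description Inside VLAN 20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP-A (assumed block 192.0.2.0/29, next hop 192.0.2.1)
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP-B (assumed block 198.51.100.0/29, next hop 198.51.100.1)
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! Which inside hosts may be translated at all.
ip access-list standard INSIDE-NETS
 permit 10.10.10.0 0.0.0.255
 permit 10.20.20.0 0.0.0.255
!
! Choose the translation by egress interface: a packet routed out Gi0/1
! gets ISP-A's address, one routed out Gi0/2 gets ISP-B's address.
route-map NAT-ISP-A permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
!
route-map NAT-ISP-B permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP-B interface GigabitEthernet0/2 overload
!
! Probe ISP-A's next hop every 10 s. While it answers, the tracked default
! route via ISP-A is installed; when it fails, that route is withdrawn and
! the floating static (administrative distance 10) via ISP-B takes over.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Translations created before a failover stay bound to ISP-A's address and
! would leave via ISP-B with a source ISP-B does not own. Clear them on any
! track state change so sessions rebuild through the surviving ISP.
event manager applet CLEAR-NAT-ON-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Check the result with `show ip nat translations` (the outside address should be 192.0.2.2 while track 1 is up and 198.51.100.2 after it goes down) and `show track 1`. Two caveats worth knowing before arguing this with a security team: probing only the next hop detects a dead link or dead ISP router, not an upstream outage, so in practice the probe target is often a host further out with a static /32 route pinned through ISP-A so the probe cannot leak out via ISP-B; and because the router now holds the public-facing state, it needs the same management-plane hardening the firewall already gets. For the two-router HSRP/VRRP design in the follow-up post, each router carries only its own ISP's outside interface, route-map and `ip nat inside source` line from the above, and the HSRP/VRRP state decides which router, and therefore which address space, the inside traffic uses.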
Each ISP would have its own router, so the NAT for that ISP's address space would be configured correctly on its router. We would then set the routers up using VRRP or HSRP, so if it failed over, the second router would take over, and it would use the correct addresses. So to answer srue's question--it would be strictly for failover. We will be terminating VPNs on the firewall and may eventually terminate some, both site-to-site and remote access, on an internal ASA 55xx. However, I think we will be okay since the firewalls (NetScreen 208s) support NAT-T. I guess my main concerns were performance and security. I think performance shouldn't be too much of an issue, because the router will be faster than the firewalls--but trying to argue with our security team on NAT placement may be tougher. Thanks for your replies so far.