NAT Placement

absmith9195 · ‎12-21-2006

I am trying to figure out the best place to use NAT in our network. We currently do NAT on the firewall, but I am considering putting it on the network edge in our new design. The main impetus to move it to the edge is ISP redundancy. We are not large enough to do bgp, but we do have multiple ISPs, each with its own public address space. We are not running any routing protocols, so from what I can tell, the firewall would have no idea how to chose which global address space to use for nat'ing. The counter argument is that the firewall is built more for NAT, as opposed to the border router. Any ideas on where to put NAT?

sachinraja · ‎12-21-2006

You can actually think of configuring this either way... Where ever you configure NAT (on router or firewall), you cannot automatically change traffic if one ISP goes down (Multihoming).. You need to actually define the NAT on the router/fw, for specific inside subnets to an IP address from one of the ISP..

for eg, u can NAT, 10.10.10.0/24 to 111.111.111.1 and another VLAN on inside 10.20.20.0/24 to 155.55.55.55 ... If one ISP goes down, u need to manually change the NAT IP to make it work on the other one..

one positive of doing a NAT on the router is that the packets come on their private IP till the router.. Incase you have an IPS in between, u can easily isolate attacks, since the source comes with original IP.. Incase you NAT on the firewall, the IPS will see only the firewall PAT IP, and its tough to identify hosts in this case... it all depends on where u gotto do the NAT, and to me, I would do it either way, which does give me same kinda result..

Hope this helps.. all the best.. rate replies if found useful.

Raj

srue · ‎12-21-2006

Other things to consider might be vpn termination points - do you terminate any vpns on the firewall or routers? if so, how will the choice of NAT implementation affect this.

Do you have any inbound static nat entries that need accounted for? eg smtp,www, or other publicly exposed servers? is any type of load balancing done for these multiple ISPs?

any diagrams to share?

absmith9195 · ‎12-22-2006

Each ISP would have its own router, so the NAT for that ISP's address space would be configured correctly on its router. We would then set the routers up using VRRP or HSRP, so if it failed over, the second router would take over, and it would use the correct addresses. So to answer srue's question--it would be strictly for failover. We will be terminating VPNs on the firewall and may eventually terminate some, both site-to-site and remote access on an internal ASA 55xx. However, I think we will be okay since the firewalls (NetScreen 208s) support NAT-T. I guess my main concerns were performance and security. I think performance shouldn't be too much of an issue, because the router will be faster than the firewalls--but trying to argue with our security team on NAT placement may be tougher. Thanks for your replies so far.