I would like to know your thoughts on which device handles NAT better when used with an IPSec tunnel: a Cisco ASA 5550 (Premium VPN license) and Cisco 2821 router.
The idea is: we want to connect the two different datacenters and I was wondering if we can actually do one to one static NAT for the whole subnets used on both sides. That would be /16 subnet pool for which we will do the one to one NAT. I do have dynamic NAT in mind too (overload), but in that case, we will lose the actual IP to be seen of one side at the other side.
Re: NAT handling capacity of ASA5550 and 2821 router
With the router, for statics you have to specify each IP address. If you do it via a dynamic pool, then you can't initiate a connection from the other side until the local side initiates and allocates a NAT entry.
However, with an ASA, with a simple static statement you can tell the ASA to do one-to-one mapping for the whole subnet, and this will allow traffic to be initiated from both ends. Also, performance-wise, your ASA 5550 can handle a lot more VPN throughput than the 2821.
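As an added example (not part of the original replies), this is what the subnet-wide static mentioned in the answer above looks like on an ASA, in pre-8.3 syntax and in the 8.3+ object form. The interface names, object and ACL names, and the 10.1.0.0/16, 172.16.0.0/16 and 172.17.0.0/16 ranges are assumed placeholders.

```cisco
! Constructed addresses: real local subnet 10.1.0.0/16, mapped to 172.16.0.0/16.
! Interface names "inside" and "outside" are assumptions.

! ASA 8.2 and earlier:
!   static (real_if,mapped_if) mapped_net real_net netmask mask
! One statement covers the whole /16; the host part is preserved,
! so 10.1.5.9 is always seen as 172.16.5.9 and can be reached from either end.
static (inside,outside) 172.16.0.0 10.1.0.0 netmask 255.255.0.0

! ASA 8.3 and later: the same one-to-one mapping with network objects.
object network DC1-REAL
 subnet 10.1.0.0 255.255.0.0
object network DC1-MAPPED
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static DC1-REAL DC1-MAPPED

! The ASA translates before it selects traffic for the tunnel, so the
! crypto ACL matches the mapped range, not the real one.
! 172.17.0.0/16 is the assumed mapped range of the remote datacenter.
access-list DC-VPN extended permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
```

`show xlate` on the ASA lists the resulting translation, which is a quick way to confirm the mapping before testing traffic across the tunnel.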