configuring router and firewall for Internet access

saidfrh
Level 1

Hi,

I am configuring a 1721 router for Internet access for a branch office with 30 employees. There will be an ASA5505 firewall behind the 1721. The ISP has provided 14 public Ethernet IP addresses. Is it more efficient to perform PAT or NAT? Is it more efficient to perform PAT or NAT on the 1721 router or ASA5505 firewall?

We also have an MPLS network connected to the LAN switch on the above network.


Collin Clark
VIP Alumni

I don't think there is that much of a difference between NAT/PAT concerning resource consumption. I would start with PAT and keep those addresses in case you ever need to use them for hosting services (like email/www/etc). I prefer to NAT at the firewall and I would think the ASA would handle that better than the 1710.

HTH

Jon Marshall
Hall of Fame

Use PAT for outbound traffic, i.e. your users accessing the Internet.

As Collin says, use static NAT to host services that you want people to be able to access from the Internet, e.g. mail/http.

Use the ASA.

Jon

We have been provided a public LAN/Ethernet/Gateway IP address by the ISP. Which physical interface is the above assigned to, the Ethernet int on the 1721 perimeter router, or the E0 interface of the ASA5505 firewall?

Thanks.

Hi

This should be assigned to the inside interface of your 1721. It should be out of the same subnet as the 14 addresses provided to you by your ISP. The ASA then has a default route pointing to this IP address.

Jon

If the ISP is handing off Ethernet, I see no need for the 1721 router (assuming it is not terminating any other connections like MPLS). I would plug it directly into the ASA.

Hi

That's a very good point Collin. I was assuming that the 1721 was provided by the ISP.

If it isn't, not only is there no need for the 1721, it will actually make it impossible to use the public addressing between the 1721 and the ASA.

As Collin says, if the 1721 is not ISP supplied and they are presenting Ethernet, just use the ASA.

Jon

The ISP have assigned us a serial IP address to connect to their router using PPP encapsulation. We supply the perimeter router.

Right, so they are not handing off Ethernet?

If they are not presenting Ethernet and you have a serial connection to the ISP, go back to what I said in my previous post.

Jon
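
The layout the thread converges on, as an added configuration sketch that was not posted by any participant: the 1721 terminates the PPP serial link and carries the public gateway address on its Ethernet side without doing NAT, while the ASA does PAT for users and static NAT for one hosted service. All addresses, object names and the mail server are constructed placeholders (203.0.113.0/28 stands in for the 14-address public block), the interface names are assumed, and the ASA syntax assumes software 8.3 or later, which the thread does not state.

```cisco
! ---- 1721 perimeter router (no NAT here) ----
interface Serial0
 ! placeholder for the ISP-assigned serial address
 ip address 198.51.100.2 255.255.255.252
 encapsulation ppp
!
interface FastEthernet0
 ! public gateway address, first host of the constructed /28
 ip address 203.0.113.1 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 Serial0

! ---- ASA 5505 (all translation happens here) ----
interface Vlan2
 nameif outside
 security-level 0
 ! second address from the same public /28
 ip address 203.0.113.2 255.255.255.240
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! default route points at the 1721's Ethernet address
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT: all 30 users share the ASA outside interface address
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! static NAT: one spare public address mapped to a hosted server
object network MAIL-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.5
!
! permit only the published service inbound; everything else
! from outside stays blocked by the implicit deny
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
```

Keeping every translation on the ASA leaves a single place to audit what is reachable from the Internet, and the remaining public addresses stay free for future static mappings.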
