Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

configuring router and firewall for Internet access

Hi,

I am configuring a 1721 router for Internet access for a branch office with 30 employees. There will be a ASA5505 firewall behind the 1721. The ISP has provided 14 public Ethernet IP addresses. Is it more efficient to perform PAT or NAT? Is it more efficient to perform PAT or NAT on the 1721 router or ASA5505 firewall?

We also have a MPLS network connected to the LAN switch on the above network.

8 REPLIES

Re: configuring router and firewall for Internet access

I don't think there is that much of a difference between NAT/PAT concerning resource consumption. I would start with PAT and keep those addresses in case you ever need to use them for hosting services (like email/www/etc). I prefer to NAT at the firewall and I would think the ASA would handle that better than the 1710.

HTH

Hall of Fame Super Blue

Re: configuring router and firewall for Internet access

Use PAT for outbound traffic ie. your users accessing the Internet.

As Collin says, use static NAT to host services that you want people to be able to access from the Internet eg. mail/http.

Use the ASA.

Jon

New Member

Re: configuring router and firewall for Internet access

We have been provided a public LAN/Ethernet/Gateway IP address by the ISP. Which physical interface is the above assigned to, the Ethernet int on the 1721 perimiter router, or the E0 interface of the ASA5505 firewall?

Thanks.

Hall of Fame Super Blue

Re: configuring router and firewall for Internet access

Hi

This should be assigned to the inside interface of your 1721. It should be out of the same subnet as 14 addresses provided to you by your ISP. The ASA then has a default route pointing to this IP address.

Jon

Re: configuring router and firewall for Internet access

If the ISP is handing off ethernet, I see no need for the 1721 router (assuming it is not terminating any other connections like MPLS). I would plug it directly into the ASA.

Hall of Fame Super Blue

Re: configuring router and firewall for Internet access

Hi

That's a very good point Collin. I was assuming that the 1721 was provided by the ISP.

If it isn't not only is there no need for the 1721 it will actually make it impossible to use the public addressing between the 1721 and the ASA.

As Collin says, if the 1721 is not ISP supplied and they are presenting ethernet just use the ASA.

Jon

New Member

Re: configuring router and firewall for Internet access

The ISP have assigned us a serial IP address to connect to their router using PPP encapsulation. We supply the perimeter router.

Hall of Fame Super Blue

Re: configuring router and firewall for Internet access

Right, so they are not handing off ethernet ?.

If they are not presenting ethernet and you have a serial connection to the ISP go back to what i said in previous post.

Jon

139
Views
0
Helpful
8
Replies
CreatePlease to create content