New Member

NAT-ASA-ROUTER

Hi Experts,

It is a design query. I have a setup as described below:

Internet-->cisco1841router-->ASA-->LAN

I have two Internet connections (ISP-1 & ISP-2) connected to a Cisco 1841 router; this router is connected to a Cisco ASA firewall, and the firewall is connected to the LAN.

Which is the industry best practice for configuring NAT from a security perspective? Is it recommended to configure NAT on the Cisco router or on the ASA firewall in this regard?

Hope I described the requirement precisely. Looking forward to your valuable advice.

sairam

4 REPLIES

Re: NAT-ASA-ROUTER

If you have one static IP assigned to you from your ISP, in this case you have no option other than to do the NAT in the router.

However, you can do double NAT; I mean you do NATing in the ASA as well.

For example:

router -- 192.168.1.0--asa--10.1.1.0

You can NAT the 10.1.1.0 network and let the router see the traffic from the inside network as if it is coming from 192.168.1.0.

But this depends on your security policy and requirements.

Practically, if you do it in the router and you do filtering on the firewall, it will be secure enough.

Hope this helps.

New Member

Re: NAT-ASA-ROUTER

Hi,

I have 16 IP addresses provided by the ISP. I do not have a restriction on the ISP.

Then, as per your statement, if NAT is not going to add any additional security functionality to the setup, I will do NATing only in the router, and the ASA will be configured with "no nat-control".

Am I aligned? Thanks, and expecting your feedback.

sairam

New Member

Re: NAT-ASA-ROUTER

As of now my setup sounds like this:

Internet---Router----ASA----LAN

but I am planning to have two ISPs terminating on the Internet router.

Our ISPs do not route each other's subnets, so will publishing of a website on the ASA work if one ISP fails?

Can I get sample config help for the router to understand?

Re: NAT-ASA-ROUTER

Yes, this way is OK.

This way you will have two layers of security.

First is the router, where you will do the NATing,

and you can do general packet filtering in the router (optional).

In the ASA you have to do the second layer of security, which should involve packet filtering with ACLs, application inspection,

and advanced application and protocol inspection if required (optional), like TCP optimization, HTTP URL and header inspection, and so on.

Good luck.

Hope this helps
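
The design agreed in this thread (NAT only on the router, the ASA passing traffic untranslated with "no nat-control" and doing the filtering), as an added configuration sketch that is not part of the original posts. It covers a single ISP link only; the interface names, all addresses (documentation ranges, with a /28 standing in for the 16 ISP addresses), the web server 10.1.1.10 and the ACL name are assumptions, and the ASA syntax is for software releases that still have nat-control (before 8.3).

```cisco
! ---- Router (Cisco 1841, IOS): all NAT is done here ----
interface FastEthernet0/0
 description To ISP (constructed public /28)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 description To ASA outside (transit network)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Default route to the ISP, and a route to the LAN that sits behind the ASA
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
! Outbound: PAT the LAN behind the router's public interface address
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! Inbound: publish the web server on one of the public addresses
ip nat inside source static 10.1.1.10 203.0.113.5
!
! ---- ASA (pre-8.3): routes without translating, filters everything ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! No NAT rule is required for traffic to cross the firewall
no nat-control
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! The router has already translated 203.0.113.5 to 10.1.1.10, so the
! ASA ACL is written against the server's real (private) address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because translation happens upstream, ASA logs and ACL hits show the real 10.1.1.x addresses, which is worth knowing when correlating them with router NAT tables during an investigation.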
