I am currently looking at implementing NAT on a device for my clients, but do not know where the best place to implement NAT is. Currently they have a LAN with a firewall connecting to a router. What are the advantages and disadvantages of implementing NAT on the firewall or NAT on the router? Could anyone advise?
LAN ----> Firewall -----> Router ----> Internet ---->
My first thought would be about memory and CPU?
It really depends on the amount of traffic you are translating and what kind of devices you have.
You can have a really powerful firewall doing all the job for you while you have a 2500 as a router doing basic routing,
or you can have a powerful router doing NAT, and basic firewall hardware.
From a Cisco book: "Theoretically, there is no limit on the number of mappings that the NAT table can hold. Practically, memory and CPU or the boundaries of the available addresses or ports place a limit on the number of entries. Each NAT mapping uses approximately 160 bytes of memory"
Thank you for your quick response. I'm using a high-end firewall with 1G of RAM and a 3.0 GHz CPU. And I am using a 2821XM for my router. There is neither a performance issue on my firewall nor router since there are not many users on my network, less than 200 if I am correct. The external connection is an E1 leased line. Are there any other considerations?
Not an expert on this subject, just adding my 2 cents.
I'd look at both devices and check which of them has more free resources at the moment.
What else are you doing? VPN? What kind of routing protocol are you using? BGP? This could make things worse for the firewall or router.
So, try show process cpu and show memory and check which is more loaded.
Hope this helps a bit,
I'd appreciate it if you consider rating these posts.
Thanks for the advice. At the moment, the firewall only performs a job as a firewall and the router performs only static routing function.
Then you can have NATing at the router or at the firewall... but if you enable NATing on the firewall then you need to configure bridging for the router... which requires some more configuration... so I think your router is also good, so you can configure NATing on the router...
Hope this helps
Rate this post if it helps
Based off of the info provided, the best place to implement NAT is on the firewall. Bridge the router if you can and do all your NATs at the firewall.
Yes it is... but as you said you have to bridge the router... and it's true, as the firewall is a special security device, so it's better to implement NAT there...