<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: FTD NAT in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164569#M1074593</link>
    <description>&lt;P&gt;It all depends on the requirement. If you have a Public IP address (I would prefer to do that, rather than the interface).&lt;/P&gt;
&lt;P&gt;The only case where Interface is used is where you do not have more Public IP addresses or are getting a DHCP Public IP address from the provider.&lt;/P&gt;</description>
    <pubDate>Sat, 10 Oct 2020 13:25:11 GMT</pubDate>
    <dc:creator>balaji.bandi</dc:creator>
    <dc:date>2020-10-10T13:25:11Z</dc:date>
    <item>
      <title>FTD NAT</title>
      <link>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164560#M1074592</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Can anyone explain the pros and cons of configuring NAT on the interface or using a dedicated Public IP to NAT traffic to on an FTD or ASA etc.?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sat, 10 Oct 2020 12:42:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164560#M1074592</guid>
      <dc:creator>benolyndav</dc:creator>
      <dc:date>2020-10-10T12:42:56Z</dc:date>
    </item>
    <item>
      <title>Re: FTD NAT</title>
      <link>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164569#M1074593</link>
      <description>&lt;P&gt;It all depends on the requirement. If you have a Public IP address (I would prefer to do that, rather than the interface).&lt;/P&gt;
&lt;P&gt;The only case where Interface is used is where you do not have more Public IP addresses or are getting a DHCP Public IP address from the provider.&lt;/P&gt;</description>
      <pubDate>Sat, 10 Oct 2020 13:25:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164569#M1074593</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2020-10-10T13:25:11Z</dc:date>
    </item>
    <item>
      <title>Re: FTD NAT</title>
      <link>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164806#M1074607</link>
      <description>&lt;P&gt;If you don't have spare public IP addresses, the only option you would have is to PAT the traffic to the outside interface. However, if you have spare public IP addresses then a couple of things to keep in mind would be:&lt;/P&gt;&lt;P&gt;- Use a dedicated public IP for guest traffic. Guest traffic might pose security risks that would end up in blacklisting your public IP, so you don't want that to happen to the primary IP address assigned to the outside interface.&lt;/P&gt;&lt;P&gt;- Use a dedicated public IP for the applications that would be subject to some restrictions based on the source public IP. Although you can still PAT to the outside interface, I think it is best practice to dedicate one for those applications.&lt;/P&gt;&lt;P&gt;- Use a dedicated public IP for any service that you would expose externally; an example would be a web server in the DMZ.&lt;/P&gt;</description>
      <pubDate>Sun, 11 Oct 2020 18:19:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4164806#M1074607</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2020-10-11T18:19:58Z</dc:date>
    </item>
    <item>
      <title>Re: FTD NAT</title>
      <link>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4165019#M1074618</link>
      <description>&lt;P&gt;This all boils down to how many public IPs, if any, you have access to for internal use. It is always an advantage to have more public IPs as you can allocate a separate public IP to different services. However, as mentioned by Aref, if you do not have any spare public IPs or your budget doesn't allow for it, then you don't have any other choice than to use the interface IP. There is nothing wrong with doing this, but you will be limited in what ports you will be able to access your internal services on from the internet since you cannot have the same NATed port for two services. For example, if you have two separate web servers, you will not be able to access both servers using port TCP/80. You would need to access one on TCP/80 and another on TCP/8080 (for example.)&lt;/P&gt;</description>
      <pubDate>Mon, 12 Oct 2020 09:15:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-nat/m-p/4165019#M1074618</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2020-10-12T09:15:54Z</dc:date>
    </item>
  </channel>
</rss>

