https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356077#M728249 <HTML><HEAD></HEAD><BODY><P>Here is what they say:</P><P></P><P> Cisco Validated Design and best practices recommended dedicating only security features on the ASA. And they propose removing current NAT on the ASA and putting in on the router.</P></BODY></HTML> Fri, 19 Mar 2010 13:38:16 GMT Mon Baul 2010-03-19T13:38:16Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356075#M728247 <P>hi,</P><P></P><P>&nbsp; could anyone confirm if doing the NAT in the router is better that doing it in a firewall?because someone told me this is the best practice from cisco.</P><P></P><P> My topology below:</P><P></P><P> CoreSwitch==&gt;edge switch--&gt;ASA--&gt;Boarder router</P><P></P><P> Note: i have server in dmz configured in ASA and accessible thru internet.</P><P></P><P>thanks.</P><P>reymon</P> Mon, 11 Mar 2019 17:23:33 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356075#M728247 Mon Baul 2019-03-11T17:23:33Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356076#M728248 <HTML><HEAD></HEAD><BODY><P>Don't see the difference configuring it on router or ASA. Most people configured NAT on their ASA.</P></BODY></HTML> Fri, 19 Mar 2010 12:15:18 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356076#M728248 Jennifer Halim 2010-03-19T12:15:18Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356077#M728249 <HTML><HEAD></HEAD><BODY><P>Here is what they say:</P><P></P><P> Cisco Validated Design and best practices recommended dedicating only security features on the ASA. And they propose removing current NAT on the ASA and putting in on the router.</P></BODY></HTML> Fri, 19 Mar 2010 13:38:16 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356077#M728249 Mon Baul 2010-03-19T13:38:16Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356078#M728250 <HTML><HEAD></HEAD><BODY><P>I guess it really depends on what you will be using the NAT for, as there is a number of application inspection that ASA is more superior of.</P><P></P><P><SPAN style="text-decoration: underline;">For example</SPAN>:</P><P>You are NATing your FTP server, and ASA is configured to inspect FTP traffic so it will dynamically open a pin hole for the FTP data connection.</P><P>If you perform the same on the router, first of all, for tighter security, you would need to create access-list, and then either CBAC or ZBFW to inspect the traffic. Router main functionality is performing routing, with the above example, you have just added security feature on the router which is not very efficient since you already have ASA firewall.</P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 19 Mar 2010 22:32:30 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356078#M728250 Jennifer Halim 2010-03-19T22:32:30Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356079#M728251 <HTML><HEAD></HEAD><BODY><P>configuring policy nat, dynamic nat, nat exemption, outside nat, destination nat, static 1-1, policy static all of these can be easily done on the ASA.</P><P></P><P>I would say do the nat on the ASA and let the router do what is is betst to do which is routing.</P><P></P><P>-KS</P></BODY></HTML> Fri, 19 Mar 2010 22:38:06 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356079#M728251 Kureli Sankar 2010-03-19T22:38:06Z https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356080#M728252 <HTML><HEAD></HEAD><BODY><P>I agree to both of you:) Thanks!</P></BODY></HTML> Sat, 20 Mar 2010 12:57:02 GMT https://community.cisco.com/t5/network-security/nat-in-router-or-firewall/m-p/1356080#M728252 Mon Baul 2010-03-20T12:57:02Z