10-10-2020 05:42 AM
Hi,
Can anyone explain the pros and cons of configuring NAT on the interface versus using a dedicated public IP to NAT traffic to, on an FTD or ASA, etc.?
Thanks
10-10-2020 06:25 AM
It all depends on the requirement. If you have a public IP address, I would prefer to use that rather than the interface.
The only case where I have used the interface is where there were no more public IP addresses available, or where the public IP address is obtained via DHCP from the provider.
10-11-2020 11:19 AM
If you don't have spare public IP addresses, the only option you have is to PAT the traffic to the outside interface. However, if you do have spare public IP addresses, then a couple of things to keep in mind would be:
- Use a dedicated public IP for guest traffic. Guest traffic might pose security risks that end up getting your public IP blacklisted, and you don't want that to happen to the primary IP address assigned to the outside interface.
- Use a dedicated public IP for applications that are subject to restrictions based on the source public IP. Although you can still PAT to the outside interface, I think it is best practice to dedicate one for those applications.
- Use a dedicated public IP for any service that you expose externally, for example a web server in the DMZ.
10-12-2020 02:15 AM
This all boils down to how many public IPs, if any, you have available for internal use. It is always an advantage to have more public IPs, as you can allocate a separate public IP to each service. However, as mentioned by Aref, if you do not have any spare public IPs, or your budget doesn't allow for them, then you have no choice but to use the interface IP. There is nothing wrong with doing this, but you will be limited in which ports you can use to reach your internal services from the internet, since you cannot have the same NATed port for two services. For example, if you have two separate web servers, you will not be able to reach both of them on TCP/80. You would need to reach one on TCP/80 and the other on TCP/8080 (for example).
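To put Aref's three cases and the port-collision point above side by side, here is an ASA 8.3+ object NAT configuration. It is an added example written for this thread, not configuration from any of the posters; FTD uses the same NAT engine but is configured through FMC/FDM rather than this CLI. Interface names (inside, guest, dmz, outside), object names and every address are assumed: the outside interface is taken to hold 203.0.113.10, with 203.0.113.11 and 203.0.113.20 as spare public addresses (203.0.113.0/24 is a documentation range), and the internal hosts are made-up RFC 1918 addresses.

```cisco
! Added example (ASA 8.3+ CLI), not from the thread. All names and
! addresses are assumed. Outside interface = 203.0.113.10,
! spare public IPs = 203.0.113.11 and 203.0.113.20.

! 1. Corporate LAN: dynamic PAT (overload) on the outside interface address.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! 2. Guest Wi-Fi: dynamic PAT to a dedicated public IP, so if a guest gets
!    that address blacklisted, the corporate address is not affected.
object network GUEST_NET
 subnet 10.200.0.0 255.255.0.0
 nat (guest,outside) dynamic 203.0.113.11

! 3. Externally exposed DMZ web server: one-to-one static NAT on its own
!    public IP. Every port is translated, so the ACL below decides what
!    is actually reachable.
object network DMZ_WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.20

! 4. No spare public IPs: static PAT (port forwarding) on the interface
!    address. Two servers cannot both own tcp/80 on one IP, so the second
!    one is published on tcp/8080 while still listening on 80 internally.
object network WEB1
 host 172.16.10.11
 nat (dmz,outside) static interface service tcp www www
object network WEB2
 host 172.16.10.12
 nat (dmz,outside) static interface service tcp www 8080

! A translation by itself opens nothing: inbound connections on a
! lower-security interface are denied by default. Since 8.3 the ACL
! references the real (untranslated) address and real port, which is
! why WEB2 is matched on www here even though it is published on 8080.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq https
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq www
access-list OUTSIDE_IN extended permit tcp any object WEB2 eq www
access-group OUTSIDE_IN in interface outside
```

After applying it, `show nat detail` lists the translations in the order the ASA evaluates them, and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 8080` walks a simulated connection through NAT and the ACL to confirm that the 8080 mapping lands on WEB2 and is permitted. Trying to add a third server with `static interface service tcp www www` would collide with WEB1's mapping; that is the port limitation described above, and the dedicated address used for DMZ_WEB is how you avoid it.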