07-13-2023 08:10 PM
Hi,
The current deployment I have is the NGFW, which is in routed mode so I can use it as the gateway for all inside subnets. It connects to the ISR router before it connects to the public internet (the connection between the NGFW and the ISR router is still a private network). My question is: can I still use the NGFW for my NAT when connecting to the internet, and what about the router, does it need to do NAT again since it is the one connected to the public IP?
best practice - where to do NAT, Policy
Regards,
Pat
07-13-2023 08:20 PM
Hi @Patts
The NAT for internet access should be placed on the router, as it has the public IP address. If you do the NAT on the firewall for internet, you need double NAT, as the network between the firewall and the ISR cannot go out to the internet.
It is not a problem to have double NAT like this, but surely it will be more configuration, more failing points and unnecessary processing.
07-13-2023 08:26 PM
Thanks Flavio, I will consider just doing all the NAT in the router.
Cheers!
Pat
07-13-2023 08:28 PM
Sounds like a plan.
You may find a reason to place NAT in the firewall for some specific situation for the internal network. But for internet, I would also go with the router.
07-14-2023 02:55 AM
Sure you can, and it is preferred to configure NAT in the router, not in the FW.