03-12-2018 12:57 AM - edited 02-21-2020 07:30 AM
Hello all,
Seen cases where NAT is done on the border gateway router. Just wondering, is there any advantage to creating NAT on the firewall as against the BGR?
03-12-2018 08:14 AM
The place you "decide to" do NAT depends on:
- network design
- network constraints like pool of IPs available
- clustering or not
and many, many other aspects.
I prefer doing NAT and firewall on ASA while doing pure routing on the BGs. But I had cases when I used ASAs with no NAT, just FW. So it depends from case to case.
03-12-2018 09:08 AM
Any downside or security gap to doing NAT on the BGR?
03-12-2018 10:19 AM
Hi,
Generally speaking, a (medium-sized) router won't have the same NAT performance as a firewall. It's like having a ZBFW config on a router vs installing a dedicated firewall. Both do the same thing (filtering up to layer 7 - at least for HTTP/FTP and some other clear-text protocols) but don't behave the same in terms of performance.
Now, with the latest 4K routers the penalty is not that big, but a firewall would be best.
Thanks,
Octavian