Best place to NAT?

mx · ‎02-27-2008

HI. Ill be doing an install of a T1 to a 2811, then to a ASA5505. Usually Ive done 5505's behind dsl or cable and let the 5505 NAT. But Im assuming Ill be getting a /30 address from the circuit provider, giving me 1 address. This is probably a simple question, but it seems like the 2811 will NAT, the inside interface will be private, then the ASA will provide DHCP for the LAN.

Im just not sure how to config the ASA with all interfaces being private. if someone has a sample config that would be great! Thank you.

Danilo Dy · ‎03-01-2008

Hi,

/30 usually is between ISP router and your edge L3 device (firewall or router), ISP should provide you another subnet to be use in your network i.e. /29 or depends on how many you request.

However, if ISP is ony assigning you a single subnet /30 which is use between their router and your edge L3 device, it's either you didn't request for additional subnet or this is the only available subnet for the service you requested (or a lousy ISP :) )

Configuring NAT with only /30 in your edge router.

- Between your router and ASA is /30 (i.e. 192.168.1.0/30)

- Inside your ASA is /24 (i.e. 192.168.2.0/24)

- From your router, route 192.168.2.0/24 to ASA

- No NAT needed in ASA

- NAT should be done in the router in which 192.168.2.0/24 is the inside ip address

Regards,

Dandy

Best place to NAT?

Static NAT の設定例

NAT PROBLEM

NAT-T is used to detect NAT

NAT overload の設定例

Dynamic NAT の設定例