Re: NAT Design Question

gdrandles · ‎05-20-2011

I have a question about how I should setup NAT on our 6509's with relation to the FWSM and MSFC.

Is it better to NAT at the MSFC or FWSM? We do plan on having at least 1 DMZ in addition to the "inside" and "outside" networks if that helps.

If we put the NAT on the FWSM, then option 1 would have our FWSM connected directly to the ISP 2811 routers. We could also use Option 2 where the MSFC is connected directly to the ISP 2811 routers. This would require us to extend the public network down to the FWSM. That is why I have the virtual connection between the MSFC and FWSM in option 2 as "Network Unknown."

If we put NAT on the MSFC, then we could use option 2 where the MSFC is connected directly to the ISP 2811 routers. This would allow us to use a private network for the virtual link between the MSFC and FWSM.

I have read somewhere that, for security reasons, it is best to place the MSFC between the Internet and the FWSM. I am looking for any help or suggestions.

Thanks,

Roman Rodichev · ‎05-22-2011

I always put NAT on the FWSM, as it is its job, MSFC will have limitations with NAT. I also always setup MSFC on both sides of the FWSM to gain flexibility. You would need to setup two VRFs, one called Internet and one called Internal. Put outside SVIs into Internet VRF and inside SVIs into Internal. This way you will have full control over routing, etc.