Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1382
Views
0
Helpful
8
Replies

Cisco ASA behind Cisco router

Go to solution
networker123777
Level 1
Level 1

‎02-04-2019 03:15 AM - edited ‎03-08-2019 05:13 PM

I want to put cisco ASA firewall between a cisco 4331 router facing internet and a cisco L3 switch(supporting multivlans) .Pic attached....Now question is in which mode is recommended for the cisco ASA to be configured coz in router mode there will be double NATs (one in cisco router and other in NAT) affecting some of the traffic  and voip service , while i dont have experience of it in transparent mode.kindly need expert opinion on it.........

 

router asa.png

Labels:
Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-04-2019 03:28 AM - edited ‎02-04-2019 03:29 AM

Hi there,

Configure the ASA in routed mode, but just don't configure NAT for the 'inside' subnets.

 

Ensure the NAT statement configured on the router permits the subnet IDs routed by the ASA.

 

cheers,

Seb.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-04-2019 03:28 AM - edited ‎02-04-2019 03:29 AM

Hi there,

Configure the ASA in routed mode, but just don't configure NAT for the 'inside' subnets.

 

Ensure the NAT statement configured on the router permits the subnet IDs routed by the ASA.

 

cheers,

Seb.

0 Helpful

Go to solution
networker123777
Level 1
Level 1
In response to Seb Rupik

‎02-05-2019 10:18 PM

Thanks for clarification...... regards
0 Helpful

Go to solution
networker123777
Level 1
Level 1
In response to Seb Rupik

‎02-06-2019 12:04 AM

Thanks Alot....

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎02-04-2019 03:43 AM

Hello,

 

in addition to Seb's post, what are you trying to accomplish ? There are certain advantages to configuring the ASA in transparent mode, such as passing broadcast and multicast traffic. In additon, each layer 3 hop introduces another potential 'speed bump'.

 

Have a look at the link below:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-fw.pdf

0 Helpful

Go to solution
Sergey Lisitsin
VIP Alumni
VIP Alumni

‎02-04-2019 04:54 AM

networker123777,

 

You don't have to configure another NAT on the ASA if you don't need it. You can keep it purely for filtering and inspecting traffic, leaving router to do all the NAT.

0 Helpful

Go to solution
networker123777
Level 1
Level 1
In response to Sergey Lisitsin

‎02-05-2019 10:22 PM

Thanks for the answer...... regards
0 Helpful

Go to solution
paul driver
VIP
VIP

‎02-04-2019 06:56 AM - edited ‎02-04-2019 06:58 AM

Hello

Just like to add as you may be aware nat is a security feature so if you dont need to nat twice dont as @Seb Rupik suggested.

 

@networker123777 wrote:

 while i dont have experience of it in transparent mode.kindly need expert opinion on it.........

Transparent mode doesn't support quite a lot of features, as its basically a L2 device that bridges, with max of  two interfaces (inside/outside) no DMZ

As far as i am aware the below isn't supported but probably would be allowed through with applied acls.
dynamic routing  - (rip/opsf eigrp etc... but i think it allows statics)
qos
multicast
dhcp relay

If you post this in the security forum you would most probably obtain a better response from your query.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card