Cisco ASA behind Cisco router

networker123777
Level 1

I want to put a Cisco ASA firewall between a Cisco 4331 router facing the internet and a Cisco L3 switch (supporting multiple VLANs). Pic attached. Now the question is which mode is recommended for the Cisco ASA to be configured in, because in routed mode there will be double NATs (one in the Cisco router and the other in the ASA) affecting some of the traffic and the VoIP service, while I don't have experience of it in transparent mode. Kindly need expert opinion on it.


[Attached image: router asa.png]

1 Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Configure the ASA in routed mode, but just don't configure NAT for the 'inside' subnets.


Ensure the NAT statement configured on the router permits the subnet IDs routed by the ASA.


cheers,

Seb.
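A worked configuration for the arrangement Seb describes (router does the single NAT, ASA in routed mode passes inside addresses unchanged), added here as an illustration and not taken from the thread or from Cisco documentation. Interface names, the 10.10.0.0/16 VLAN range, the transit links and the public addresses are all constructed for the example.

```cisco
!===== ISR 4331 (constructed example) =====
interface GigabitEthernet0/0/0
 description Internet
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 description Transit link to ASA outside
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! The VLAN subnets live behind the ASA, so the router needs routes to them
! via the ASA outside address, and a default route to the ISP.
ip route 10.10.0.0 255.255.0.0 192.168.255.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! The NAT ACL must match the subnets the ASA routes (the VLANs), not only
! the transit link; a source that misses this ACL leaves untranslated and
! is dropped upstream.
ip access-list standard NAT_INSIDE
 permit 10.10.0.0 0.0.255.255
 permit 192.168.255.0 0.0.0.3
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0/0 overload

!===== ASA, routed mode (the default; no 'firewall transparent') =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.255.1 255.255.255.252
!
! Default route toward the router; VLAN subnets reachable via the L3 switch,
! which in turn points its default route at 10.10.255.1.
route outside 0.0.0.0 0.0.0.0 192.168.255.1
route inside 10.10.0.0 255.255.0.0 10.10.255.2
!
! Deliberately no 'nat' statements: without a matching NAT rule the ASA
! forwards packets with their original source address, so only the router
! translates and VoIP sees a single NAT hop. Security-level defaults still
! apply: inside->outside permitted, outside->inside denied unless an
! access-group allows it.
!
! Verification (run on the ASA):
!   show nat            -> no translation rules present
!   show xlate          -> no translations built
!   packet-tracer input inside tcp 10.10.20.5 1025 198.51.100.10 443
!                       -> phases show ROUTE-LOOKUP and no NAT phase
```

The only place NAT state exists is the router, so troubleshooting a VoIP registration problem means checking `show ip nat translations` there rather than on both devices.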


8 Replies


Thanks for clarification...... regards

Thanks Alot....

Hello,


In addition to Seb's post, what are you trying to accomplish? There are certain advantages to configuring the ASA in transparent mode, such as passing broadcast and multicast traffic. In addition, each layer 3 hop introduces another potential 'speed bump'.


Have a look at the link below:


https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-fw.pdf

Sergey Lisitsin
VIP Alumni

networker123777,


You don't have to configure another NAT on the ASA if you don't need it. You can keep it purely for filtering and inspecting traffic, leaving the router to do all the NAT.

Thanks for the answer...... regards

Hello,

Just like to add, as you may be aware, NAT is a security feature, so if you don't need to NAT twice, don't, as @Seb Rupik suggested.

@networker123777 wrote:

    while I don't have experience of it in transparent mode. Kindly need expert opinion on it.


Transparent mode doesn't support quite a lot of features, as it's basically an L2 device that bridges, with a maximum of two interfaces (inside/outside), no DMZ.

As far as I am aware the below isn't supported, but it probably would be allowed through with applied ACLs:
- dynamic routing (RIP/OSPF/EIGRP etc., but I think it allows statics)
- QoS
- multicast
- DHCP relay

If you post this in the security forum you would most probably obtain a better response from your query.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
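To make Paul's point concrete, here is a transparent-mode ASA configuration that bridges the router and the L3 switch into one segment and explicitly permits OSPF between them through the firewall. This is an added illustration, not configuration from the thread or from any Cisco document; the BVI address, the 192.168.255.0/24 segment and the ACL names are constructed for the example.

```cisco
! Transparent mode: the ASA becomes a Layer 2 bridge, the router (outside)
! and the L3 switch (inside) are now adjacent on the same subnet, and the
! ASA itself makes no routing decisions for transit traffic.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The bridge-group virtual interface carries the only IP address the ASA
! has on this segment; it is used for management and for traffic the ASA
! originates (syslog, AAA), not for forwarding.
interface BVI1
 ip address 192.168.255.2 255.255.255.0
!
! Management-plane default route via the router (not a transit route).
route outside 0.0.0.0 0.0.0.0 192.168.255.1
!
! The router and the switch run OSPF across the bridge. Hellos from the
! outside (security-level 0) to the inside must be permitted explicitly;
! the ASA bridges the 224.0.0.5/6 multicast but does not itself participate.
! Inside-to-outside traffic is already allowed by the security-level default.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! Verification:
!   show firewall                  -> "Firewall mode: Transparent"
!   show bridge-group 1            -> both interfaces listed as members
!   show mac-address-table         -> router and switch MACs learned per side
!   show access-list OUTSIDE_IN    -> hit counts climbing on the ospf line
```

Note what this buys and costs: there is only one NAT (on the router) and the ASA adds no L3 hop, but the ASA can neither run the routing protocol nor relay DHCP; it can only allow or block those flows, exactly the limitation Paul's list describes.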