08-19-2016 05:16 AM - edited 03-08-2019 07:04 AM
Hello all,
I am just learning the basics of ASA configuration.
I have seen many people state that it is better to have the ASA sit behind a router instead of on the edge.
In this scenario, would I configure NAT to access the internet on the ASA or would I do it on the edge router?
I am also looking to set up a site-to-site VPN tunnel using IPsec over GRE. Would this be done on the ASA or the router in this setup?
So far I have learned to do the above on routers. They seem fairly straightforward to configure on the ASA; I am just not sure how it is affected by having a router after the firewall.
Appreciate any advice.
Matt
08-19-2016 05:56 AM
For NAT, a rule of thumb is that it's implemented on the device that has the public IP address(es) on the outside interface and a private IP on the inside. If this is your setup:
Internet ----- (Pu) - Router - (Pr) ----- (Pr) - ASA - (Pr) ---- internal Network
Here the NAT is typically done on the router.
In many cases this router is removed from the network if the ISP provides an Ethernet-Link:
Internet ----- (Pu) - ASA - (Pr) ---- internal Network
Now NAT is done on the ASA.
For your VPN-needs, The ASA doesn't support IPsec/GRE, that can only be done on the router. In many cases I would configure that the following way:
              / ----- (Pu) - ASA - (Pr) ---- internal Network
Internet - SW |
              \ ----- (Pu) - Router
Both ASA and router are connected to the Internet, but the VPN-traffic is sent again through the firewall.
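To make the two points above concrete (NAT lives on the box holding the public address, and IPsec-protected GRE is a router feature), here is an added configuration example for the edge router in the first topology (Internet - Router - ASA - LAN). It is not Karsten's config and not from the thread; every address, interface name, object name and the branch peer are assumptions, and the pre-shared key is a placeholder. The router does PAT for Internet access, terminates a GRE tunnel to the branch, and protects that tunnel with IKEv2/IPsec in transport mode; the ASA behind it sees only private addresses.

```cisco
! Added example (not from the thread): edge router in the
!   Internet --(Pu)-- Router --(Pr)-- ASA --(Pr)-- LAN
! topology. Addresses, interface names, object names and the branch peer are assumptions.
!
! --- Interfaces -----------------------------------------------------------
interface GigabitEthernet0/0
 description Outside, public IP from ISP (assumed 203.0.113.2/30)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside, transit link to the ASA outside interface
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! --- Routing --------------------------------------------------------------
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! HQ LAN (10.1.0.0/16) lives behind the ASA; the ASA outside is 192.168.255.2
ip route 10.1.0.0 255.255.0.0 192.168.255.2
! Branch LAN (10.2.0.0/16) is reached through the GRE tunnel
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! --- NAT: this router holds the public address, so PAT is done here -------
ip access-list extended NAT-INSIDE
 remark Site-to-site traffic must not be translated. Routing already sends it
 remark into Tunnel0 (not an "ip nat outside" interface); the deny makes that explicit.
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! --- IKEv2 / IPsec protecting the GRE tunnel (peer assumed 198.51.100.2) --
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring BRANCH-KEYS
 peer BRANCH
  address 198.51.100.2
  pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local BRANCH-KEYS
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-PROF
!
! --- GRE tunnel, encrypted by the profile above ---------------------------
interface Tunnel0
 description GRE over IPsec to branch
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROTECT
```

The branch router gets the mirror image (its own public address as tunnel source, 203.0.113.2 as destination and IKEv2 peer, 172.16.0.2/30 on Tunnel0). Verify with show crypto ikev2 sa, show crypto ipsec sa and show ip nat translations; if the tunnel is up but branch traffic is being translated, the NAT ACL deny is the first thing to check. Transport mode is used because GRE already supplies the outer IP header; the MTU/MSS settings avoid fragmentation of the double-encapsulated packets.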
08-19-2016 06:05 AM
Thank you Karsten,
That is very helpful.
Is it more common to configure site-to-site VPNs on the router, or is there a better way to configure this on the ASA?
Also in your final topology where you have the internet connected to the router and the router going via the ASA, would you configure the VPN access list on just the ASA or both?
Thanks
Matt
08-19-2016 06:16 AM
The (IOS) router has much more features for site-to-site VPN than the ASA. But if you don't have many VPN peers, then the ASA is often "good enough".
The Access-Control can be done on the router or on the ASA. In a pure hub-and-spoke topology I would configure it on the ASA, but if there is spoke-to-spoke communication it has to be done on the VPN-Router or even on the branch-routers.
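An added example of the hub-and-spoke case described above, where the access control is placed on the ASA in the third topology (Internet - switch, with both the ASA and the VPN router holding public addresses): the VPN router decapsulates the GRE/IPsec tunnel and forwards the branch's private traffic to the ASA outside interface, and the ASA applies the policy. This is not Karsten's config and not from the thread; the addresses, object names and permitted services are assumptions.

```cisco
! Added example (not from the thread): ASA in the
!   Internet -- SW --(Pu)-- ASA --(Pr)-- LAN
!                  \--(Pu)-- VPN Router
! topology. Addresses, object names and permitted services are assumptions.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
! Default route to the ISP gateway; branch LAN is reached via the VPN router (203.0.113.11)
route outside 0.0.0.0 0.0.0.0 203.0.113.9
route outside 10.2.0.0 255.255.0.0 203.0.113.11
!
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.0.0
!
! Identity (no-translation) rule for site-to-site traffic. Manual NAT is
! evaluated before object NAT, so this wins over the PAT rule below.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! The ASA holds the public address in this topology, so Internet PAT is done here.
object network HQ-LAN
 nat (inside,outside) dynamic interface
!
! Access control for traffic arriving from the branch through the VPN router:
! only what the branch needs, everything else dropped and logged.
access-list OUTSIDE-IN extended permit tcp object BRANCH-LAN object HQ-LAN eq 443
access-list OUTSIDE-IN extended permit icmp object BRANCH-LAN object HQ-LAN echo
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Anti-spoofing: a packet arriving on outside with a 10.1.0.0/16 source is
! dropped, because the routing table says that prefix lives on inside.
ip verify reverse-path interface outside
```

Check the policy with packet-tracer input outside tcp 10.2.0.5 40000 10.1.0.50 443 (expect an allow through OUTSIDE-IN with the identity NAT rule matched) and with show nat to confirm the manual rule sits in section 1 ahead of the object rule. In a pure hub-and-spoke design this one ACL is enough; once spokes talk to each other directly, that traffic never transits the ASA, which is why the policy then has to move to the VPN router or the branch routers.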