Where to NAT?

Hi,

I have a T1 coming into the building, terminating at a 1800 Series router, then into a Cisco ASA 5500 series, then to a server hosting all the services, including ISA. This is a multihomed server which then goes into a 48 port switch that all other PCs plug into.

My question is, where should I perform NAT? I would assume that I should do this on the router at the edge (the T1 is an internet T1 by the way) and not the ASA.

Also, I will be having IPSec VPNs using L2TP coming into the network for people travelling and working from home. I want these to terminate at the ASA and then have the ASA query the server for certificates. What do I need to do to make sure that the router ACLs do not stop this and so that ISA lets the certificate checks through?

Thanks in advance.

K.J. 44

I would perform the NAT at the ASA. Your router at the edge should just forward all packets to the ASA and let the ASA do the work for you. Also, when it comes time for you to set up VPNs, you will not have to NAT and ACL all the ports for IPSEC through the router.

Chad Mahoney

Agreed. NAT at the ASA.

chris


I know that NAT is performed at the router that is connected directly to the internet. Could someone please explain to me why NAT shouldn't be performed at the 1800 Series router?

Thanks

The Dude


If you didn't have the VPNs I think it would be fine to NAT on the 1800, but in your case it would complicate the VPN because you'd have to deal with NAT traversal issues.

Barry Margolin
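The "NAT traversal issues" Barry refers to come from IKE's NAT detection (RFC 3947): each peer sends NAT-D payloads, hashes of its own address and port, and the receiver recomputes them over the address it actually saw on the wire. The toy below is an added example, not code from any poster or vendor, and uses constructed cookies and RFC 5737 / RFC 1918 sample addresses; it shows that with NAT on the 1800 the client detects a mismatch and the tunnel must float to UDP/4500, while with the ASA holding the public address no NAT-T is needed.

```python
"""Added example: RFC 3947 style NAT detection between IKE peers.
Cookies and addresses are constructed sample values."""
import hashlib
import ipaddress
import struct

CKY_I = bytes.fromhex("0011223344556677")  # initiator cookie (constructed)
CKY_R = bytes.fromhex("8899aabbccddeeff")  # responder cookie (constructed)


def nat_d(ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), SHA-1 as in RFC 3947."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(sender_ip: str, sender_port: int,
                observed_ip: str, observed_port: int) -> bool:
    """The receiver recomputes the sender's NAT-D over the source address it
    observed. Any mismatch means a device rewrote address or port in transit."""
    return nat_d(sender_ip, sender_port) != nat_d(observed_ip, observed_port)


def ike_port(sender_ip: str, sender_port: int,
             observed_ip: str, observed_port: int) -> int:
    """Port the peers continue on: 500 when no NAT is present, 4500
    (UDP-encapsulated ESP, NAT-T) when a NAT was detected."""
    return 4500 if nat_between(sender_ip, sender_port,
                               observed_ip, observed_port) else 500


# Constructed sample addresses for the two designs discussed in the thread.
ASA_PRIVATE = "10.0.0.2"        # ASA outside address when the 1800 does NAT
ROUTER_PUBLIC = "203.0.113.5"   # public address the remote client connects to


def scenario(asa_addr: str, addr_seen_by_client: str) -> int:
    """ASA sends NAT-D over its own address; the remote client compares it
    with the address it saw and picks the port to continue on."""
    return ike_port(asa_addr, 500, addr_seen_by_client, 500)


if __name__ == "__main__":
    print("NAT on the 1800, ASA private :", scenario(ASA_PRIVATE, ROUTER_PUBLIC))
    print("NAT on the ASA, ASA public   :", scenario(ROUTER_PUBLIC, ROUTER_PUBLIC))
```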

Thanks. I guess I have to learn about NAT traversal :)

The Dude

