NAT Security

Unanswered Question
Jan 12th, 2010

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

I have always heavily restricted access through my firewall.  I have a situation where a user needs public access to a server from the Internet.   I told him the device would sit on the inside of the network and he could VPN into our firewall and then access the device.  The device is a security system and when you log into it you can stream camera feeds from cameras around the building.  He claims the MTU’s added by the VPN will slow down the stream to the point it will be unusable and he will need a public NAT’ed IP address.  I am not too sure on the MTU’s?  I was thinking of putting the device on my DMZ and letting him access it that way rather than it sit inside the network NAT’ed to a public IP address.  I think if I did it this way I should be fine and I would pass a security audit if I ever had to go through one.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kureli Sankar Tue, 01/12/2010 - 18:23

IPSec header length does had to the MTU (Maximum Transmission Unit). You can certainly move this server to the DMZ and configure a static so, it can be reached from the internet instead of leaving it in the inside.  Restrict the access from DMZ to inside.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1985936

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412453

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

-KS

Actions

This Discussion