Community Member

Internal NAT'ing - Security Recommendation

Is it recommended to use NAT between servers on different layers divided by the internal firewall? For example, one segment of the firewall is connected to web servers and another segment to DB servers. Is there any advantage to NAT'ing the destination server IPs (to hide the actual IPs from the web server segment while connecting to the DB)?

Also, please let me know if there are any DISadvantages of doing so, such as performance, harder troubleshooting, etc.

Thanks.

ACCEPTED SOLUTION

Re: Internal NAT'ing - Security Recommendation

Hiding the IPs from the two internal segments would depend on your company's security policy. It depends on a number of factors though. E.g. if you have two contractors managing the two different segments, hiding the internal IPs could increase security through the 'security through obscurity' model :) but this is not always the case. However, this will increase complications while troubleshooting problems etc.

Regards

Farrukh

3 REPLIES
Community Member

Re: Internal NAT'ing - Security Recommendation

Hi,

This absolutely depends on you. The advantage is protecting the servers from normal users sitting in the Inside zone.


Hall of Fame Super Blue

Re: Internal NAT'ing - Security Recommendation

You shouldn't rely on NAT for any sort of security. I don't really see much advantage in NATing at all on internal firewalls, and therefore all NAT does is add an extra layer of complication where it isn't needed.

NAT is a pain, frankly, but we end up having to do it almost everywhere. So if you can avoid it, do. I would also add that NAT can break certain apps, and without doubt, if you are experiencing connectivity problems, not having to take into account the NAT rules is one less thing to worry about.

Jon
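To make the trade-off Farrukh and Jon describe concrete, here is an added illustration in Cisco ASA (8.3 and later) syntax of the two ways the original question could be implemented. It is example configuration written for this page, not configuration posted in the thread. The interface names dmz-web and dmz-db, the subnets 10.10.0.0/24 and 10.20.0.10, the mapped address 192.0.2.10 and the DB port 3306 are all assumptions.

```cisco
! --- Option A: no NAT. The web segment reaches the DB server on its real address.
! Access control alone enforces who may talk to the DB server.
object network WEB-SEGMENT
 subnet 10.10.0.0 255.255.255.0
object network DB-SERVER
 host 10.20.0.10
access-list DMZ-WEB-IN extended permit tcp object WEB-SEGMENT object DB-SERVER eq 3306
access-list DMZ-WEB-IN extended deny ip any any log
access-group DMZ-WEB-IN in interface dmz-web

! --- Option B: hide the DB server behind a mapped address (twice NAT).
! Web servers are configured to connect to 192.0.2.10 instead of 10.20.0.10.
! Source is identity-translated; only the destination is rewritten.
object network DB-SERVER-MAPPED
 host 192.0.2.10
nat (dmz-web,dmz-db) source static WEB-SEGMENT WEB-SEGMENT destination static DB-SERVER-MAPPED DB-SERVER

! Caveat: from ASA 8.3 onward the interface ACL is evaluated against the REAL
! destination (10.20.0.10), so the permit line above stays as written even though
! the clients send packets to 192.0.2.10. That is the extra rule to keep in mind
! when a connection fails under option B.

! Troubleshooting option B: trace with the address the client actually used.
! packet-tracer input dmz-web tcp 10.10.0.5 40000 192.0.2.10 3306
! show nat detail
! show xlate
```

Option B gives exactly the kind of obscurity Farrukh mentions: a compromised web server learns only 192.0.2.10, but the access list, not the translation, is what stops it from reaching anything else on dmz-db. Anything that embeds the server's IP in its payload (the kind of app Jon says NAT can break) will hand the web server the real 10.20.0.10 anyway, which is one more reason to treat the NAT as a convenience and the ACL as the control.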
