NAT or NAT exemption

donnie
Level 1

Hi all. My office is using a Cisco ASA 5510 as a firewall, and it is connected to the office/DMZ/internet networks. I allow my office network traffic to access the DMZ network but deny the reverse. To allow my office network to access the DMZ network I can either do NAT or NAT exemption. Using NAT would conceal my office PCs' IPs when they access the DMZ, as they will be translated to a DMZ IP. But it would be tough for me to do traffic monitoring in the DMZ, as there are too many NATs done. Hence I would like to know what the industry practice is: NAT or NAT exemption? Please advise. Thanks in advance.

5 Replies

sachinraja
Level 9

Hello Wen

It's either way. Actually, NAT is done the other way. If I have servers in the DMZ accessed from inside, it is good to have the server segment NATted to inside with the same IP. For example, if inside is 10.1.0.0/16 and the server segment is 172.16.1.0/24, then I would do

static (dmz,inside) 172.16.1.10 172.16.1.10 netmask 255.255.255.255

say 172.16.1.10 is the server that I'm trying to access. If you want, you can do the same thing for an entire subnet. Doing this, all the servers will be visible on inside and will be accessed with their own IP. As you said, if you do it the other way (NAT the inside to a DMZ IP) then it will be really tough to manage. This is how we have implemented it in most of the high-end networks.

Hope this helps. All the best.

Raj

Hi Raj,

Thank you very much for the reply. I think I would adopt your suggestion. But just one last check: is there any security consideration compared to my earlier two methods? I just want to ensure the security part before I proceed to implementation. Thanks in advance.

Hello wen

There is not much difference in the way it works (security-wise) in these options. In fact, when you do a static translation, it is always the best from a security point of view, since the translation happens one-to-one: you will have the real IPs of clients in any kind of log/sniffer etc. If you are doing PAT (many to one), then the problem of diminished security comes, since the IPS/logs etc. would look at the same IP address (with different port numbers), which makes troubleshooting even more difficult.

But in your case, since you are doing a 1-to-1 translation (either way), there is not much difference (in security). In fact, to increase security I would normally have an access list on the inside interface of the PIX and validate traffic flow, even from inside, to the DMZ.

Hope this helps. All the best. Rate replies if found useful.

Raj
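The two options discussed in this thread, written out as an added configuration example (not Raj's or Cisco's own config) using pre-8.3 ASA syntax with the constructed subnets 10.1.0.0/16 (inside) and 172.16.1.0/24 (DMZ), and the constructed access-list names NONAT and INSIDE_IN. It shows NAT exemption and static identity NAT for the whole DMZ subnet, plus the inside-interface access list Raj recommends so that inside-to-DMZ traffic is restricted and logged rather than permitted by default.

```cisco
! --- Option A: NAT exemption (nat 0) for inside -> dmz ---
! Traffic matching NONAT is passed untranslated, so DMZ logs show real inside IPs.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Option B: static identity NAT for the entire DMZ server subnet ---
! Same effect for monitoring (1-to-1, real IPs preserved); the DMZ hosts are
! reachable from inside under their own addresses. This replaces the single
! host static shown earlier in the thread. Use one option, not both.
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! --- Inside-interface ACL: validate inside -> dmz flows instead of relying on
! the implicit higher-to-lower security-level permit ---
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 443
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.1.10 eq 22
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
```

The trailing `permit ip ... any` keeps internet access working after the explicit DMZ deny; `show xlate` and `show nat` confirm that inside hosts reach the DMZ with their original addresses.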

Hi Raj,

One more thing: it seems that by using your suggestion my inside IP would not be concealed from the DMZ when connecting from inside to the DMZ.

Your inside IP will be visible, using the same IP address. It is just that the server IP is shown to inside users with a static NAT. End-to-end communication happens through the same set of IP addresses.

Raj
