New Member

NAT Security

I have always heavily restricted access through my firewall. I have a situation where a user needs public access to a server from the Internet. I told him the device would sit on the inside of the network and he could VPN into our firewall and then access the device. The device is a security system, and when you log into it you can stream camera feeds from cameras around the building. He claims the MTUs added by the VPN will slow down the stream to the point it will be unusable and he will need a public NAT'ed IP address. I am not too sure on the MTUs? I was thinking of putting the device on my DMZ and letting him access it that way rather than having it sit inside the network NAT'ed to a public IP address. I think if I did it this way I should be fine, and I would pass a security audit if I ever had to go through one.

1 REPLY
Cisco Employee

Re: NAT Security

IPsec header length does add to the MTU (Maximum Transmission Unit). You can certainly move this server to the DMZ and configure a static so it can be reached from the Internet instead of leaving it on the inside. Restrict the access from DMZ to inside.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1985936

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412453

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

-KS
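The budget in the reply above tallies fixed per-header costs; the following calculator is an added worked example (it is not code from the Cisco post or from Cisco) that reproduces that 1380 + 20 + 20 + 24 + 24 + 12 + 20 = 1500 tally and then generalises it to an exact ESP-only tunnel-mode size that accounts for cipher-block padding, so you can see whether a given TCP segment will fragment before it is sent. The assumptions are labelled in the code and are not from the page: IPv4 headers without options, tunnel mode, and an ESP profile of AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); the `REPLY_AH_ESP` figures are the reply's own numbers, and the function and variable names are mine.

```python
"""IPsec MTU budget calculator (added example, not from the Cisco post).

Reproduces the reply's AH+ESP tunnel-mode tally
    1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500
and generalises it to an exact ESP-only size with cipher-block padding.
Assumptions (not stated on the page): IPv4 with no options, tunnel mode,
AES-CBC (16-byte IV and block) + HMAC-SHA1-96 (12-byte ICV) as defaults.
"""
from dataclasses import dataclass

IPV4_HDR = 20     # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class FixedOverhead:
    """Per-packet overhead as a fixed budget, the way the reply tallies it."""
    ah: int           # AH header + ICV
    esp_cipher: int   # ESP header + IV + worst-case padding + trailer
    esp_auth: int     # ESP ICV
    outer_ip: int     # tunnel-mode outer IPv4 header

    def total(self) -> int:
        return self.ah + self.esp_cipher + self.esp_auth + self.outer_ip


# The figures used in the reply (AH and ESP both applied, tunnel mode).
REPLY_AH_ESP = FixedOverhead(ah=24, esp_cipher=24, esp_auth=12, outer_ip=20)


def wire_size(tcp_payload: int, overhead: FixedOverhead) -> int:
    """Bytes on the wire for one TCP segment carrying tcp_payload data bytes."""
    return tcp_payload + TCP_HDR + IPV4_HDR + overhead.total()


def max_tcp_payload(path_mtu: int, overhead: FixedOverhead) -> int:
    """Largest TCP MSS that still fits path_mtu after tunnel encapsulation."""
    return path_mtu - IPV4_HDR - TCP_HDR - overhead.total()


def esp_tunnel_size(inner_packet_len: int, iv_len: int = 16,
                    block: int = 16, icv_len: int = 12) -> int:
    """Exact ESP tunnel-mode packet size for an inner IPv4 packet.

    ESP pads so that (payload + trailer) is a multiple of the cipher block,
    appends the ICV, and the outer IPv4 header goes in front.
    """
    pad = (-(inner_packet_len + ESP_TRAILER)) % block
    return (IPV4_HDR + ESP_HDR + iv_len + inner_packet_len
            + pad + ESP_TRAILER + icv_len)


def esp_max_mss(path_mtu: int, **esp_params: int) -> int:
    """Largest TCP MSS whose ESP tunnel packet does not exceed path_mtu."""
    mss = path_mtu
    while mss > 0 and esp_tunnel_size(mss + TCP_HDR + IPV4_HDR,
                                      **esp_params) > path_mtu:
        mss -= 1
    return mss


def will_fragment(tcp_payload: int, path_mtu: int = 1500,
                  **esp_params: int) -> bool:
    """True if the ESP-only tunnel packet for this segment exceeds the path MTU."""
    return esp_tunnel_size(tcp_payload + TCP_HDR + IPV4_HDR,
                           **esp_params) > path_mtu


if __name__ == "__main__":
    print("reply's AH+ESP tally:", wire_size(1380, REPLY_AH_ESP), "bytes")
    print("max MSS for AH+ESP over a 1500-byte path:",
          max_tcp_payload(1500, REPLY_AH_ESP))
    print("ESP AES-CBC/SHA1 max MSS over 1500:", esp_max_mss(1500))
    print("ESP 3DES/SHA1 max MSS over 1500:",
          esp_max_mss(1500, iv_len=8, block=8))
    print("unclamped MSS 1460 fragments?", will_fragment(1460))
    print("MSS 1380 fragments?", will_fragment(1380))
```

The point of the exact calculation is the failure mode the asker is worried about: an unclamped Ethernet MSS of 1460 yields a 1560-byte ESP packet on a 1500-byte path and fragments (or is dropped where DF is set), while the reply's 1380 figure, which is also the ASA's default `sysopt connection tcpmss` value, fits with room to spare even with AH added. The `esp_*` functions model ESP only; AH is carried as the fixed 24-byte allowance in `REPLY_AH_ESP`, as in the reply.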
