Cisco Support Community
New Member

Static NAT vs. Public

From a security standpoint, if someone is using a Sonicwall firewall doing one-to-one NAT, public to private, is that any more secure than someone using public IPs inside their network with the proper access-lists?

7 REPLIES
New Member

Re: Static NAT vs. Public

One-to-one NAT, public to private, is safer than using a public address with good ACLs. With NAT you will hide your original IP. This will protect your server from any type of attack. If you use a public IP, you will definitely have a few ports or services open, which can be exploited.

New Member

Re: Static NAT vs. Public

I'm afraid I have to slightly disagree. Comparing the two apples to apples, public routed internally versus NAT translated to private is virtually the same thing from a security standpoint. It's the ACLs and other rules (fixup, etc.) that secure it. NAT translation while still leaving all ports open is just as unsafe as a routed public address left wide open.
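
To make the point above concrete, here is an added example (not code from any post in this thread, and not a SonicWall or Cisco implementation): a toy edge-firewall model that runs an outside port scan against three constructed setups, one-to-one NAT with nothing filtered, one-to-one NAT with a locked-down inbound ACL, and public addresses routed straight to the hosts with the same ACL. Every host, address, service and rule in it is constructed for illustration. The modelling assumption, stated in the code, is the classic PIX/ASA pre-8.3 order: the outside-interface ACL is matched against the public address first, then the static mapping rewrites the destination.

```python
"""Toy edge-firewall model: one-to-one static NAT versus routed public addresses
behind the same inbound ACL.

Added example for the thread, not code from the original posts and not any
SonicWall or Cisco implementation. Hosts, addresses, services and rules are
all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Probe = Tuple[str, str, int]  # (public address, protocol, port) as an outside scanner sees it


@dataclass(frozen=True)
class Rule:
    """One inbound ACL entry, evaluated in order on the outside interface; first match wins.
    A None field is a wildcard (like 'any')."""
    action: str            # "permit" or "deny"
    proto: Optional[str]   # "tcp", "udp" or None
    dst: Optional[str]     # destination address as seen on the outside interface
    port: Optional[int]

    def matches(self, proto: str, dst: str, port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst is None or self.dst == dst)
                and (self.port is None or self.port == port))


@dataclass
class Firewall:
    """Edge device with an inbound ACL and an optional 1:1 static NAT table.

    Modelling assumption: the ACL is matched against the packet as it arrives on the
    outside interface (the public address); only then is the destination rewritten to
    the inside host. That is the PIX/ASA pre-8.3 order. On ASA 8.3+ the interface ACL
    references the real (inside) address instead, so the rule text differs, but the
    reachable set computed below does not.
    """
    acl: List[Rule]
    static_nat: Dict[str, str] = field(default_factory=dict)  # public -> private

    def permitted(self, proto: str, dst: str, port: int) -> bool:
        for rule in self.acl:
            if rule.matches(proto, dst, port):
                return rule.action == "permit"
        return False  # implicit deny at the end of every inbound ACL

    def forward(self, proto: str, dst: str, port: int) -> Optional[Tuple[str, int]]:
        """(inside address, port) the packet is delivered to, or None if dropped."""
        if not self.permitted(proto, dst, port):
            return None
        # Routed design: no table entry, so the address passes through unchanged.
        return self.static_nat.get(dst, dst), port


# Constructed inside servers and what each actually listens on.
SERVICES: Dict[str, FrozenSet[Tuple[str, int]]] = {
    "web":  frozenset({("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 3389)}),
    "mail": frozenset({("tcp", 25), ("tcp", 143), ("tcp", 22), ("udp", 161)}),
}

WEB_PUB, MAIL_PUB = "203.0.113.10", "203.0.113.20"    # constructed, documentation range
WEB_PRIV, MAIL_PRIV = "192.168.1.10", "192.168.1.20"

# The "locked down" policy both designs get: only the services meant to be public.
LOCKED_ACL = [
    Rule("permit", "tcp", WEB_PUB, 80),
    Rule("permit", "tcp", WEB_PUB, 443),
    Rule("permit", "tcp", MAIL_PUB, 25),
]
NAT_TABLE = {WEB_PUB: WEB_PRIV, MAIL_PUB: MAIL_PRIV}

SCENARIOS = {
    # 1:1 NAT with "permit ip any any": the belief that translation alone protects the host.
    "nat_wide_open": (Firewall([Rule("permit", None, None, None)], NAT_TABLE),
                      {WEB_PRIV: "web", MAIL_PRIV: "mail"}),
    # 1:1 NAT plus the locked-down ACL.
    "nat_locked":    (Firewall(LOCKED_ACL, NAT_TABLE), {WEB_PRIV: "web", MAIL_PRIV: "mail"}),
    # Public addresses routed straight to the hosts, same ACL, no translation.
    "routed_locked": (Firewall(LOCKED_ACL), {WEB_PUB: "web", MAIL_PUB: "mail"}),
}

PROBE_PORTS = range(1, 65536)  # a full-range scan from the outside


def exposed(scenario: str) -> FrozenSet[Probe]:
    """Every (public address, proto, port) on which an outside scanner reaches a live service."""
    fw, hosts = SCENARIOS[scenario]
    reached = set()
    for pub in (WEB_PUB, MAIL_PUB):
        for proto in ("tcp", "udp"):
            for port in PROBE_PORTS:
                hit = fw.forward(proto, pub, port)
                if hit is None:
                    continue
                inside, p = hit
                name = hosts.get(inside)
                if name is not None and (proto, p) in SERVICES[name]:
                    reached.add((pub, proto, p))
    return frozenset(reached)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:14s} {sorted(exposed(name))}")
```

Running it, `nat_locked` and `routed_locked` return the identical set of three reachable services, while `nat_wide_open` reaches all eight listeners, SSH and RDP included, through the translation. The one thing the scanner never learns in the NAT scenarios is the 192.168.1.x addresses, which is the "hiding" benefit and nothing more. The practical caveat baked into the model's docstring: if the box is an ASA upgraded past 8.3, the inbound ACL must name the real inside addresses, so a policy copied verbatim from a pre-8.3 config would silently stop matching.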

New Member

Re: Static NAT vs. Public

I would agree with you; I missed out in mentioning that the right approach would be to have the ACLs with NAT.

New Member

Re: Static NAT vs. Public

So reading the responses above, I think I would be correct in saying that one-to-one NAT is no more secure than a public inside IP, assuming that the same ports were locked down in both instances. Is this correct?

New Member

Re: Static NAT vs. Public

Correctomundo.

New Member

Re: Static NAT vs. Public

Thanks!

Bronze

Re: Static NAT vs. Public

I would add that although both approaches are about the same in terms of security, NAT does provide the ability to "hide" your internal IP layout. The less a would-be attacker knows about your internal network, the better off you are. So I'd say the NAT approach is slightly more secure. Of course, as the other poster stated, the most important thing is to have good ACLs, rules, filtering, etc., whichever approach you choose.

I know you didn't ask, but I would also point out an additional benefit of NAT that is not security related: if you ever switch ISPs, it is much easier to change only the firewall's one-to-one NAT mappings than to change the legal IPs of all your hosts AND the firewall.

My $.02
