Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Security of NAT global ip to internal LAN ip?

How safe/good is NAT global static ip to an internal LAN ip? How does this hide/protect from hackers and port probers finding the true ip address of the network. Any documents on NAT security for networks would be grateful.

New Member

Re: Security of NAT global ip to internal LAN ip?

Will this server be accessible from the outside/public network? If so, not advisible. If this answers your question please rate and close. Thanks.

Cisco Employee

Re: Security of NAT global ip to internal LAN ip?


Iwierenga is right. NAT is as insecure as having the actual IP. The only thing that makes it secure is blocking access to unwanted ports/IPs/traffic



New Member

Re: Security of NAT global ip to internal LAN ip?

How can things be made more secure??? Without costing too much??

New Member

Re: Security of NAT global ip to internal LAN ip?

Security is a business of diligence, and the first thing to understand is that the best security practices are to keep all systems and networking devices patched, and only allow that traffic that is absolutly neccessary into your DMZ. Also, learn to read a lot of logs, and learn to understand the difference between reconnaissance, compromise attempts, and false positives.

With regards to costs to your business? Think of it this way, what if your network was much would it cost your business? I get an average of 6000 hits a day of offending traffic, thats slight compared to financial institutions.

Anyway, there are many products that are free that will help your business in staying secure. With regards to NAT, NAT is just one component to secure your network, NAT works to hide your DMZ (or sometimes internal network...bad idea) private IP addressing from the outside. The normal security model is to have Internet/perimeter router that connects to a firewall's outside interface, and the firewall's inside interface then connects to security switch that you would VLAN to seperate your DMZ/'s. This is the simple model, and get much more complex and costly. It would be my recommendation to have this model as a minumum.

With regards to securing routers and servers a good start is to go here:

National Security Agency

Security Recommendation Guides

A good freeby IDS is of course Snort for nix, go here:

Win32 version of Snort is here:

A good place to start understanding security is SANS:

And finally a good place to start to unbderstand NAT:

Hopefully, this will help you. If this answer your questions please close and rate.