Cisco WSA - dedicated real IP

Hello community, 

Is it a best practice to configure a dedicated real IP address on the P2 port of a Cisco WSA, or should we use NAT?

If it is OK to dedicate a real IP address, what security protections can be enabled on the Cisco WSA?

Thank you!

2 Accepted Solutions

You can do it either way... I used NAT.
As far as I know there aren't any extra security protections/configurations to put on the WSA because you're exposing one of the interfaces to the open internet.


________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

amojarra
Cisco Employee

Hi @galin.gospodinov

As Ken mentioned, the best practice is to use a private IP address on your P2 interface and NAT the IP on your firewall/router.

In this case, you can block all the unwanted traffic, and just allow TCP/80,443 (due to your network needs and design) to the internet.

Please allow me to share the firewall configuration guide:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance/218441-configure-firewall-for-secure-web-applia.html

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
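
The layout recommended in the reply above (private P2 address, NAT on the firewall, only TCP/80 and TCP/443 allowed out) can be checked against an exported rule set. The script below is an added example, not part of the thread and not Cisco code; the rule format, the `audit` and `rule` helpers, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_OUT = {("tcp", 80), ("tcp", 443)}  # ports named in the reply; extend per your design

def rule(direction, action, proto, src, dst, port=None):
    """Hypothetical normalized firewall rule; port=None means any port."""
    return dict(dir=direction, action=action, proto=proto, src=src, dst=dst, port=port)

def audit(p2_ip, rules, static_nats):
    """Return findings for the firewall policy around the WSA P2 interface.

    rules: dicts from rule(); dir is "out" (towards internet) or "in" (from internet).
    static_nats: (public_ip, private_ip) one-to-one mappings on the firewall.
    """
    p2 = ipaddress.ip_address(p2_ip)
    findings = []
    if not any(p2 in net for net in RFC1918):
        findings.append(f"P2 address {p2} is not RFC 1918 private space")
    for public, private in static_nats:
        # A one-to-one mapping is bidirectional; egress only needs dynamic NAT/PAT.
        if ipaddress.ip_address(private) == p2:
            findings.append(f"static NAT {public} -> {private} gives P2 an inbound translation")
    for r in rules:
        if r["action"] != "permit":
            continue
        src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        if r["dir"] == "in" and p2 in dst:
            findings.append(f"inbound permit to P2: {r['proto']}/{r['port']} from {src}")
        elif r["dir"] == "out" and p2 in src and (r["proto"], r["port"]) not in ALLOWED_OUT:
            findings.append(f"outbound permit beyond web ports: {r['proto']}/{r['port']} from {src}")
    return findings

# Constructed sample policy: P2 at 10.10.20.5 behind the firewall.
GOOD_RULES = [
    rule("out", "permit", "tcp", "10.10.20.5/32", "0.0.0.0/0", 80),
    rule("out", "permit", "tcp", "10.10.20.5/32", "0.0.0.0/0", 443),
    rule("out", "deny", "ip", "10.10.20.5/32", "0.0.0.0/0"),
]
# Constructed drift: a subnet-wide SSH permit and an inbound permit to P2.
BAD_RULES = GOOD_RULES + [
    rule("out", "permit", "tcp", "10.10.20.0/24", "0.0.0.0/0", 22),
    rule("in", "permit", "tcp", "0.0.0.0/0", "10.10.20.5/32", 8443),
]

if __name__ == "__main__":
    for finding in audit("10.10.20.5", BAD_RULES, [("203.0.113.10", "10.10.20.5")]):
        print(finding)
```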

 

4 Replies

Thank you, Ken!

What is the best practice - dedicated real IP or NAT?

I don't know if it is written down anywhere, but I would say NAT...
There isn't really any reason to directly expose the outbound interface to the internet. From the outside, the WSA is just another box surfing the web.

