ASA NAT Best Practice

Hi

I am in the process of reconfiguring all the outside access rules and NATs as we are migrating to a new public IP range. My question is about the best practice when configuring the NAT and access rules. I want to only use manual NATs.

1) Should the outside-in access rule have the destination as the mapped public IP (so any to public IP) or the real IP address (any to real IP) of the internal server?

2) Should the NAT rule (although bidirectional) be inside to outside (real inside real outside translated mapped inside real outside) or the other way around? I know the rule will be bidirectional and I can make it unidirectional, but what works as best practice?

Thanks

Re: ASA NAT Best Practice

Hi,
You would always define the real IP address in the ACL.
Best practice is to be consistent with your NAT rules. Source should be highest security level to lowest, e.g. "nat (inside,outside) ....".

HTH
Re: ASA NAT Best Practice

The biggest rule, as mentioned by RJI, is to be consistent with your NAT and ACL configurations. However, there are some rules I try to follow as best as possible (though it is not easily done in some situations):

1. Configure NAT rules based on an inside to outside traffic flow (i.e. higher security level to lower security level)

2. Always define NAT source and destination interfaces (do not use "any" for an interface)

3. Try to be as specific as possible with the IPs / subnets and ports in ACLs (this is particularly difficult, as server administrators do not always know the traffic flow of their applications.)

4. Restrict access between internal devices (a PC needs to reach the AD, DHCP, DNS and printers, etc., but doesn't need to reach other PCs... usually)

ACLs require the use of the real IP address of an internal host.

--
Please remember to select a correct answer and rate helpful posts
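Putting both replies together (inside-to-outside manual NAT, explicit interfaces, and an outside-in ACL that names the real address), here is an added illustrative ASA 8.3+ configuration; it is not from either poster, and the object names and the 10.1.1.10 / 203.0.113.10 / 198.51.100.5 addresses are constructed placeholders.

```cisco
! Constructed example: one internal web server published on a single public IP.
object network WEB-REAL
 host 10.1.1.10
object network WEB-MAPPED
 host 203.0.113.10

! Manual (twice) NAT written in the inside-to-outside direction, with both
! interfaces named explicitly. Real source = WEB-REAL, mapped source = WEB-MAPPED;
! destination is left untranslated. Because static manual NAT is bidirectional,
! outside hosts connecting to 203.0.113.10 are untranslated to 10.1.1.10.
nat (inside,outside) source static WEB-REAL WEB-MAPPED

! If outbound traffic from the server must not use this mapping, append the
! "unidirectional" keyword instead of writing a second, reversed rule:
!   nat (inside,outside) source static WEB-REAL WEB-MAPPED unidirectional

! Outside-in ACL: on 8.3+ the ACL is evaluated after untranslation, so the
! destination is the REAL address, and the port is restricted to what the
! server actually serves.
access-list OUTSIDE-IN extended permit tcp any object WEB-REAL eq 443
access-group OUTSIDE-IN in interface outside

! Verification: confirm the translation and walk a packet through the rule set.
show nat detail
show access-list OUTSIDE-IN
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
```

The packet-tracer output should show the UN-NAT phase mapping 203.0.113.10 to 10.1.1.10 before the ACCESS-LIST phase matches OUTSIDE-IN; if the ACL had used the mapped address, that phase would report a drop.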