09-11-2013 06:44 PM - edited 03-11-2019 07:37 PM
Hi,
To put my Webserver (DMZ) communicating with my SQLSERVER (INSIDE) I made an exemption of NAT in outbound in both directions. Is this secure?
The protection of the inside network through NAT isn't compromised?
Is there any other or more secure way to do it?
Kind Regards,
AS
09-11-2013 06:57 PM
Hi,
NAT shouldn't really be the deciding factor on which hosts can't communicate.
It's better to use an interface ACL to control what traffic is allowed and what is not. NAT isn't really a suggested solution for this, and I guess it only applies to Cisco ASA (or PIX and FWSM) running 8.2 or below software level, which still had the "nat-control" command.
In the newer software levels I never really configure any NAT between the local LAN/DMZ interfaces of the firewall. The traffic that needs to be allowed or blocked is defined in the source interface's ACL/access-list.
Usually the DMZ should be restricted to only allow a certain few connections to the LAN network and block the rest, since the DMZ is where you might have publicly accessible servers in your network. Therefore, in the event they were compromised, it's good to have them isolated from the LAN network and their access to the LAN set to allow only the bare minimum.
- Jouni
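An added example (not from the thread) of the ACL-based approach described in the reply above, written in ASA 8.3+ syntax. All addresses, object names and interface names are assumptions; the identity NAT line is there only to show that it preserves addresses and grants nothing, while the DMZ interface ACL is what actually restricts the DMZ to the one SQL connection.

```cisco
! Hosts and networks (constructed placeholder addresses)
object network WEBSERVER-DMZ
 host 192.0.2.10
object network SQLSERVER-INSIDE
 host 198.51.100.20
object-group network INSIDE-NETS
 network-object 198.51.100.0 255.255.255.0
!
! Identity (exemption) NAT between DMZ and inside: keeps the real
! addresses on both sides but is NOT an access control; on its own it
! neither permits nor blocks the connection.
nat (DMZ,inside) source static WEBSERVER-DMZ WEBSERVER-DMZ destination static SQLSERVER-INSIDE SQLSERVER-INSIDE
!
! Interface ACL applied inbound on the DMZ: the only traffic allowed from
! the DMZ toward the inside network is the web server reaching the SQL
! server on its listening port (1433). Any other DMZ-to-inside traffic is
! denied and logged, so a compromised DMZ host cannot reach the LAN and
! its attempts show up in the logs. The final line lets DMZ hosts reach
! the Internet; drop it if the DMZ should not initiate outbound traffic.
access-list DMZ-IN extended permit tcp object WEBSERVER-DMZ object SQLSERVER-INSIDE eq 1433
access-list DMZ-IN extended deny ip any object-group INSIDE-NETS log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface DMZ
```

Because the ACL ends with an explicit permit for everything else, the deny line for the inside networks must stay above it; order is what makes the isolation hold.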
09-11-2013 07:05 PM
Hi Jouni,
I can agree more.
In 5505 you can disable nat control and work only with ACL, right?
Kind Regards,
AS