ASA5505-NAT Exemption is secure???

Antonio Simoes
Level 1

Hi,

To put my Webserver (DMZ) communicating with my SQLSERVER (INSIDE) I made an exemption of NAT in outbound in both directions. Is this secure?

The protection of the inside network through NAT isn't compromised?

Is there any other or more secure way to do it?

Kind Regards,

AS

2 Replies

Jouni Forss
VIP Alumni

Hi,

NAT shouldn't really be the deciding factor on which hosts can't communicate.

It's better to use an interface ACL to control what traffic is allowed and what is not. NAT isn't really a suggested solution for this, and I guess it only applies to Cisco ASA (or PIX and FWSM) running 8.2 or below software level, which still had the "nat-control" command.

In the newer software levels I never really configure any NAT between the local LAN/DMZ interfaces of the firewall. The traffic that needs to be allowed or blocked is defined in the source interface's ACL/access-list.

Usually the DMZ should be restricted to only allow a certain few connections to the LAN network and block the rest, since the DMZ is where you might have publicly accessible servers in your network, and therefore in the event they were compromised it's good to have them isolated from the LAN network and their access to the LAN set to allow only the bare minimum.

- Jouni
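An added example (not part of Jouni's reply or the original thread) of the ACL-only approach described above, for ASA 8.3 or later where no NAT statement is needed between DMZ and inside. The interface names, addresses and object names are constructed for illustration; 192.0.2.10 stands for the DMZ web server, 10.0.0.20 for the inside SQL Server, and 10.0.0.0/24 for the inside LAN.

```cisco
! Constructed hosts: replace with your own DMZ web server and inside SQL Server.
object network WEB-DMZ
 host 192.0.2.10
object network SQL-INSIDE
 host 10.0.0.20
!
! ACL applied inbound on the DMZ interface, i.e. to traffic the DMZ originates.
! Entries are evaluated top-down; the first match wins and the ASA appends
! an implicit deny, so the order below matters.
access-list DMZ-IN remark Only the web server may open SQL Server (TCP 1433) to the inside host
access-list DMZ-IN extended permit tcp object WEB-DMZ object SQL-INSIDE eq 1433
access-list DMZ-IN remark Everything else from the DMZ toward the inside LAN is dropped and logged
access-list DMZ-IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ-IN remark Remaining traffic (e.g. DMZ to Internet) is still allowed
access-list DMZ-IN extended permit ip any any
!
access-group DMZ-IN in interface dmz
```

Because the ASA is stateful, the inside SQL Server's replies are matched to the existing connection and need no separate rule on the inside interface; on 8.2 and below with nat-control enabled, this ACL would still need the NAT exemption the original question describes alongside it.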

Hi Jouni,

I can agree more.

In the 5505 you can disable nat control and work only with ACLs, right?

Kind Regards,

AS