
security scenario deployment

kunal-united
Level 1

Hi,

I have a Cisco ASA firewall.

Outside - Connected to Internet.

DMZ- Connected to servers which open up connections to the Inside zone.

Inside - secure applications.

Scenario 1

When a request from the Internet hits the firewall's public OUTSIDE IP, I NAT it to a private IP in the DMZ zone, which has the servers.

Scenario 2

Question 1) I can have the request from the Internet hit the DMZ zone directly instead of the outside zone, provided the DMZ zone servers are in the public range. Is this correct?

Question 2) So the question is when I would use scenario 1 and when I would use scenario 2.

Question 3) Which is considered a best practice?

-----------------------------------------------------------------------------

Thanks,

Kunal

1 Reply

varrao
Level 10

Hi Kunal,

Answer 1. You can do that if you want; you can assign the servers a public IP address directly, and there should not be an issue with that.

Answer 2. My personal opinion would be scenario 1, just because of the security provided by it: the outside world doesn't really know the real IP of the server. Moreover, due to the scalability option, I can save public IPs by doing it. If you do port forwarding, you can even use the same IP for multiple internal servers running different applications, which makes more sense.

Answer 3. Scenario 1, until it is a requirement to implement scenario 2.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
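
The port forwarding described in the answer above, sketched as an added configuration example that is not part of the original thread. It assumes ASA software 8.3 or later (object NAT syntax), interfaces named `outside` and `dmz`, and constructed addresses; one spare public IP (not the outside interface address) fronts two DMZ servers on different ports.

```cisco
! Added example. All names and addresses are constructed:
!   203.0.113.10     = spare public IP routed to the ASA (documentation range)
!   192.168.10.0/24  = private DMZ subnet
!
! Scenario 1 with port forwarding (static PAT):
! two private DMZ servers share one public IP, split by TCP port.
object network DMZ-WEB
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.10 service tcp https https
!
object network DMZ-MAIL
 host 192.168.10.20
 nat (dmz,outside) static 203.0.113.10 service tcp smtp smtp
!
! From 8.3 onward the outside ACL matches the real (private) address,
! not the mapped public one. Permit only the published ports; the ACL's
! implicit deny drops everything else arriving from the Internet.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended permit tcp any object DMZ-MAIL eq smtp
access-group OUTSIDE-IN in interface outside
```

`show nat detail` and `show access-list OUTSIDE-IN` on the firewall confirm which translations and permit entries are actually taking hits.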