Your Thoughts on a Dynamic NAT or PAT from Inside to DMZ

Hi there. I have been conducting ASA upgrades (8.2 > 9.1) and at the same time doing a tremendous amount of cleanup, e.g. the usual untidy mess of stale objects, obscure undocumented rules, and messy NAT configurations.

There seems to be a school of thought here that you need a Dynamic NAT or PAT for traffic sourced in the 'INSIDE' when headed to the 'DMZ'.  

The original configurations that I inherited had Dynamic NAT pools going in every direction, resulting in a lot of static Identity NATs as it would break certain traffic. After doing cleanup, we have much cleaner, and I feel best practice, configurations such as:

nat (inside,outside) after-auto source dynamic INTERNAL-NET interface

I know one can argue that "you will secure your internal host traffic if there is malicious activity in the DMZ", but it seems that if your FW perimeter / DMZ has been compromised, this Dynamic NAT pool isn't going to save you.

Thoughts?

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

As per this Interface PAT configuration, this would certainly secure your network rather than doing a NONAT for this traffic.

The reason for that is that the DMZ users would not be able to initiate connections back to the internal users, as Dynamic PAT works unidirectionally.

Again, other than this, we can still secure the internal networks even with the Static Identity NAT as well by using an ACL.

So, this is just a design requirement query. If you think the DMZ would ever initiate any connections, Dynamic PAT is not an option.

Thanks and Regards,

Vibhor Amrodia
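The two designs discussed in this thread (dynamic interface PAT from inside to DMZ, versus identity NAT with an ACL on the DMZ interface), written out side by side as an added example; this is not configuration from either post. The object names INTERNAL-NET and DMZ-NET, the 10.0.0.0/24 and 192.168.100.0/24 ranges, the interface name dmz and the host addresses in the packet-tracer lines are constructed for the example; the syntax is ASA 8.3+/9.1 style.

```cisco
! --- Assumed objects (constructed for this example) ---
object network INTERNAL-NET
 subnet 10.0.0.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.100.0 255.255.255.0
!
! --- Design A: dynamic interface PAT from inside to DMZ ---
! Inside hosts appear in the DMZ as the dmz interface address; the
! translation entries are created only by inside-initiated flows.
nat (inside,dmz) after-auto source dynamic INTERNAL-NET interface
!
! --- Design B: identity NAT (NONAT) from inside to DMZ, policy in an ACL ---
! Real addresses are kept in both directions; the inbound ACL on the
! dmz interface is the explicit control that stops DMZ hosts from
! initiating connections to the inside network.
nat (inside,dmz) source static INTERNAL-NET INTERNAL-NET destination static DMZ-NET DMZ-NET
access-list DMZ-IN extended deny ip object DMZ-NET object INTERNAL-NET log
access-list DMZ-IN extended permit ip object DMZ-NET any
access-group DMZ-IN in interface dmz
!
! --- Verification: check the behaviour instead of assuming it ---
show nat detail
! A DMZ-initiated connection towards an inside host (constructed
! addresses): the output names the NAT rule and ACL that act on it
! and whether the packet is allowed or dropped.
packet-tracer input dmz tcp 192.168.100.10 12345 10.0.0.10 445
! The intended direction, inside to DMZ, for comparison.
packet-tracer input inside tcp 10.0.0.10 40000 192.168.100.10 443
```

Since 8.3 the ASA no longer has nat-control, so a packet that matches no translation is not dropped for that reason alone; what stops a DMZ-initiated flow to the inside is the interface security policy, which is why the deny line in DMZ-IN is worth keeping in either design and why packet-tracer, not the NAT table, is the place to confirm it.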
