Stealthwatch NAT IP Host Groups best practice

iurii
Level 1

Hi ppl,

I've just installed SNA in a small environment where I have only an ASA as a NetFlow (NSEL) source. This ASA also provides NAT for this network.

As I classify inside IPs into DMZ, Inside, WiFi and/or Function Host Groups, there is a question of how to classify the NAT IPs (Inside Global IPs) bound to the inside ones.

For example, global IP 194.x.x.66 provides static NAT for accessing the web server 192.168.2.66 in the DMZ. Both IPs are represented as different entities in the Hosts table.

So how should these NAT IPs be classified? Is it better to classify them as a NAT gateway or the same as the inside host? Or is there another strategy?


Philipp Tannich
Cisco Employee

Hey @iurii,

The Host Groups do not have as much of an impact as you might think.
It is more of a speakable piece of information, so that you know, e.g., this event is telling me that a server from host group A wants to connect to a server in host group B. And if this sounds suspicious, you can dig deeper here.

However, what you have to keep in mind is that you can also assign rules/actions/etc. to a host group. So when you, e.g., want to trust a host group but the wrong servers are in it, this can't be good.

Tl;dr, SNA does not care where you put the NAT gateway, but you have to make sure it suits your needs.

Hope this helps, cheers