One to one NAT or assign a public IP to an interface.

Hello All,

We decided to place our UTM 9 (SG-430) between our Cisco ASA and our Cisco 6500 Switch.

With that stated, we did not have to assign a public address on any interface. 

In essence we have been using the UTM as a secondary scrub of our network.

It also gives us more granular controls to users/network traffic(above layer 3).

We are using the Cisco ASA for S2S IPsec Connections and the Cisco AnyConnect Client.

Well, we now would like to use the UTM's VPN solutions like HTML5, client VPN, RED, etc.

Given the top level view, what implementation has been more reliable for those which may have a similar design?

1. Giving a One to One NAT assignment to the UTM (Public to Private).

2. Setting up a public IP on an interface (for VPN clients), then directing the traffic to exit the UTM's internal GW, our Core Switch.

3. ?

Both methods will get a public DNS assignment which will be pointing to their respective public IP. 

Thanks



  • Hi, Mario, and welcome to the UTM Community!

    If you're not going to use IPsec, both of your methods will work.  With IPsec, 1 is possible, but not elegant.

    Your topology is not clear.  Is the UTM currently bridged between your LANs and your Cisco or do you have only a single interface defined for each internal Ethernet segment or ???

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for the response and advice.

    The UTM is indeed bridged.

    WAN Router-->ASA-->UTM-If4-->bridged to UTM-If8-->Core Switch

    I have an appointment with an engineer from the Sophos Boston office next week. I will let you folks know what the recommendation is with regards to our network.

    Mario

  • Sophos engineer coming around? My guess is they will recommend the UTM on the edge and ditch the ASA (just my guess though) unless there's anything there that can't be changed.

    We moved off the ASAs (5520s) and onto active/failover SG310s on our 2 core sites.

    We have IPsec VPNs site to site, road warriors, multiple leased lines, DMZs, SMTP proxy, you name it, we have it. We also run the UTM in conjunction with Sophos endpoint protection (standalone, not the UTM variety, as we have 1000 users).

    All in all, we're very happy with the purchase and it was far, far cheaper than Cisco. Don't get me wrong, I love our Cisco kit, routers, switches etc., but the ASA at the time just wasn't cutting it for what we wanted.

    With any product change, you will get things you like and things you miss. For me, I miss the realtime log viewer on Cisco, but this is easily overcome with tcpdump and syslog.

    I've also found that once your firewall rules start getting high in terms of numbers of rules, the GUI isn't quite as clear as the Cisco, although this doesn't detract from its use etc. It just takes a little while getting used to.

    So all in all, we are very happy with the UTM so don't be afraid if the Sophos engineer advises putting it on the edge instead of the engineer.

    One piece of advice though is to read the sticky on here called RULZ especially if you are going to use the more exotic stuff on the UTM eg web protection, web application firewall, smtp proxy etc. For me, rule number 2 is the one that has tripped me a few times and it's vital to know in which order connections are processed. If you read that doc and take it in, you will have a good understanding of the UTM.

  • Update,

    The engineer did indeed recommend trashing the ASA...LOL

    So, as most of you would foresee/suggest, the engineer recommended LOTS of NAT.

    Other tips:

    - Ideal to have a public address per solution (i.e. RED, SSL, HTML5*)

    * He suggested strongly NOT to use HTML5 unless it was a small group (1-10). I administer an SG430.

    - Use the UTM's cert before using an external one.

    - If you have to have IKEv2, which UTM does not, use a spare Cisco router if available. I do not, so the ASA will eventually remain a VPN device for IKEv2 S2S connections.

        The FW/NAT/ACLs will be moved over to the UTM, if we decide to stick to it.......has been a real sore spot lately.

    Thank you folks for contributing.

    Mario
