
One to one NAT or assign a public IP to an interface.

Hello All,

     We decided to place our UTM 9 (SG-430) between our Cisco ASA and our Cisco 6500 Switch.

With that stated, we did not have to assign a public address on any interface. 

In essence we have been using the UTM as a secondary scrub of our network.

It also gives us more granular controls over users/network traffic (above layer 3).

We are using the Cisco ASA for S2S IPsec Connections and the Cisco AnyConnect Client.

Well, we now would like to use the UTM's VPN solutions like HTML5, client VPN, RED, etc.

Given the top level view, what implementation has been more reliable for those which may have a similar design?

1. Giving a one-to-one NAT assignment to the UTM (public to private).

2. Setting up a public IP on an interface (for VPN clients), then directing the traffic to exit the UTM's internal GW, our core switch.

3. ?

Both methods will get a public DNS assignment which will point to their respective public IP.


Thanks



  • I always try to use auto rules in SSL VPN Remote Access profiles - a glance at that section is all that's needed to understand who has access to what.  Same for Site-to-Site where I see some people include everything in 'Local/Remote Networks' on both sides and then regulate with Firewall rules.  I prefer multiple tunnels so that I can see everything in one place.  Only when the requirement is to limit access to specific ports do I use manual rules.

    When it comes to complex Web Protection configurations with multiple Profiles, there are multiple firewall rules that are only visible at the command line using iptables commands.

    How is a zone in Cisco-speak any different than putting "Server (Network)" and "Storage (Network)" into a group called "Infrastructure" and then creating a firewall rule 'Infrastructure -> Any -> Infrastructure : Allow'?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
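The group-based rule Bob describes can be checked with a small policy evaluator. The following is an added example written for this thread, not Sophos UTM code or Bob's own configuration: the network addresses, the extra "Users (Network)" object and the default-drop behaviour are constructed assumptions. It expands the "Infrastructure" group into its member networks and evaluates the single rule 'Infrastructure -> Any -> Infrastructure : Allow', showing that it permits Server <-> Storage traffic in both directions while traffic to or from a network outside the group falls through to the default.

```python
"""Evaluate a group-based firewall rule of the form
'Infrastructure -> Any -> Infrastructure : Allow'.

Added example for the thread above (not Sophos UTM code). All addressing
below is constructed for illustration.
"""
import ipaddress

# Constructed network definitions (assumed, not from the thread).
NETWORKS = {
    "Server (Network)": ipaddress.ip_network("10.10.0.0/24"),
    "Storage (Network)": ipaddress.ip_network("10.20.0.0/24"),
    "Users (Network)": ipaddress.ip_network("10.30.0.0/24"),
}

# Network groups: a group is just a named list of network objects (or groups).
GROUPS = {
    "Infrastructure": ["Server (Network)", "Storage (Network)"],
}

# Rule table: (source object, service, destination object, action).
# 'Any' as a service matches every service; 'Any' as an object matches
# every address.
RULES = [
    ("Infrastructure", "Any", "Infrastructure", "Allow"),
]


def expand(obj):
    """Expand a network object or group name into a list of ip_network."""
    if obj == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if obj in GROUPS:
        nets = []
        for member in GROUPS[obj]:
            nets.extend(expand(member))  # groups may nest
        return nets
    return [NETWORKS[obj]]


def matches(nets, addr):
    """True if the address falls inside any of the given networks."""
    return any(addr in net for net in nets)


def evaluate(src, dst, service="Any", rules=RULES, default="Drop"):
    """Return the action of the first rule matching src/dst/service,
    or the default action (assumed to be Drop) when no rule matches."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_obj, svc, dst_obj, action in rules:
        if svc not in ("Any", service):
            continue
        if matches(expand(src_obj), s) and matches(expand(dst_obj), d):
            return action
    return default


if __name__ == "__main__":
    checks = [
        ("10.10.0.5", "10.20.0.7"),   # Server -> Storage
        ("10.20.0.7", "10.10.0.5"),   # Storage -> Server
        ("10.10.0.5", "10.30.0.9"),   # Server -> Users (outside the group)
        ("10.30.0.9", "10.10.0.5"),   # Users -> Server (outside the group)
    ]
    for src, dst in checks:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Because the rule's source and destination are the same group, it behaves like an intra-zone allow: every member network can reach every other member, and nothing outside the group is matched. Adding a third network to the group widens the allow in both directions at once, which is the point Bob makes about keeping such relationships visible in one place.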