From: Steve Means (smeans@ccbootcamp.com)
Date: Thu Mar 05 2009 - 14:25:04 ARST
I guess one question here is why the need for multiple inline firewalls from a
design standpoint?
Assuming there is some reason, why is multiple NAT being considered? Is it
purposeful? Can one device simply NOT nat and just filter/route?
Yes, the ASA can NAT if the real IP is several hops away. As you hit on, it just
needs to know where to send those packets, either with a static route or an
IGP.
As for where to put the DMZ in that diagram, it really depends on what you're
hoping to accomplish. If you want TWO different vendor devices to take a look
at packets from the outside to the DMZ for security reasons, hang it off the
Juniper.
If you're less concerned with the DMZ servers themselves and more with your
inside network, then hang it off the ASA. Incoming packets get looked at by the
ASA. If the DMZ servers are breached, they still have to get past the Juniper.
These are just generalities, and it would really take a sit-down review of
the traffic to give a solid answer.
Steve Means
Security Instructor/Consultant
smeans@ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
877.654.2243 Toll Free
+1.702.968.5100 Direct Outside the USA
+1.702.446.0357 Fax
YES! We take Cisco Learning Credits
Training And Remote Racks: http://www.ccbootcamp.com
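A worked ASA configuration for the case Steve describes (real IP two hops behind the ASA, reached through a static route toward the Juniper), plus a NAT exemption for the voice traffic the original question raises. This is an added example, not from either poster; it assumes pre-8.3 ASA NAT syntax and constructed addresses (203.0.113.0/24 as the public block, 10.0.0.0/24 between ASA and Juniper, 10.1.1.0/24 behind the Juniper, 10.9.0.0/16 as a remote voice site).

```cisco
! Constructed topology (placeholder addresses, not from the thread):
! Internet router 203.0.113.1 -- ASA (outside 203.0.113.2 / inside 10.0.0.1)
!   -- Juniper 10.0.0.2 -- 10.1.1.0/24 (mail server 10.1.1.25, two hops away)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the Internet router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The real IP is not on a connected subnet: tell the ASA the next hop is the Juniper
route inside 10.1.1.0 255.255.255.0 10.0.0.2 1
!
! Static NAT: public 203.0.113.25 <-> real 10.1.1.25 (host behind the Juniper)
static (inside,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255
!
! Only allow the mail ports in; pre-8.3 ACLs reference the translated (public) address
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq https
access-group OUTSIDE_IN in interface outside
!
! PAT on the outside interface for ordinary outbound traffic
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
!
! NAT exemption ("bypass NAT") for voice between the inside nets and the remote
! site, so the ASA does not add a second translation on top of the Juniper's
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

The Juniper must route 10.1.1.0/24 return traffic and its own default back toward 10.0.0.1, otherwise the translated flows are asymmetric and the ASA drops them.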
________________________________
From: nobody@groupstudy.com on behalf of Shahid Ansari
Sent: Thu 3/5/2009 7:24 AM
To: Cisco certification; Cisco certification; Farrukh Haroon
Subject: NAT-ASA-Juniper Security
Hi Sec. Guys,
I have a question regarding NAT. As I am configuring inside NAT on the ASA, does
NATting work on the ASA if the REAL IP is one or two hops away from the ASA?
And if it works, how does the ASA know how to reach that host? By static routes?
If I do double NAT, I can face problems with Streamline applications (Voice);
what about Bypass NAT?
Below, what is the best place to create DMZs for external Web servers: on the ASA
or on the Juniper?
Design 1
Internet Router-----ASA----Juniper----Internal Servers(Email Server)
!
!
DMZ Web servers, e.g. Email server
Internet router, ASA outside has public block
OR
Design 2
Internet Router-----ASA----Juniper----Internal Servers(Email Server)
!
!
DMZ Web servers, e.g. Email server
Any help or clue is really appreciated.
Thanks
Shahid Ansari
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART