«

I Have a 1721 with a second Ethernet NIC. The WIN-ENET1 card is
connected to the DSL modem and doing PPPoE. the IOS that is on it is:
c1700-k9o3sy7-mz.122-11.T10.bin Its been a while since we have used
the Router, so I dont remember whats included in the Feature Set.

I'm using NAT to get out thought the Dynamic assigned address.

How secure is this setup? If I have 3 PCs behind the NATed external
Address can someone connect to that outside address and get access to
the internal Machines?

What should I do to prevent this?

Thanks,
Scott<-

Hi Scooter,

> I'm using NAT to get out thought the Dynamic assigned address.
>
> How secure is this setup?

Thats begs the question, how much "security" do you want? I will
assume a standard home user level of security requirements, no
business needs.

The "default" configuration for using NAT on Cisco devices only allows
INBOUND traffic to pass that has been REQUESTED by something from the
"inside". No unsolicited traffic can pass inbound through the default
Cisco NAT, so all devices behind the Cisco device doing the NAT are
fairly "safe" from unsolicited traffic.

However remember that the device doing NAT still has a public side
that may need further "protection", its up to the operator of that
device to determine what else they may need to do.

> If I have 3 PCs behind the NATed external
> Address can someone connect to that outside address and get access to
> the internal Machines?

Not unless you specifically allow something through the NAT device.

> What should I do to prevent this?

As for as NAT goes, whatever is behind a basic NAT setup should be
reasonably safe, PROVIDED you do not have anything configured to allow
something through.

Cheers..............pk.

"Peter" <> wrote in message
news:42294493$...
> Hi Scooter,
>
> > I'm using NAT to get out thought the Dynamic assigned address.
> >
> > How secure is this setup?
>
> Thats begs the question, how much "security" do you want? I will
> assume a standard home user level of security requirements, no
> business needs.
>
> The "default" configuration for using NAT on Cisco devices only allows
> INBOUND traffic to pass that has been REQUESTED by something from the
> "inside". No unsolicited traffic can pass inbound through the default
> Cisco NAT, so all devices behind the Cisco device doing the NAT are
> fairly "safe" from unsolicited traffic.
>
> However remember that the device doing NAT still has a public side
> that may need further "protection", its up to the operator of that
> device to determine what else they may need to do.
>

Actually, the default as you described is for PAT. However, if the user has
a pool of addresses that are assigned and the address will use all ports,
then the devices are left wide open.

> > If I have 3 PCs behind the NATed external
> > Address can someone connect to that outside address and get access to
> > the internal Machines?
>
> Not unless you specifically allow something through the NAT device.
>

Yes... Nat, simply is an address translation. Once the translation is
setup, all traffic will pass.

> > What should I do to prevent this?
>
> As for as NAT goes, whatever is behind a basic NAT setup should be
> reasonably safe, PROVIDED you do not have anything configured to allow
> something through.
>
> Cheers..............pk.

I would at a minimum add an access list and use the keyword 'established'.
However, that has it's own problems. If you have the license, use CBAC.

Hope that helps,

Jim

Scooby wrote:

> I would at a minimum add an access list and use the keyword
> 'established'.
> However, that has it's own problems. If you have the license, use CBAC.

Yes. without that, anybody knowing the local inside address of a natted host
can at least ping it, at worst don't know.Surely you can discover what 's
behind a nat if admin isn't protecting it with access list or other.

In article < .com>,
Scooter <> wrote:
:I'm using NAT to get out thought the Dynamic assigned address.

:How secure is this setup?

Not very. See a discussion of the issue I wrote up awhile ago,
http://groups.google.ca/groups?selm=...c.umanitoba.ca

If you want some real harsh (but theoretically correct) criticism of
NAT, then look for postings by Melinda Shore.
--
Are we *there* yet??

So I just Picked up a PIX 501 10 User on eBay for $307. I'm guessing
that should pretty much eliminate my security issues. (-; Of Course
I'll need to configure it right! (-;

Has the same IOS as my PIX 515 at the office, so is should be okay.

Thank you all for the replies!