We have three 2801 routers and one ASA 5505. All connected by a VPN configuration. I have noticed that the other admins did the following configuration:
1. they did not assign ip nat inside, ip nat outside on each interface
2. they did not make NAT on the external interface
3. they only put the ip route to the ASA where we have published our application using Citrix.
example: ip route 0.0.0.0 0.0.0.0 10.1.1.1
4. they made an Access list on each router to allow the internal IP generated by by a DHCP pool to access the IP address of the Application server behind the ASA firewall.
ip route 192.168.1.10 255.255.255.255 10.1.1.1
access-list 100 permit ip 172.16.1.0 0.0.0.255 host 192.168.1.10
in this way our users will put in the Remote connection the IP address 192.168.1.10 and the router will forward the request to the 10.1.1.1 our firewall
5. they inserted an access list with a static statement on the ASA to allow requests from 172.16.1.0 to access the host 192.168.1.10
10.1.1.1 is the external IP of the ASA
192.168.1.10 is the IP address of the Server behind the ASA
172.16.1.0 is the DHCP pool made on the router for internal users
this procedure is made on all 2 remaining routers.
could you please show me what security risks there might be in such design? or any problems that might rise by not natting or identifying what is insde interface what is outside with no deny or permit access lists.
I did a simple remote desktop connection from a PC coonected to one router to another PC setting on the other side of another router and I managed to remote successfully. this is one thing. but I need more insights and suggestions of possible.