Gateway Router Changeout
Mr Big
Member Posts: 47 ■■□□□□□□□□
in CCNA & CCENT
Ok, I have a few ideas but I need everyone's expertise.
I've posted previous posts regarding this, but I'll start over.
I am replacing an EdgeMarc with a Cisco 2811 router with 2 ports. I have the WAN going to our ISP on port fa0/0 and LAN on fa0/1. On the LAN I have a 192.168.0.1 network and a 70.x.x.32 network. The 192 just needs to talk out, but the 70s are for servers, and some need to talk out and talk in, and need to be accessible from the WAN. I came up with a few sample configs with the help of a fellow Cisco member; please ignore any misprints or misspellings, this is just a rough draft:
Option 1
interface FastEthernet 0/0
 description Connection to Cox Cable
 ip address 68.x.x.1 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet 0/1.70
 description DMZ Network 70.x.x.x
 encapsulation dot1Q 70
 ip address 70.0.0.33 255.255.255.224
!
interface FastEthernet 0/1.192
 description Internal Private Network 192.168.x.x
 encapsulation dot1Q 192
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
! only the 192 network is translated (PAT on the WAN address)
ip nat inside source list 1 interface FastEthernet 0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
!
! ACL 101 is applied inbound on the WAN; the deny lines drop packets
! arriving from the ISP with spoofed private, loopback, multicast or
! own-subnet sources, then only the listed services are let in
access-list 101 deny icmp any any redirect
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip 70.0.0.32 0.0.0.31 any
access-list 101 permit tcp any host 70.0.0.33 established
access-list 101 permit tcp any host 70.0.0.34 eq www
access-list 101 permit tcp any host 70.0.0.35 eq smtp
access-list 101 permit tcp any host 70.0.0.36 eq ftp
access-list 101 deny ip host 0.0.0.0 any
The switch will be VLAN'd to work with the above config.
Option 2 -
interface FastEthernet 0/0
 ip address 68.x.x.1 255.255.255.248
 ip access-group 121 in
!
! single LAN interface carrying both networks, the 70 range as a secondary address
interface FastEthernet 0/1
 ip address 192.168.0.100 255.255.255.0
 ip address 70.x.x.x 255.255.255.224 secondary
!
access-list 121 permit tcp any host 70.x.x.33 eq www
access-list 121 permit tcp any host 70.x.x.34 eq ftp
access-list 121 permit tcp any host 70.x.x.35 eq smtp
! and so on
access-list 121 deny ip any any
The 192 network will have a NAT statement, not sure how to implement it though. Feel free to make any corrections necessary, or any suggestions. It will be greatly appreciated!
Comments
keenon Member Posts: 1,922 ■■■■□□□□□□
I would go with option 1.
However, I would specify any 192 addresses that will be able to completely connect to the servers.
You may want to go with named ACLs as they will be easier to recognize when having to make changes.
Become the stainless steel sharp knife in a drawer full of rusty spoons
Mr Big Member Posts: 47 ■■□□□□□□□□
keenon wrote:
However, I would specify any 192 addresses that will be able to completely connect to the servers.
What do you mean? If you mean internally I can... but to access the 70 network from the 192 it will basically go out and come back in. Yeah, it's more traffic, but hopefully in a year we will do a changeout.
marlon23 Member Posts: 164 ■■□□□□□□□□
Option 1 conf seems OK.
LAB: 7609-S, 7606-S, 10008, 2x 7301, 7204, 7201 + bunch of ISRs & CAT switches
Danman32 Member Posts: 1,243
As long as the ISP knows to route the 70. network to the 68.x.x.x address on the Fa0/0 interface, that should be fine.
rossonieri#1 Member Posts: 799 ■■■□□□□□□□
Hello there,
you have:
deny ip 192.168.0.0 bla bla bla any
deny ip 172.16.0.0 bla bla bla any
The Q: how can they talk to the outer world?
The IP protocol is lower than TCP in the "OSI layer"; it doesn't care what you have in the upper layer, if you have denied the lower one then you should forget the rest.
And, if you want your server to talk behind NAT:
specify NAT inside on the intf,
ip nat inside source static tcp <server-ip> <server-port> <outside-ip> <outside-port>
cheers...
the More I know, that is more and More I dont know.
david_r Member Posts: 112
Here's a first draft of something that might work.
interface FastEthernet 0/0
 description Connection to Cox Cable
 ip address 68.x.x.1 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
!
! inbound from the ISP: return traffic for .33 plus the three published services
access-list 101 permit tcp any host 70.0.0.33 established
access-list 101 permit tcp any host 70.0.0.34 eq www
access-list 101 permit tcp any host 70.0.0.35 eq smtp
access-list 101 permit tcp any host 70.0.0.36 eq ftp
! outbound to the ISP: only the /27 may leave
access-list 102 permit ip 70.0.0.32 0.0.0.31 any
On the incoming interface, it will allow sessions that .33 started to function. It will allow www, smtp and ftp to .34, .35, and .36 respectively. It will deny everything else.
On the outgoing interface, it will allow your /27 full access to the outside world, but you're going to have some broken stuff if anything falls outside of what is allowed in ACL 101. You'll need something outbound. You could just not put an outbound ACL and let COX worry about dropping the non-routable packets. Or maybe you want to prevent other hosts on 70.0.0.32/27 from getting out and need to get more granular?
BubbaJ Member Posts: 323
You probably want to make sure that you can't telnet to the router from the WAN, and check for unicast RPF to make sure you don't get spoofed.
Mr Big Member Posts: 47 ■■□□□□□□□□
david_r wrote:
Here's a first draft of something that might work.
interface FastEthernet 0/0
 description Connection to Cox Cable
 ip address 68.x.x.1 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
!
access-list 101 permit tcp any host 70.0.0.33 established
access-list 101 permit tcp any host 70.0.0.34 eq www
access-list 101 permit tcp any host 70.0.0.35 eq smtp
access-list 101 permit tcp any host 70.0.0.36 eq ftp
access-list 102 permit ip 70.0.0.32 0.0.0.31 any
On the incoming interface, it will allow sessions that .33 started to function. It will allow www, smtp and ftp to .34, .35, and .36 respectively. It will deny everything else.
On the outgoing interface, it will allow your /27 full access to the outside world, but you're going to have some broken stuff if anything falls outside of what is allowed in ACL 101. You'll need something outbound. You could just not put an outbound ACL and let COX worry about dropping the non-routable packets. Or maybe you want to prevent other hosts on 70.0.0.32/27 from getting out and need to get more granular?
Actually, I do need this subnet to get out. This range of IPs is reserved for servers. That config will work. Thanks for all the feedback!!!
david_r Member Posts: 112
Mr Big,
Remember, that was a first draft. You'll need to allow your TCP established traffic to your other servers and your WAN interface back in, i.e. your POP mail and NAT are currently broken. I think I'd permit ICMP for now and some sort of access, or you'll be driving back into work. You can set up a local UN/PW on your vty to make it a little more secure, but that'd be up to your security policy.
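To see how the original post's ACL 101 and david_r's caveat about reply traffic play out, here is an added example (not from the thread or any poster): a small first-match evaluator for IOS-style numbered ACLs, run over ACL 101 reduced to the rules that behave differently (the 10/172.16/127/224 denies act like the 192.168 one), with constructed packets arriving on Fa0/0 from the ISP side. 68.0.0.1 and 203.0.113.10 are constructed stand-ins for the thread's 68.x.x.1 WAN address and an arbitrary Internet host; ack=True marks a reply segment.

```python
import ipaddress
# The thread's ACL 101 (inbound on Fa0/0) reduced to the rules that behave differently:
# the 10/172.16/127/224 denies act like the 192.168 one; the own-subnet deny has its wildcard.
ACL_101 = """
deny ip 192.168.0.0 0.0.255.255 any
deny ip 70.0.0.32 0.0.0.31 any
permit tcp any host 70.0.0.33 established
permit tcp any host 70.0.0.34 eq www
permit tcp any host 70.0.0.35 eq smtp
deny ip host 0.0.0.0 any
"""
# david_r's caveat: replies to the other servers and to the NATed WAN address need
# their own 'established' permits (68.0.0.1 is a constructed stand-in for 68.x.x.1).
FIX = "permit tcp any 70.0.0.32 0.0.0.31 established\npermit tcp any host 68.0.0.1 established\n"
PORTS = {"www": 80, "smtp": 25, "ftp": 21}

def _addr(tok, i):
    # 'any', 'host A' or 'A wildcard' at tok[i]; returns (network, index of next token)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, mask = (tok[i + 1], "32") if tok[i] == "host" else (tok[i], tok[i + 1])
    return ipaddress.ip_network(addr + "/" + mask, strict=False), i + 2

def parse_acl(text):
    # rule = (action, proto, src net, dst net, dst port or None, established?)
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = PORTS[tok[i + 1]] if tok[i:i + 1] == ["eq"] else None
        rules.append((tok[0], tok[1], src, dst, dport, "established" in tok[i:]))
    return rules

def evaluate(rules, proto, src, dst, dport=0, ack=False):
    # first match wins; IOS ends every ACL with an implicit 'deny ip any any'
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport, est in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and (rport is None or rport == dport) and (not est or ack)):
            return action
    return "deny"

def verdicts(acl_text):
    r = parse_acl(acl_text)
    return {
        "spoofed_192": evaluate(r, "tcp", "192.168.7.7", "70.0.0.34", 80),
        "web_to_34": evaluate(r, "tcp", "203.0.113.10", "70.0.0.34", 80),
        "reply_to_35": evaluate(r, "tcp", "203.0.113.10", "70.0.0.35", 51000, ack=True),
        "reply_to_nat": evaluate(r, "tcp", "203.0.113.10", "68.0.0.1", 51000, ack=True),
    }
```

Running verdicts(ACL_101) shows the spoofed source and the replies to .35 and to the WAN address all denied, while verdicts(ACL_101 + FIX) lets the two replies through without loosening the spoof checks.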