Gateway Router Changeout

Ok, I have a few idea's but I need everyones expertise

I've posted previous posts regarding this, but I'll start over.

I am replacing an edgemarc with a cisco 2811 router with 2 ports. I have the WAN going to our ISP on port fa0/0 and LAN on fa0/1. On the LAN I have a 192.168.0.1 network, and a 70.x.x.32 network. The 192 just needs to talk out, but the 70 are for servers, and some need to talk out and talk in, and need to be accessable from the WAN. I came up with a few sample configs with the help of a fellow cisco member, please ignore any misprints, or mispellings, this is just a rough draft:

Option 1

interface FastEthernet 0/0 
description Connection to Cox Cable 
ip address 68.x.x.1 255.255.255.252 
ip nat outside 
ip access-group 101 in 

interface FastEthernet 0/1.70 
description DMZ Network 70.x.x.x 
encapsulation dot1Q 70 
ip address 70.0.0.33 255.255.255.224 

interface FastEthernet 0/1.192 
description Internal Private Network 192.168.x.x 
encapsulation dot1Q 192 
ip address 192.168.0.1 255.255.255.0 
ip nat inside 

ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0 

ip nat inside source list 1 interface FastEthernet 0/0 overload 

access-list 1 permit 192.168.0.0 0.0.0.255 

access-list 101 deny icmp any any redirect 
access-list 101 deny ip 10.0.0.0    0.255.255.255 any 
access-list 101 deny ip 192.168.0.0 0.0.255.255 any 
access-list 101 deny ip 172.16.0.0  0.15.255.255 any 
access-list 101 deny ip 127.0.0.0 0.255.255.255 any 
access-list 101 deny ip 224.0.0.0 31.255.255.255 any 
access-list 101 deny ip 70.0.0.32 255.255.255.224 
access-list 101 permit tcp any host 70.0.0.33 established 
access-list 101 permit tcp any host 70.0.0.34 eq www 
access-list 101 permit tcp any host 70.0.0.35 eq smtp 
access-list 101 permit tcp any host 70.0.0.36 eq ftp 
access-list 101 deny ip host 0.0.0.0 any

The switch will be VLAN'd to work with the above config.

Option 2 -

Configure Fa0/0 - 68.x.x.1 255.255.255.248 
Configure Fa0/1 - 192.168.0.100 255.255.255.0 
70.x.x.x 255.255.255.224 secondary
access-group 121 

On Fa0/0 - access-list 121 permit tcp any host 70.x.x.33 eq www 
access-list 121 permit tcp any host 70.x.x.34 eq ftp 
access-list 121 permit tcp any host 70.x.x.35 eq smtp 
And so on 
access-list 121 deny ip any any

192 network will have a NAT statement, not sure how to impliment it though. Feel free to make any corrections necessary, or any suggestions. It will be greatly appreciated!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

keenon

i would go with option 1

however i would specify any 192 addresses that will be able to completely connect to the servers

you may want to go with named acls as they will be easier to recognize when having to make changes.

Mr Big

keenon wrote:

however i would specify any 192 addresses that will be able to completely connect to the servers

What do you mean? If you mean internally I can...but to access a 70 network from the 192 it will basically go out and come back in, yeah it's more traffic, but hopefully in a year we will do a changeout.

marlon23

option 1 conf seems ok

Danman32

As long as the ISP knows to route the 70. network to the 68.x.x.x address on the Fa0/0 interface, that should be fine.

rossonieri#1

hello there,

you have :
deny ip 192.168.0.0 bla bla bla any
deny ip 172.16.0.0 bla bla bla any

the Q : how can they talk to the outer world?
IP protocol is lower then TCP in "OSI layer", dont care what you have in the upper layer if you have deny the lower one - the you should forget the rest.

and, if you want your server to talk behind NAT :
specify NAT inside on the intf,
ip nat inside source static tcp <server:port> <outer:port>

cheers...

david_r

Here's a first draft of something that might work.

interface FastEthernet 0/0 
description Connection to Cox Cable 
ip address 68.x.x.1 255.255.255.252 
ip access-group 101 in
ip access-group 102 out

access-list 101 permit tcp any host 70.0.0.33 established 
access-list 101 permit tcp any host 70.0.0.34 eq www 
access-list 101 permit tcp any host 70.0.0.35 eq smtp 
access-list 101 permit tcp any host 70.0.0.36 eq ftp

access-list 102 permit ip 70.0.0.32 0.0.0.31 any

On the incoming interface, it will allow sessions that .33 started, to function. It will allow www, smtp and ftp to .34, .35, and .36 respectively. It will deny everything else.

On the outgoing interface, it will allow your /27 full access to the outside world but your going to have some broke stuff if anything falls outside of what is allowed in ACL 101. You'll need something outbound. You could just not put an outbound ACL and let COX worry about dropping the non-routable packets. Or maybe you want to prevent other hosts on 70.x0.0.32/27 from getting out and need to get more granular?

BubbaJ

You probably want to make sure that you can't telnet to the router from the WAN, and check for unicast RPF to make sure you don't get spoofed.

Mr Big

david_r wrote:
Here's a first draft of something that might work.
interface FastEthernet 0/0 
description Connection to Cox Cable 
ip address 68.x.x.1 255.255.255.252 
ip access-group 101 in
ip access-group 102 out

access-list 101 permit tcp any host 70.0.0.33 established 
access-list 101 permit tcp any host 70.0.0.34 eq www 
access-list 101 permit tcp any host 70.0.0.35 eq smtp 
access-list 101 permit tcp any host 70.0.0.36 eq ftp

access-list 102 permit ip 70.0.0.32 0.0.0.31 any
On the incoming interface, it will allow sessions that .33 started, to function. It will allow www, smtp and ftp to .34, .35, and .36 respectively. It will deny everything else.

On the outgoing interface, it will allow your /27 full access to the outside world but your going to have some broke stuff if anything falls outside of what is allowed in ACL 101. You'll need something outbound. You could just not put an outbound ACL and let COX worry about dropping the non-routable packets. Or maybe you want to prevent other hosts on 70.x0.0.32/27 from getting out and need to get more granular?

Actually, I do need this subnet to get out. This range of IP's are reserved for servers. That config will work. Thanks for all the feedback!!!

david_r

Mr Big,
Remember, that was a first draft. you'll need to allow your TCP established traffic to your other servers and your WAN interface back in. I.e. Your POP mail and NAT are currently broken. I think I'd permit ICMP for now and some sort of access or you'll be driving back into work. You can set up a local UN/PW on your vty to make it a little more secure but that'd be up to your security policy.