"DMZ" on 2600 Router..

ncsugrad2002 Member Posts: 131
What's the best way to go about basically creating a "DMZ" host on a 2600 or 1700 series?

On the internal network I'll have one computer that's a webserver, one that's FTP, a bunch (10-20) of regular internet users who just need typical NAT, then they're wanting one IP address to have all other traffic directed to it... basically like the DMZ port is on one of those cheap-o routers.

I can't figure out the best way to do this. I thought about adding another WIC-1ENET and trying to route traffic to it that way, but wasn't really sure how to go about it. The other option is of course to just keep the 2 Ethernet ports that are there now and somehow route all unknown traffic to the particular IP address that is considered the DMZ host, then of course set up a DHCP reservation for that PC to always get the IP address that's designated for all that traffic.

Any ideas on how this would actually work? I'm sure the port range command in extended access lists would be part of it, but I'm not sure of all the details.

Comments

  • hypnotoad Banned Posts: 915
    Lacking another ethernet interface, perhaps you could put the DMZ servers in their own VLAN and then set ACLs to only allow the services you want.
  • ncsugrad2002 Member Posts: 131
    hypnotoad wrote: »
    Lacking another ethernet interface, perhaps you could put the DMZ servers in their own VLAN and then set ACLs to only allow the services you want.

    Yeah, that's more or less how I was going to do it for known services. For some reason he wanted all "unknown" traffic to go to a particular IP address as well, like the DMZ port does on other cheapo routers. Ah well, the client decided not to go forward with a new router, so the project is off for now anyways.
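
The approach hypnotoad suggests in the thread (servers in their own VLAN, ACLs limited to the wanted services), sketched as an IOS configuration. This is an added example, not a configuration posted by anyone in the thread. All addresses, VLAN IDs, interface names and the ACL name are constructed assumptions, and it assumes a FastEthernet port with an IOS image that supports 802.1Q subinterfaces plus a VLAN-capable switch behind it.

```cisco
! Constructed example: every address, VLAN ID and name below is an assumption.
!
! Traffic arriving from the DMZ VLAN: replies to TCP sessions the users
! opened are allowed, anything else toward the user LAN is dropped.
ip access-list extended DMZ-IN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip  192.168.20.0 0.0.0.255 any
!
interface FastEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 description Inside users
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description DMZ servers
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
! Typical NAT (PAT) for the regular users and outbound server traffic
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Only the known services are published; nothing else is forwarded inbound
ip nat inside source static tcp 192.168.20.10 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.20.11 21 interface FastEthernet0/0 21
```

`show ip nat translations` and `show access-lists DMZ-IN` confirm which mappings are active and whether the deny entry is counting hits from the server VLAN.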