50.4 Running Servers with Cisco Cisco Forum FAQ - dslreports.com

			Search:
	login · register

FAQs

how-to block ads

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 50.4 Running Servers with Cisco
FAQ Revisions	Editors: skj , Covenant , aryoba , Phraxos Last modified on 2009-06-29 08:36:07

50.4 Running Servers with Cisco ·Router configuration to run server (port forwarding) ·PIX Firewall/ASA configuration to run server (port forwarding) ·Separate Internet: Dedicate T1/E1 for server, dedicate DSL/Cable for LAN
Router configuration to run server (port forwarding) (#8359)
Suggested prerequisite reading »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice For illustration purposes, I use: * Cisco 806 router (2 Ethernet ports) * ISP provided static IPs * ISP provided DNS * PPPoE (have to put username and password to connect to ISP) Note: 1) When your ISP doesn't use PPPoE If your ISP does not use PPPoE, this configuration can be easily modified to suit other type of ISP connections (i.e. Static, DHCP, PPPoA). Check out other part of this forum's FAQ for such situation. Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco 2) For servers other than FTP Also for illustration purposes, I run FTP server behind the router. This configuration can be modified to also have web server, mail server, or just any public servers that run on specific TCP or UDP port/ports. When you run web server, you can replace the TCP port 20 and 21 with TCP port 80 (the standard web port). As for mail server, replace with TCP port 25 (the standard mail port). For other servers, confirm your software configuration of the TCP/UDP port it uses. Background Just a bit of explanation. E0 interface is for inside network (LAN interface). E1 is for outside (ISP or WAN physical interface). Dialer1 is for PPPoE (the "actual"/logical WAN interface). The 1.0.0.13 is ISP provided static IP address for the use of the server. This configuration example is for running FTP server, which uses the standard TCP port 20 and 21. The LAN uses 10.10.10.0 network with 255.255.255.0 subnet for both servers and workstations. All servers within the LAN use static IP address. The router is configured as DHCP server to give out IP info (IP addresses, subnet mask, DNS) to workstations that are configured as DHCP client. Basically I suggest that you deploy NAT (Network Address Translation) and/or PAT (Port Address Translation) to setup your own servers behind Cisco router. In this sample configuration, there will be two PAT in place between Public and Private IP addresses. One is dynamic PAT which uses single Public IP address for all local workstations. Another one is static PAT which uses single Public IP address for servers. When using NAT/PAT, keep in mind that the Internet-accessible servers are seen from the Internet as their NAT/PAT-ed IP address (the Public IP address) and not the local IP address (not the Private IP address). The connection from the Internet users to the Public IP address will then be forwarded by the NAT/PAT device, which in this case is the router, according to the router's routing table. In other words, the router will (TCP/UDP) port forward connection from the Public IP address to the actual Private IP address after proper network's routing table is in place. This understanding is very important when you or someone need to test connectivity to the server and/or when you need to create filter (access list or ACL for short) to allow only certain incoming traffic from the Internet and block others. Side Note: For more info on NAT/PAT concept, check out the following FAQ »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Instruments used in this illustration are pretty much standard for running your own servers. Please note that IP addresses, username, and password are changed. However, you could always modify the configuration to suit your situation. This sample configuration assumes that you have a block of IP addresses from ISP. There is a dedicated Public IP address for the router WAN interface (the Dialer1 interface) and another dedicated Public IP address for the server PAT IP address. In this sample configuration, typical users from 10.10.10.0/24 network are dynamically PAT-ed to the Dialer1 interface IP address when the users are going out to the Internet. When the 10.10.10.2 machine need to go out to the Internet or need to communicate with users on the Internet, then the 10.10.10.2 is statically PAT/NAT-ed to the 1.0.0.13 Public IP address. If you only have single Public IP address for both router WAN interface and server PAT IP address instead of a block of IP addresses, there are several ways to configure the router. One way is to use the same command as shown in sample configuration. ip nat inside source static tcp 10.10.10.2 21 1.1.1.14 21 extendable This one configuration way is suitable when you have static IP address from your ISP and you know exactly what the IP address is. In this case you have the 1.1.1.14 single static IP address for both the WAN interface and Public server IP address. Note that the command above shows the static PAT between Public IP address (the 1.1.1.14) and Private IP address (the 10.10.10.2). When you are unsure which IP address you receive from the ISP, or when your Public IP address keep changing; then another way to configure the static PAT is following ip nat inside source static tcp 10.10.10.2 21 interface Dialer1 21 extendable With situation of dynamic IP address, at some point you still need to know the exact Public IP address you receive from your ISP for server connection testing and production time. To find out, you can issue show ip interface brief command on the router. You will then see the associated WAN interface Public IP address. Note that the command above shows the static PAT between the Dialer1 interface Public IP address (the one that shows on the show ip interface brief display) and Private IP address (the 10.10.10.2). Between Static and Dynamic IP Address Assignment for LAN Machines Typically, servers are having static IP addresses where regular workstations are having dynamic IP addresses. As mentioned, all LAN machines (including servers and workstations) are within 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 for router, 10.10.10.2 - 10.10.10.14 for servers, and the rest (10.10.10.15 - 10.10.10.254) for workstations. This illustration assumes all workstations are receiving dynamic IP address (as DHCP client) from router which is acting as the LAN DHCP server; as indicated by the ip dhcp pool CLIENT command. Since router and servers are having static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from DHCP pool. This is where you need the ip dhcp excluded-address 10.10.10.1 10.10.10.14 command in place. For routers that only have one Ethernet port As mentioned, this sample configuration uses 2-Ethernet-port router. In cases that your router have one Ethernet port as LAN side and one DSL (ATM) port as WAN side, you could check out the following link: Configuring Network Address Translation and Static Port Address Translation to Support an Internal Web Server From the link, you can see how similar and how different the configurations are. Tips * You can use any computer, running any operating system with any generic FTP or other server software. There is no exclusiveness * Make sure that the ports you plan to use are not used by other program. * Also make sure that your ISP does not block the port you plan to use * You can use generic port scanner software to find out if the port you plan to use is available * Setup the FTP software to have the FTP server to use port 21 (standard port) * FYI, port 21 only handle the connection and data is sent over port 20. With both ports PAT'd you will be able to use both PASV & PORT connections to your FTP server * To verify the configuration, access the server from OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. For this illustration, run an Internet browser (Internet Explorer, Netscape) and open »ftp://1.0.0.13:21 The Sample Configuration Finally, here is the "show running-config" output. no parser cache no service single-slot-reload-enable no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Router ! logging buffered 4096 informational enable secret 5 ******** ! ip subnet-zero ! ! !!!!!! Configuring the router as DHCP server ip dhcp excluded-address 10.10.10.1 10.10.10.14 ! ip dhcp pool CLIENT network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 !!!!!! ! no ip dhcp-client network-discovery vpdn enable ! vpdn-group 1 request-dialin protocol pppoe ! ! ! !!!!!! This is the LAN side interface Ethernet0 !!!!!! The IP address for the router ip address 10.10.10.1 255.255.255.0 !!!!!! ip nat inside no cdp enable hold-queue 32 in ! !!!!!! Note that e1 has no IP address interface Ethernet1 no ip address !!!!!! pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! !!!!!! The ISP's given IP address will be configured via d1 interface Dialer1 ip address negotiated !!!!!! ip mtu 1492 ip nat outside encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname ***** ppp chap password 7 *** ppp pap sent-username **** password 7 *** ppp ipcp route default ! !!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address !!!!!! and local IP addresses within ACL 10 ip nat inside source list 10 interface Dialer1 overload ! !!!!!! This is the important part: !!!!!! The server is an FTP running generic FTP software !!!!!! The FTP server is in inside network using IP address 10.10.10.2 !!!!!! This configuration uses PAT (Port Address Translation) which deploys !!!!!! port 20 and 21 (standard ports for FTP) !!!!!! !!!!!! The "ip nat inside source static" is the actual static PAT command for !!!!!! running servers with Cisco router where the port forwarding takes place !!!!!! between the Public and the Private IP address on specific TCP or UDP port !!!!!! !!!!!! Note that the word "extendable" is automatically added by the router !!!!!! You don't have to enter the word when you configure the router !!!!!! ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20 extendable ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21 extendable ip classless !!!!!! This command is to make the router configurable using web browser !!!!!! such as Internet Explorer or Netscape, which is totally optional. !!!!!! You can turn the feature off by entering "no ip http server" !!!!!! ip http server !!!!!! ! access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address access-list 10 permit 10.10.10.0 0.0.0.255 dialer-list 1 protocol ip permit no cdp run ! line con 0 exec-timeout 120 0 stopbits 1 line vty 0 4 exec-timeout 0 0 login local length 0 ! scheduler max-task-time 5000 end Command Adjustment for Specific Needs The above sample configuration shows how to provide FTP access to public. When you need to provide other access type such as Web or Mail, following is the command adjustment needed. To run Public Web Server, following is the command ip nat inside source static tcp 10.10.10.2 80 1.0.0.13 80 extendable ip nat inside source static tcp 10.10.10.2 443 1.0.0.13 443 extendable To run Public Mail Server, following is the command ip nat inside source static tcp 10.10.10.2 25 1.0.0.13 25 extendable To run both Public Web and Mail Server that resides on different LAN machines, following is the list of commands. ip nat inside source static tcp 10.10.10.2 25 1.0.0.13 25 extendable ip nat inside source static tcp 10.10.10.3 80 1.0.0.13 80 extendable ip nat inside source static tcp 10.10.10.3 443 1.0.0.13 443 extendable where 10.10.10.2 is the Mail Server and 10.10.10.3 is the Web Server. To run both Public Web and Mail Server that resides on different LAN machines and each has its own Public IP address, following is the list of commands. ip nat inside source static tcp 10.10.10.2 25 1.0.0.12 25 extendable ip nat inside source static tcp 10.10.10.3 80 1.0.0.13 80 extendable where 10.10.10.2 is the LAN Mail Server and 1.0.0.12 is the Public Mail Server. Similarly, 10.10.10.3 is the LAN Web Server and 1.0.0.13 is the Public Web Server. If you like to dedicate 1.0.0.12 only for 10.10.10.2 machine and to dedicate 1.0.0.13 only for 10.10.10.3 machine, then you can do Static NAT instead as follows. ip nat inside source static 10.10.10.2 1.0.0.12 extendable ip nat inside source static 10.10.10.3 1.0.0.13 extendable With such Static NAT implementation, you should have inbound ACL on the router WAN interface or some Internet firewall to regulate which inbound Internet traffic that can access those dedicated Public IP addresses for better network security. Following is a sample. »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature Having Servers on DMZ Scenario 1: NAT/PAT for both DMZ and Inside networks Let's say there is DMZ network of 10.10.10.0/24 where the Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as they are, therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by the ACL 100. Following is the sample configuration. no parser cache no service single-slot-reload-enable no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Router ! logging buffered 4096 informational enable secret 5 ****** ! ip subnet-zero ! ! !!!!!! Configuring the router as DHCP server ip dhcp excluded-address 10.0.0.1 10.0.0.14 ! ip dhcp pool CLIENT network 10.0.0.0 255.255.255.0 default-router 10.0.0.1 dns-server 10.0.0.2 !!!!!! ! no ip dhcp-client network-discovery vpdn enable ! vpdn-group 1 request-dialin protocol pppoe ! ! ! !!!!!! This is the LAN side interface Ethernet0 !!!!!! The IP address for the router LAN interface ip address 10.0.0.1 255.255.255.0 !!!!!! ip nat inside no cdp enable hold-queue 32 in ! !!!!!! Note that e1 has no IP address interface Ethernet1 no ip address !!!!!! pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! !!!!!! This is the DMZ side interface Ethernet2 !!!!!! The IP address for the router DMZ interface ip address 10.10.10.1 255.255.255.0 !!!!!! ip access-group 100 in ip nat inside no cdp enable hold-queue 32 in ! !!!!!! The ISP's given IP address will be configured via d1 interface Dialer1 ip address negotiated !!!!!! ip mtu 1492 ip nat outside encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname ***** ppp chap password 7 *** ppp pap sent-username **** password 7 *** ppp ipcp route default ! !!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address !!!!!! and local IP addresses within ACL 10 ip nat inside source list 10 interface Dialer1 overload ! !!!!!! This is the important part: !!!!!! The server is an FTP running generic FTP software !!!!!! The FTP server is in DMZ network using IP address 10.10.10.2 !!!!!! This configuration uses PAT (Port Address Translation) which deploys !!!!!! port 20 and 21 (standard ports for FTP) !!!!!! !!!!!! The "ip nat inside source static" is the actual static PAT command for !!!!!! running servers with Cisco router where the port forwarding takes place !!!!!! between the Public and the Private IP address on specific TCP or UDP port !!!!!! !!!!!! Note that the word "extendable" is automatically added by the router !!!!!! You don't have to enter the word when you configure the router !!!!!! ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20 extendable ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21 extendable ip classless !!!!!! This command is to make the router configurable using web browser !!!!!! such as Internet Explorer or Netscape, which is totally optional. !!!!!! You can turn the feature off by entering "no ip http server" !!!!!! ip http server !!!!!! ! access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address access-list 10 permit 10.0.0.0 0.255.255.255 access-list 100 remark Permitable Access From DMZ to Inside access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.2 eq 53 access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 100 permit ip 10.10.10.0 0.0.0.255 any dialer-list 1 protocol ip permit no cdp run ! line con 0 exec-timeout 120 0 stopbits 1 line vty 0 4 exec-timeout 0 0 login local length 0 ! scheduler max-task-time 5000 end Scenario 2: NAT/PAT only for Inside network, no NAT/PAT for DMZ network So far the presented sample configurations use 1.0.0.8/29 as the NAT/PAT IP subnet. In this sample configuration, there is an addition IP subnet of 1.0.0.0/30. The 1.0.0.0/30 is used as the NAT/PAT IP subnet for Inside network. DMZ network does not use NAT/PAT at all, instead the DMZ network uses the 1.0.0.8/29 directly. The idea behind this setup is to avoid unnecessary DNS BIND to resolve DMZ server name to both Public IP and Private IP addresses. With DMZ network having the Public IP address of 1.0.0.8/29 directly assigned, DMZ server DNS name resolves to always its associated Public IP address regardless of where the incoming traffic come from, either from the Internet or from the Inside network. More info on this issue can be found in the following FAQ. »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Now let's describe the network setup. The 1.0.0.8/29 IP subnet is assigned directly to all DMZ machines. A 1.0.0.14 is used as the DMZ network default gateway, which is also the router DMZ interface IP address. The Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as they are, therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by the ACL 100. There is no NAT/PAT in place for DMZ network to go out to the Internet. There is NAT/PAT in place for Inside network to go out to the Internet. All Inside network machines are PAT-ed to 1.0.0.2 IP address to go out to the Internet, which is the router WAN interface IP address. The DMZ network still hosts FTP server, which is directly assigned 1.0.0.13 IP address. For security, there is ACL 101 to permit only necessary incoming traffic from the Internet and block others. Following is the sample configuration. no parser cache no service single-slot-reload-enable no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Router ! logging buffered 4096 informational enable secret 5 ****** ! ip subnet-zero ! ! !!!!!! Configuring the router as DHCP server ip dhcp excluded-address 10.0.0.1 10.0.0.14 ! ip dhcp pool CLIENT network 10.0.0.0 255.255.255.0 default-router 10.0.0.1 dns-server 10.0.0.2 !!!!!! ! no ip dhcp-client network-discovery vpdn enable ! vpdn-group 1 request-dialin protocol pppoe ! ! ! !!!!!! This is the LAN side interface Ethernet0 !!!!!! The IP address for the router LAN interface ip address 10.0.0.1 255.255.255.0 !!!!!! ip nat inside no cdp enable hold-queue 32 in ! !!!!!! Note that e1 has no IP address interface Ethernet1 no ip address !!!!!! pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! !!!!!! This is the DMZ side interface Ethernet2 !!!!!! The IP address for the router DMZ interface ip address 1.0.0.14 255.255.255.248 !!!!!! ip access-group 100 in no cdp enable hold-queue 32 in ! !!!!!! The ISP's given IP address will be configured via d1 interface Dialer1 ip address 1.0.0.2 255.255.255.252 !!!!!! ip mtu 1492 ip access-group 101 in ip nat outside encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname ***** ppp chap password 7 *** ppp pap sent-username **** password 7 *** ppp ipcp route default ! !!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address !!!!!! and local IP addresses within ACL 10 ip nat inside source list 10 interface Dialer1 overload ! ip classless !!!!!! This command is to make the router configurable using web browser !!!!!! such as Internet Explorer or Netscape, which is totally optional. !!!!!! You can turn the feature off by entering "no ip http server" !!!!!! ip http server !!!!!! ! access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address access-list 10 permit 10.0.0.0 0.255.255.255 access-list 100 remark Permitted Access From DMZ to Inside access-list 100 permit udp 1.0.0.8 0.0.0.7 host 10.0.0.2 eq 53 access-list 100 deny ip 1.0.0.8 0.0.0.7 10.0.0.0 0.0.0.255 access-list 100 permit ip 1.0.0.8 0.0.0.7 any access-list 101 remark Permitted Access From Internet to Both DMZ and Inside access-list 101 permit icmp any host 1.0.0.2 echo-reply access-list 101 permit icmp any 1.0.0.8 0.0.0.7 echo-reply access-list 101 permit icmp any host 1.0.0.2 time-exceeded access-list 101 permit icmp any 1.0.0.8 0.0.0.7 time-exceeded access-list 101 permit icmp any host 1.0.0.2 unreachable access-list 101 permit icmp any 1.0.0.8 0.0.0.7 unreachable access-list 101 permit tcp any host 1.0.0.13 range 20 21 access-list 101 permit udp any eq domain host 1.0.0.2 access-list 101 permit udp any eq domain 1.0.0.8 0.0.0.7 access-list 101 permit tcp any host 1.0.0.2 established access-list 101 permit tcp any 1.0.0.8 0.0.0.7 established dialer-list 1 protocol ip permit no cdp run ! line con 0 exec-timeout 120 0 stopbits 1 line vty 0 4 exec-timeout 0 0 login local length 0 ! scheduler max-task-time 5000 end More Sample Configuration »Cisco Forum FAQ »Configure DMZ on routers »Cisco Forum FAQ »Internet - Router - PIX - LAN feedback form by aryoba** last modified: 2009-05-29 09:14:02
PIX Firewall/ASA configuration to run server (port forwarding) (#13447)
Suggested prerequisite reading »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice For illustration purposes, I use: * Cisco PIX Firewall 501 (2 Ethernet ports) running PIX OS version 6.3(3) * ISP provided static IPs * ISP provided DNS * Static WAN IP addresses, provided by ISP Note: 1) When your ISP doesn't use Static IP Address If your ISP does not use Static IP Address, this configuration can be easily modified to suit other type of ISP connections (i.e. DHCP, PPPoE, PPPoA). Check out other part of this forum's FAQ for such situation. Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco 2) For servers other than FTP Also for illustration purposes, I run FTP server behind the router. This configuration can be modified to also have web server, mail server, or just any public servers that run on specific TCP or UDP port/ports. When you run web server, you can replace the TCP port 20 and 21 with TCP port 80 (the standard web port). As for mail server, replace with TCP port 25 (the standard mail port). For other servers, confirm your software configuration of the TCP/UDP port it uses. 3) For ASA or PIX Firewall running OS version 7.0 or later PIX OS version 6.3(3) commands are pretty much similar to the ASA or PIX OS version 7.0 or later. Should you need more sample configurations from different angle or sample configurations on ASA or PIX running OS version 7.0 or later, keep reading to get the preliminary concept overview then proceed to the next discussion. Background Just a bit of explanation. E0 interface is for outside network (ISP or WAN physical interface). E1 is for inside (LAN interface). The ISP-provided IP Block is 1.1.1.9/24 - 1.1.1.14/24, where 1.1.1.9 is for the Internet traffic, 1.1.1.13 is for the server, and 1.1.1.14 is the PIX WAN interface IP address. The default gateway (the ISP) is 1.1.1.1/24. This configuration example is for running FTP server, which uses the standard TCP port 20 and 21. You need to permit inbound traffic from the Internet to your LAN by issuing the access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 command. The LAN uses 10.10.10.0 network with 255.255.255.0 subnet for both servers and workstations. All servers within the LAN use static IP address. The PIX is configured as DHCP server to give out IP info (IP addresses, subnet mask, DNS) to workstations that are configured as DHCP client. Basically I suggest that you deploy NAT (Network Address Translation) and PAT (Port Address Translation) to setup your own servers behind Cisco PIX Firewall. In this sample configuration, there will be two PAT in place between Public and Private IP addresses. One is dynamic PAT which uses single Public IP address for all local workstations. Another one is static PAT which uses single Public IP address for servers. When using NAT/PAT, keep in mind that the Internet-accessible servers are seen from the Internet as their NAT/PAT-ed IP address (the Public IP address) and not the local IP address (not the Private IP address). The connection from the Internet users to the Public IP address will then be forwarded by the NAT/PAT device, which in this case is the ASA/PIX Firewall, according to the ASA/PIX Firewall's routing table. In other words, the ASA/PIX Firewall will (TCP/UDP) port forward connection from the Public IP address to the actual Private IP address after proper network's routing table is in place. This understanding is very important when you or someone need to test connectivity to the server and/or when you need to create filter (access list or ACL for short) to allow only certain incoming traffic from the Internet and block others. Specifically for firewall devices such as PIX Firewall and ASA, creating such ACL to regulate incoming traffic initiated from the Internet to local LAN is required. On this sample configuration, this ACL is called INBOUND (access-list INBOUND). Side Note: For more info on NAT/PAT concept, check out the following FAQ »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Instruments used in this illustration are pretty much standard for running your own servers. Please note that IP addresses, username, and password are changed. However, you could always modify the configuration to suit your situation. This sample configuration assumes that you have a block of IP addresses from ISP. There is a dedicated Public IP address for the PIX WAN interface (the Outside interface) and another dedicated Public IP address for the server PAT IP address. In this sample configuration, the network uses 1.1.1.13 IP address as the server Public IP address where the server inside Private IP address is 10.10.10.2. Any other machines use 1.1.1.9 Public IP address to go out to the Internet. Note that the static PAT is indicated by the static command where the dynamic PAT is indicated by the pair of global and nat commands. You can change the IP address either on the static, global, or nat commands to suit your need or situation. If you only have single Public IP address for both PIX/ASA Outside interface and server PAT IP address instead of a block of IP addresses, then you use the following commands instead. static (inside,outside) tcp interface 20 10.10.10.2 20 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 21 10.10.10.2 21 netmask 255.255.255.255 0 0 access-list INBOUND permit tcp any any range 20 21 global (outside) 1 interface With situation of dynamic IP address, at some point you still need to know the exact Public IP address you receive from your ISP for server connection testing and production time. To find out, you can issue show ip address command on the PIX. You will then see the associated outside interface Public IP address. Note that the static commands above show the static PAT between outside (WAN) interface Public IP address (the one that shows on show ip address command) and Private IP address (the 10.10.10.2). Between Static and Dynamic IP Address Assignment for LAN Machines Typically, servers are having static IP addresses where regular workstations are having dynamic IP addresses. As mentioned, all LAN machines (including servers and workstations) are within 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 for the PIX, 10.10.10.2 - 10.10.10.14 for servers, and the rest (10.10.10.15 - 10.10.10.254) for workstations. This illustration assumes all workstations are receiving dynamic IP address (as DHCP client) from the PIX which is acting as the LAN DHCP server; as indicated by the dhcpd address 10.10.10.15-10.10.10.254 inside command. Since the PIX and servers are having static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from DHCP pool. This is why the 1st DHCP IP address within the pool is 10.10.10.15 and the last one is 10.10.10.254 Tips * You can use any computer, running any operating system with any generic FTP or other server software. There is no exclusiveness * Make sure that the ports you plan to use are not used by other program. * Also make sure that your ISP does not block the port you plan to use * You can use generic port scanner software to find out if the port you plan to use is available * Setup the FTP software to have the FTP server to use port 21 (standard port) * FYI, port 21 only handle the connection and data is sent over port 20. With both ports PAT'd you will be able to use both PASV & PORT connections to your FTP server * To verify the configuration, access the server from OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. For this illustration, run an Internet browser (Internet Explorer, Netscape) and open »ftp://1.0.0.13:21 The Sample Configuration Finally, here is the "show running-config" output. PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password *** encrypted passwd *** encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group icmp-type ICMP-INBOUND icmp-object 0 icmp-object 3 icmp-object 11 access-list INBOUND permit icmp any any object-group ICMP-INBOUND access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 1.1.1.14 255.255.255.0 ip address inside 10.10.10.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 1.1.1.9 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp 1.1.1.13 20 10.10.10.2 20 netmask 255.255.255.255 0 0 static (inside,outside) tcp 1.1.1.13 21 10.10.10.2 21 netmask 255.255.255.255 0 0 access-group INBOUND in interface outside route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 10.10.10.2 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 10.10.10.15-10.10.10.254 inside dhcpd dns 68.87.64.196 68.87.66.196 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 Note that the static command is where the port forwarding actually takes place between the Public and the Private IP address on specific TCP or UDP port. The ACL INBOUND is only a filter to permit certain incoming traffic initiated from Outside (the Internet). Command Adjustment for Specific Needs The above sample configuration shows how to provide FTP access to public. When you need to provide other access type such as Web or Mail, following is the command adjustment needed. To run Public Web Server, following is the command list static (inside,outside) tcp 1.1.1.13 80 10.10.10.2 80 netmask 255.255.255.255 0 0 static (inside,outside) tcp 1.1.1.13 443 10.10.10.2 443 netmask 255.255.255.255 0 0 object-group service WEB_Services tcp port-object eq 80 port-object eq 443 access-list INBOUND permit tcp any host 1.1.1.13 object-group WEB_Services To run Public Mail Server, following is the command list static (inside,outside) tcp 1.1.1.13 25 10.10.10.2 25 netmask 255.255.255.255 0 0 access-list INBOUND permit tcp any host 1.1.1.13 eq 25 To run both Public Mail and Web Server where each server resides on different LAN machines, following is the command list. static (inside,outside) tcp 1.1.1.13 25 10.10.10.2 25 netmask 255.255.255.255 0 0 static (inside,outside) tcp 1.1.1.13 80 10.10.10.3 80 netmask 255.255.255.255 0 0 static (inside,outside) tcp 1.1.1.13 443 10.10.10.3 443 netmask 255.255.255.255 0 0 object-group service WEB_Services tcp port-object eq 80 port-object eq 443 access-list INBOUND permit tcp any host 1.1.1.13 eq 25 access-list INBOUND permit tcp any host 1.1.1.13 object-group WEB_Services where 10.10.10.2 is the LAN Mail Server and 10.10.10.3 is the LAN Web Server. To run both Public Mail and Web Server where each server resides on different LAN machines and each server has its own Public IP address, following is the command list. static (inside,outside) tcp 1.1.1.12 25 10.10.10.2 25 netmask 255.255.255.255 0 0 static (inside,outside) tcp 1.1.1.13 80 10.10.10.3 80 netmask 255.255.255.255 0 0 access-list INBOUND permit tcp any host 1.1.1.12 eq 25 access-list INBOUND permit tcp any host 1.1.1.13 eq 80 where 10.10.10.2 is the LAN Mail Server and 1.1.1.12 is the WAN (Public) IP address. Similarly, 10.10.10.3 is the LAN Web Mail Server and 1.1.1.13 is the Public IP address. If you like to dedicate specific Public IP address for specific LAN machines, then you can implement Static NAT instead as follows. static (inside,outside) 1.1.1.12 10.10.10.2 netmask 255.255.255.255 0 0 static (inside,outside) 1.1.1.13 10.10.10.3 netmask 255.255.255.255 0 0 access-list INBOUND permit tcp any host 1.1.1.12 eq 25 access-list INBOUND permit tcp any host 1.1.1.13 eq 80 where you dedicate 1.1.1.12 only for 10.10.10.2 machine and dedicate 1.1.1.13 only for 10.10.10.3 machine. Having Servers on DMZ Scenario 1: NAT/PAT for both DMZ and Inside networks This time there is DMZ network of 10.10.10.0/24 where the Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as they are, therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet). Note that the access-list DMZ only applies when connections are initiated from DMZ machines. Any connections initiated from other network such as Inside and Outside won't be affected by this access-list DMZ. Following is the sample configuration. PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 enable password *** encrypted passwd * encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group icmp-type ICMP-INBOUND icmp-object 0 icmp-object 3 icmp-object 11 object-group network Inside_DNS network-object host 10.0.0.2 object-group network Inside network-object 10.0.0.0 255.255.255.0 object-group network DMZ network-object 10.10.10.0 255.255.255.0 access-list INBOUND permit icmp any any object-group ICMP-INBOUND access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53 access-list DMZ deny ip any object-group Inside access-list DMZ permit ip object-group DMZ any access-list nonat permit ip object-group Inside object-group DMZ pager lines 24 mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 1.1.1.14 255.255.255.0 ip address inside 10.0.0.1 255.255.255.0 ip address dmz 10.10.10.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 1.1.1.9 nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (dmz,outside) tcp 1.1.1.13 20 10.10.10.2 20 netmask 255.255.255.255 0 0 static (dmz,outside) tcp 1.1.1.13 21 10.10.10.2 21 netmask 255.255.255.255 0 0 access-group INBOUND in interface outside access-group DMZ in interface dmz route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 10.0.0.4 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 10.0.0.15-10.0.0.254 inside dhcpd dns 10.0.0.2 10.0.0.2 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 Scenario 2: NAT/PAT only for Inside network, no NAT/PAT for DMZ network So far the presented sample configurations use 1.1.1.9/24 - 1.1.1.14/24 as the NAT/PAT IP subnet. In this sample configuration, there is an addition IP subnet of 1.0.0.0/30. Instead of using 1.1.1.9/24 - 1.1.1.14/24, this sample configuration uses 1.1.1.8/29. The 1.0.0.0/30 is used as the NAT/PAT IP subnet for Inside network. DMZ network does not use NAT/PAT at all, instead the DMZ network uses the 1.1.1.8/29 directly. The idea behind this setup is to avoid unnecessary DNS BIND to resolve DMZ server name to both Public IP and Private IP addresses. With DMZ network having the Public IP address of 1.1.1.8/29 directly assigned, DMZ server DNS name resolves to always its associated Public IP address regardless of where the incoming traffic come from, either from the Internet or from the Inside network. More info on this issue can be found in the following FAQ. »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Now let's describe the network setup. The 1.1.1.8/29 IP subnet is assigned directly to all DMZ machines. A 1.1.1.14 is used as the DMZ network default gateway, which is also the PIX Firewall DMZ interface IP address. The Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as they are, therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by the ACL DMZ. There is no NAT/PAT in place for DMZ network to go out to the Internet. There is NAT/PAT in place for Inside network to go out to the Internet. All Inside network machines are PAT-ed to 1.0.0.2 IP address to go out to the Internet, which is the PIX Firewall Outside interface IP address. The DMZ network still hosts FTP server, which is directly assigned 1.1.1.13 IP address. For security, there is ACL INBOUND to permit only necessary incoming traffic from the Internet and block others. Following is the sample configuration. PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 enable password * encrypted passwd * encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group icmp-type ICMP-INBOUND icmp-object 0 icmp-object 3 icmp-object 11 object-group network Inside_DNS network-object host 10.0.0.2 object-group network Inside network-object 10.0.0.0 255.255.255.0 object-group network DMZ network-object 1.1.1.8 255.255.255.248 access-list INBOUND permit icmp any any object-group ICMP-INBOUND access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53 access-list DMZ deny ip any object-group Inside access-list DMZ permit ip object-group DMZ any access-list nonat permit ip object-group Inside object-group DMZ pager lines 24 mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip address outside 1.0.0.2 255.255.255.252 ip address inside 10.0.0.1 255.255.255.0 ip address dmz 1.1.1.14 255.255.255.248 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group INBOUND in interface outside access-group DMZ in interface dmz route outside 0.0.0.0 0.0.0.0 1.0.0.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 10.0.0.4 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 10.0.0.15-10.0.0.254 inside dhcpd dns 10.0.0.2 10.0.0.2 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 More Sample Configurations As mentioned, PIX OS version 6.3(3) commands are pretty much similar to the ASA or PIX OS version 7.0 or later. Should you need more sample configurations from different angle or sample configurations on ASA or PIX running OS version 7.0 or later, you can check out the following links. Run Mail Server on DMZ Network PIX running OS 6.3 image PIX/ASA running OS 7.0 image or newer Run Mail Server on Inside Network PIX running OS 6.3 image PIX/ASA running OS 7.0 image or newer Run Mail Server on Outside Network PIX running OS 6.3 image PIX/ASA running OS 7.0 image or newer PIX Firewall - Router Combo »Cisco Forum FAQ »Internet - PIX - Router - LAN »Cisco Forum FAQ »Internet - Router - PIX - LAN Some Discussions »[Config] cisco 5520 feedback form by aryoba** last modified: 2009-05-29 09:14:33
Separate Internet: Dedicate T1/E1 for server, dedicate DSL/Cable for LAN (#10950)
Suggested Prerequisite Reading »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Traditional Approach Currently you have T1/E1 circuit for Internet access of both LAN users and servers. Due to bandwidth consumption, you decide to dedicate the T1/E1 circuit only for servers. For LAN users Internet access, you will bring in either DSL or Cable Internet. In addition, you like to have incoming IPSec VPN traffic into the LAN to go over the DSL or Cable Internet and not the T1/E1 circuit. Following is the list of possible scenarios of network design. 1. Deploying one PIX 515 or ASA 5510 with DMZ T1/E1 DSL/Cable Internet \| \| Existing T1/E1 router \| Outside \| DMZ \| Switch -------------------- PIX 515 or ASA 5510 \| \| Servers \| Inside \| LAN 2. Deploying two 1841 routers T1/E1 DSL/Cable Internet \| \| Existing T1/E1 router \| \| \| Outside First 1841 router \| \| DMZ \| Switch ----------------- Second 1841 router \| \| Servers \| Inside \| LAN 3. Deploying one 871 router, one ASA 5505, and one Catalyst 3560 Layer-3 switch T1/E1 DSL/Cable Internet \| \| Existing T1/E1 router \| Outside \| \| 871 router ASA 5505 \| DMZ \| Switch ----------- Catalyst 3560 Layer-3 switch \| \| Servers \| Inside \| LAN General Ideas and Considerations For the illustration sake, let's consider the 1st scenario which employs the ASA 5510 with DMZ feature. * The servers have default gateway pointing to the T1/E1 router * The T1/E1 router has default gateway pointing to the T1/E1 ISP just like current setup * There is a route at T1/E1 router pointing to the ASA DMZ interface to reach the LAN * The ASA default gateway points to the the DSL/Cable Internet ISP * There is a route at the ASA pointing to the T1/E1 router to reach the servers * Incoming IPSec VPN traffic to the LAN go through the DSL/Cable Internet and terminates at ASA. In other words, the ASA acts as both Internet firewall and VPN Concentrator * The servers' IP address can be either Public or Private IP addresses * The LAN IP addresses are Private IP addresses * No NAT in place for communication between the servers and the LAN * There may be NAT in place for communication between the servers and the Internet, depending on network requirements * There is no NAT in place for communication between the LAN and the incoming VPN traffic * There is NAT in place for communication between the LAN and the Internet The network design general ideas of all three above scenarios are pretty much similar. The first scenario is considered the simplest solution. You just have to make sure whoever manage the existing T1/E1 router is able to do any adjustment (i.e. adding route pointing to the ASA DMZ interface to reach LAN) due to the network design change. If for any reason the T1/E1 router management is unable or is unwilling to do any adjustment, then either second or third scenario should be feasible as well. Note that in the first scenario, the ASA 5510 acts as both Internet firewall and VPN Concentrator. In the second scenario, the Second 1841 router acts as Internet firewall, Internet router, and VPN Concentrator. In the third scenario, the ASA 5505 acts as both Internet firewall and VPN Concentrator where the 3560 Layer-3 switch deals with routing between LAN, servers (DMZ), and the Internet. Between Private and Public IP address Assignment for the servers You have a choice of either assigning Public IP address directly to the servers, or assigning Private IP address to the servers. When the servers are assigned Private IP address, then the T1/E1 router does NAT for the servers when the servers need to communicate with the Internet. When the servers are assigned Public IP address directly, then no NAT should occur at the T1/E1 router for the servers when the servers need to communicate with the Internet. There are times when assigning Public IP address directly to the servers are preferable. When there is a plan to have DNS A record for those servers for example, you may want the servers to have Public IP address assigned to them directly. This way you don't have to create DNS BIND for both the NAT-ed Public IP address and the Private IP address. You only need to create the BIND for just the Public IP address to serve both the Internet users and LAN users. When there is no need to have such DNS A record, then assigning Private IP address to the servers might be acceptable. For more info, you can check out the following FAQ »Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practice Sample Configuration Following sample configuration reflects the network design first scenario. Assumptions * The servers are assigned Public IP address of 1.1.1.0/29 directly. * There are two servers in place, one is web (supporting both HTTP and HTTPS/SSL) and another is mail * Web server IP address is 1.1.1.3 and Mail server IP address is 1.1.1.4 * Default gateway of all servers is the 1.1.1.1 (T1/E1 router) * No NAT in place at T1/E1 router for communication between the servers and the Internet * LAN (Inside) is still be able to access the servers via the DMZ connection without problem * Only the LAN can initiate connection to servers or anything within 1.1.1.0/29 * Servers or anything within 1.1.1.0/29 cannot initiate connection to LAN due to security concern * In terms of LAN-DMZ communication, anything within 1.1.1.0/29 (including the servers) can only response to communication initiated from LAN * In terms of DMZ-Internet communication, either the servers or the Internet can initiate communication to the other * The existing T1/E1 router deploys CBAC to create Internet firewall. For more info, check out the following FAQ »Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration »Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router * The ASA uses Microsoft Active Directory Domain Controller to authenticate incoming VPN connection to LAN machines. For more info, check out the following FAQ »Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator Notes * The above assumptions are considered typical network policy, practice, and deployment in a lot of organizations. You can always make adjustments to suit your specific requirements when needed. * The router CBAC configuration can be simply replaced by more advanced Zone-Based Firewall configuration. Check out the following FAQ for more info »Cisco Forum FAQ »Zone-Based Firewall Sample Configuration Scenario 1 Existing T1/E1 router (i.e. 1721, 2620, similar or higher) ip inspect name OUTBOUND cuseeme ip inspect name OUTBOUND ftp ip inspect name OUTBOUND h323 ip inspect name OUTBOUND netshow ip inspect name OUTBOUND rcmd ip inspect name OUTBOUND realaudio ip inspect name OUTBOUND rtsp ip inspect name OUTBOUND sqlnet ip inspect name OUTBOUND tcp ip inspect name OUTBOUND udp ip inspect name OUTBOUND vdolive ip inspect name OUTBOUND icmp ! interface FastEthernet0/0 description DMZ ip address 1.1.1.1 255.255.255.248 ! interface Serial0/0 description T1/E1 ISP ip address 1.0.0.2 255.255.255.252 ip access-group 121 in ip inspect OUTBOUND out ! ip route 0.0.0.0 0.0.0.0 1.0.0.1 name T1/E1_ISP_Default_Gateway ip route 10.0.0.0 255.0.0.0 1.1.1.2 name LAN1 ip route 172.16.0.0 255.240.0.0 1.1.1.2 name LAN2 ip route 192.168.0.0 255.255.0.0 1.1.1.2 name VPN_Users ! access-list 121 remark ** Permitted inbound packets access-list 121 permit tcp any host 1.1.1.3 eq 80 access-list 121 permit tcp any host 1.1.1.3 eq 443 access-list 121 permit tcp any host 1.1.1.4 eq 25 access-list 121 permit icmp any any echo-reply access-list 121 permit icmp any any time-exceeded access-list 121 permit icmp any any unreachable ! ASA 5510 ASA Version 7.2(3) ! hostname asa domain-name yournetwork.com enable password * encrypted names dns-guard ! interface FastEthernet0/0 description Internet nameif outside security-level 0 ip address 2.2.2.2 255.255.255.0 ! interface FastEthernet0/1 description LAN nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface FastEthernet0/2 description DMZ nameif dmz security-level 50 ip address 1.1.1.2 255.255.255.248 ! passwd * encrypted ftp mode passive object-group network DMZ network-object 1.1.1.0 255.255.255.248 object-group network VPN-Admin network-object 192.168.1.0 255.255.255.0 object-group network VPN-Sales network-object 192.168.2.0 255.255.255.0 object-group network Sales-Network network-object 10.0.0.0 255.255.254.0 access-list 10 remark Split Tunnel for VPN Admin access-list 10 permit ip any object-group VPN-Admin access-list 20 remark Split Tunnel for VPN Sales access-list 20 permit ip object-group Sales-Network object-group VPN-Sales access-list nonat remark No NAT within VPN tunnel access-list nonat permit ip any object-group VPN-Admin access-list nonat permit ip any object-group VPN-Sales access-list nonat remark No NAT between DMZ and Inside access-list nonat permit ip any object-group DMZ pager lines 24 mtu outside 1500 mtu inside 1500 ip local pool admin 192.168.1.1-192.168.1.254 ip local pool sales 192.168.2.1-192.168.2.254 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-523.bin no asdm history enable arp timeout 14400 global (outside) 1 2.2.2.3 nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 2.2.2.1 1 route inside 10.0.0.0 255.0.0.0 192.168.0.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa-server NT_DOMAIN protocol nt aaa-server NT_DOMAIN host 192.168.0.2 nt-auth-domain-controller DomainController1 no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps service resetoutside crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap interface outside crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes-256 hash md5 group 2 lifetime 86400 crypto isakmp nat-traversal 30 telnet timeout 5 ssh 192.168.0.0 255.255.255.0 inside ssh 192.168.1.0 255.255.255.0 outside ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global group-policy Admin internal group-policy Admin attributes dns-server value 192.168.0.2 wins-server value 192.168.0.3 vpn-idle-timeout 1440 split-tunnel-policy tunnelspecified split-tunnel-network-list value 10 default-domain value yournetwork.com group-policy Sales internal group-policy Sales attributes dns-server value 192.168.0.2 wins-server value 192.168.0.3 vpn-idle-timeout 1440 split-tunnel-policy tunnelspecified split-tunnel-network-list value 20 default-domain value yournetwork.com username Admin1 password * encrypted privilege 15 username Admin1 attributes vpn-group-policy Admin group-lock value Admin username Admin2 password *** encrypted privilege 15 username Admin2 attributes vpn-group-policy Admin group-lock value Admin tunnel-group Admin type ipsec-ra tunnel-group Admin general-attributes address-pool admin authentication-server-group NT_DOMAIN LOCAL default-group-policy Admin tunnel-group Admin ipsec-attributes pre-shared-key * tunnel-group Sales type ipsec-ra tunnel-group Sales general-attributes address-pool sales authentication-server-group NT_DOMAIN default-group-policy Sales tunnel-group Sales ipsec-attributes pre-shared-key * prompt hostname context VRF-lite Approach The situation is similar with this approach. There is still a T1/E1 circuit you need to dedicate only for public server access and there is a separate DSL/Cable/Wireless connection for LAN. Following is the network design. T1/E1 circuit DSL/Cable/Wireless \| \| \| \| Existing T1/E1 and DSL/Cable/Wireless router * * Trunk to Switch * Switch General Ideas and Considerations * Each of the T1/E1 circuit and DSL/Cable/Wireless connection connects to different network or even different ISP * There are two networks that the router manages, which are the Public server network and LAN * The Public server network only uses the T1/E1 circuit to connect to the Internet. The Public server network can never use the DSL/Cable/Wireless connection to access the Internet. * The LAN only uses the DSL/Cable/Wireless connection to browse the Internet. The LAN can never use the T1/E1 circuit to access the Internet. * The LAN users must go through the Internet to access the Public server network. There is no direct connection internally within the router to connect the LAN and the Public server network. * Both of Public server network and LAN uses Private subnet internally * The router acts as NAT/PAT device for Private-Public IP Subnet translation * The router run Zone-Based Firewall for security * There are three public-accessible servers within the Public server network which are FTP, Mail, and Web * Zone-Based Firewall inspects all outbound traffic (from Public server network or from LAN to the Internet) and their returning traffic * Zone-Based Firewall also inspect all inbound traffic (from the Internet to the Public server network) VRF-aware Zone-Based Firewall Sample Configuration 1. Router (i.e. 1841, 2621XM, etc.) version 12.4 ! ip cef ! ip vrf LAN ! ip vrf pub ! class-map type inspect match-any out-cmap match protocol http match protocol https match protocol ftp match protocol smtp match protocol ftp ! class-map type inspect match-all Internet-pub-cmap-ftp match access-group 121 match protocol ftp ! class-map type inspect match-all Internet-pub-cmap-http match access-group 122 match protocol http ! class-map type inspect match-all Internet-pub-cmap-smtp match access-group 123 match protocol smtp ! policy-map type inspect pub-Internet-pmap class type inspect out-cmap inspect ! policy-map type inspect LAN-Internet-pmap class type inspect out-cmap inspect ! policy-map type inspect Internet-pub-pmap class type inspect Internet-pub-cmap-ftp inspect class type inspect Internet-pub-cmap-http inspect class type inspect Internet-pub-cmap-smtp inspect ! policy-map type inspect Internet-self-pmap class class-default drop log ! zone security pub zone security LAN zone security Internet zone-pair security pub-Internet source pub destination Internet service-policy type inspect pub-Internet-pmap zone-pair security LAN-Internet source LAN destination Internet service-policy type inspect LAN-Internet-pmap zone-pair security Internet-pub source Internet destination pub service-policy type inspect Internet-pub-pmap zone-pair security Internet-self source Internet destination self service-policy type inspect Internet-self-pmap ! ! interface FastEthernet0/0 description ISP 1 - Only for LAN Network ip vrf forwarding LAN ip address 1.0.0.2 255.255.255.252 ip nat outside zone-member security Internet ip virtual-reassembly speed auto no cdp enable ! interface FastEthernet0/1 description Trunk to Switch no ip address duplex auto speed auto no cdp enable ! interface FastEthernet0/1.171 description LAN encapsulation dot1Q 171 ip vrf forwarding LAN ip address 10.1.2.1 255.255.255.0 ip nat inside zone-member security LAN ip virtual-reassembly no cdp enable ! interface FastEthernet0/1.172 description Public Server Network encapsulation dot1Q 172 ip vrf forwarding pub ip address 10.1.2.1 255.255.255.0 ip nat inside zone-member security pub ip virtual-reassembly no cdp enable ! interface Serial0/0 description ISP 2 - Only for Public Server Network ip vrf forwarding pub ip address 1.1.0.2 255.255.255.252 ip nat outside zone-member security Internet ip virtual-reassembly speed auto no cdp enable ! ip route vrf LAN 0.0.0.0 0.0.0.0 1.0.0.1 ip route vrf pub 0.0.0.0 0.0.0.0 1.1.0.1 ! ip nat pool Global-LAN 1.0.1.1 1.0.1.1 netmask 255.255.255.0 ip nat pool Global-Public 1.1.1.1 1.1.1.1 netmask 255.255.255.0 ip nat inside source list 10 pool Global-LAN vrf LAN overload ip nat inside source list 20 pool Global-Public vrf pub overload ! ! The following static NAT translations allow access from the internet to ! servers in each VRF. Be sure the static translations correlate to �inspect� ! statements in in the Zone Firewall configuration, the internet-facing list. ! Note that the ACLs used in the firewall correspond to the end-host address, not ! the NAT Outside address ! ip nat inside source static tcp 10.1.2.2 21 1.1.2.2 21 vrf pub extendable ip nat inside source static tcp 10.1.2.3 25 1.1.2.3 25 vrf pub extendable ip nat inside source static tcp 10.1.2.4 80 1.1.2.4 80 vrf pub extendable ! access-list 10 remark NAT for LAN access-list 10 remark 10.1.2.0 0.0.0.255 access-list 20 remark NAT for Public Server network access-list 20 remark 10.1.2.0 0.0.0.255 ! access-list 121 remark From Internet to Public FTP server access-list 121 permit ip any host 10.1.2.2 access-list 122 remark From Internet to Public Mail server access-list 122 permit ip any host 10.1.2.3 access-list 123 remark From Internet to Public Web server access-list 123 permit ip any host 10.1.2.4 ! ! Disable CDP ! no cdp run ! end 2. Switch (i.e. Catalyst 2950, 2960, etc.) vlan 1 name VLAN_Database vlan 171 name LAN vlan 172 name pub ! interface FastEthernet0/1 description Trunk to Router switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/2 description LAN switchport mode access switchport access vlan 171 ! interface FastEthernet0/3 description LAN switchport mode access switchport access vlan 171 ! interface FastEthernet0/4 description LAN switchport mode access switchport access vlan 171 ! interface FastEthernet0/5 description LAN switchport mode access switchport access vlan 171 ! interface FastEthernet0/6 description LAN switchport mode access switchport access vlan 171 ! interface FastEthernet0/7 description Public server network switchport mode access switchport access vlan 172 ! interface FastEthernet0/8 description Public server network switchport mode access switchport access vlan 172 ! interface FastEthernet0/9 description Public server network switchport mode access switchport access vlan 172 ! interface FastEthernet0/10 description Public server network switchport mode access switchport access vlan 172 ! interface FastEthernet0/11 description Public server network switchport mode access switchport access vlan 172 ! interface FastEthernet0/12 description Public server network switchport mode access switchport access vlan 172 ! interface Vlan1 description VLAN Database no ip address shutdown ! feedback form by aryoba last modified: 2009-02-26 12:12:30


Sunday, 05-Jul 05:21:46	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9.5 years online! © 1999-2009 dslreports.com. republican-creole