11-06-2014 05:13 PM
Now i am trying to find an solution for this network structure
Aim: To host an webserver
Products used : HP Blade Server,Brocade Fastiron 648 Switch, Cisco ASA Firewall 5500, Cisco Router 1900
Connectivity : Static ip with Leased line from one ISP (8 IP's with 6 usable)
Setup: Server -->Switch-->Firewall-->Router-->ISP-----------ISP-
Server : 192.168.20.10/24
Switch : 192.168.20.2/24
Firewall : 192.168.10.2/24 (router end) and 192.168.20.1/24(switch end)
Router : 192.168.10.1/24 (firewall end) and 188.8.131.52(serial) (WAN IP)
Default gateway for Router : 184.108.40.206 (Wan ip gateway)
Usable public LAN ip : 220.127.116.11-18.104.22.168
Like to host the server using one of the public lan ip natted with the server
11-09-2014 08:15 AM
i m gonna try this
Which device should face the ISP?
You have a router and firewall in separate device. You review the possibility of setting the network as follows.
1st Setup: ISP -- Router -- Firewall -- LAN
2nd Setup: ISP -- Firewall -- Router -- LAN
When there is an external modem to connect to the ISP, the modem is probably giving an Ethernet hand off. With this in mind, then it is possible to have the 2nd setup.
Several situations that might prevent you to have the 2nd setup are following
* There is no external modem, and you have to use the integrated modem within the router
* Your ISP requires PPPoA which your firewall is unable to support
* Your ISP hands off non-Ethernet cable (i.e. T1/E1, DWDM)
When your situation falls within one of the above, then you have to have the 1st setup.
Scenario 1: You Have The 1st Setup And Firewall Needs To Receive Public IP Address
There are several possibilities to setup
* Set a static NAT/PAT between the router and the firewall
* Set the router to be a bridge/modem
Setting up a router as a bridge/modem might "downgrade" your router functionality. Whenever possible, you then should consider setting static NAT/PAT between the router and firewall.
The 1st Setup: Router in front of Firewall
1. Router with integrated T1 modem terminates T1 circuit
This is using the 1st setup where the router is terminating T1 circuit with the ISP. In this case, the router is Cisco with integrated T1 modem and the firewall is PIX Firewall. This case study assumes that you have /29 IP block from your ISP where you can use one IP address for the router and another IP address for the PIX Firewall.
PIX Firewall Configuration
* Public IP subnet is configured only on the router WAN side. The router LAN and PIX Firewall intefaces are using Private IP subnets
* There is static NAT on the router in place between available Public IP address and the PIX Firewall outside interface to set the Firewall of "receiving" Public IP address
* The LAN machines uses the router WAN interface to go out to the Internet
2. Router as PPPoA client to the ISP
This is using the 1st setup where the router is doing PPPoA as the ISP requirement to connect to the Internet. In this case, the router is Cisco with integrated DSL modem and the firewall is PIX Firewall. This case study assumes that you have /29 IP block from your ISP where you can use one IP address for the router and another IP address for the PIX Firewall.
PIX Firewall Configuration
Step 1: Basic Router Configuration
* Do not setup router LAN or PIX Firewall outside interfaces yet; just the router Dialer interface
* If you can setup the Dialer interface with static IP address without using the "ip negotiated", you can skip this Step 1. If you have to use the "ip negotiated", keep reading
* Set the Dialer interface with the proper public IP address and the gateway using "ip negotiated" and "ip route" pointing to Dialer interface. Use the ipcp command to set the default gateway when possible
* Do "show ip route" to find out the Dialer public IP address and gateway (the ISP equipment IP address)
Step 2: Configure LAN interfaces
* Move the Dialer public IP address to the Ethernet interface and set the Dialer as "ip unnumbered Ethernet"
* Configure the PIX Firewall outside interface using the next available public IP address
* Set the default gateway pointing to the ISP equipment IP address