Virtual Router/ Firewall/ VPN

New Contributor
Posts: 2
Registered: 11-06-2014

To host a webserver

Dear All,

Now I am trying to find a solution for this network structure.

Aim: To host a webserver

Products used: HP Blade Server, Brocade FastIron 648 Switch, Cisco ASA 5500 Firewall, Cisco 1900 Router

Connectivity: Static IP with leased line from one ISP (8 IPs with 6 usable)

Setup: Server --> Switch --> Firewall --> Router --> ISP ----------- ISP --> Router --> User

Server: 192.168.20.10/24

Switch: 192.168.20.2/24

Firewall: 192.168.10.2/24 (router end) and 192.168.20.1/24 (switch end)

Router: 192.168.10.1/24 (firewall end) and 11.11.11.12 (serial) (WAN IP)

Default gateway for Router: 11.11.11.11 (WAN IP gateway)

Usable public LAN IP: 20.12.1.1-20.12.1.8

I would like to host the server using one of the public LAN IPs NATed to the server.


Re: To host a webserver

mm

I'm gonna try this:

http://www.dslreports.com/faq/15512


==================================


Which device should face the ISP?

You have a router and a firewall as separate devices. Review the possibility of setting up the network as follows.

1st Setup: ISP -- Router -- Firewall -- LAN
2nd Setup: ISP -- Firewall -- Router -- LAN

When there is an external modem connecting to the ISP, the modem is probably giving an Ethernet hand-off. With this in mind, it is possible to have the 2nd setup.

Several situations that might prevent you from having the 2nd setup are the following:

* There is no external modem, and you have to use the integrated modem within the router
* Your ISP requires PPPoA, which your firewall is unable to support
* Your ISP hands off a non-Ethernet cable (e.g. T1/E1, DWDM)

When your situation falls within one of the above, you have to have the 1st setup.

Scenario 1: You Have The 1st Setup And Firewall Needs To Receive Public IP Address

There are several possibilities for the setup:

* Set a static NAT/PAT between the router and the firewall
* Set the router to be a bridge/modem

Setting up a router as a bridge/modem might "downgrade" your router functionality. Whenever possible, you should therefore consider setting up static NAT/PAT between the router and the firewall.

Case Studies

The 1st Setup: Router in front of Firewall

1. Router with integrated T1 modem terminates T1 circuit

This is using the 1st setup, where the router is terminating the T1 circuit with the ISP. In this case, the router is a Cisco with an integrated T1 modem and the firewall is a PIX Firewall. This case study assumes that you have a /29 IP block from your ISP, where you can use one IP address for the router and another for the PIX Firewall.

Router Configuration

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
clock timezone est -5
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
!
no ip bootp server
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0
 description WAN Interface
 ip address 198.131.65.2 255.255.255.248
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 no ip mroute-cache
 fair-queue
 service-module t1 timeslots 1-24
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 198.131.65.1
ip route 192.168.101.0 255.255.255.0 192.168.100.2
!
! Outbound: the LAN behind the PIX (192.168.101.0/24, which the PIX passes
! untranslated via "nat (inside) 0") is overloaded onto the Serial0/0 address.
! "list 10" needs a matching standard ACL, otherwise nothing is translated.
access-list 10 permit 192.168.101.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
!
! Inbound: one spare public address is mapped one-to-one to the PIX outside
! interface, so the firewall effectively "receives" a public IP address.
ip nat inside source static 192.168.100.2 198.131.65.3
!
!
no cdp run
!
line con 0
line aux 0
!
! "login" with no line password set makes IOS refuse every vty session
! ("Password required, but none set"); set a password or use "login local"
line vty 0 4
 login
!
!
end


PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.2 255.255.255.252
ip address inside 192.168.101.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
: "public" is the well-known default community string; change it, or remove
: SNMP entirely if nothing polls this firewall
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Description

* The public IP subnet is configured only on the router WAN side. The router LAN and PIX Firewall interfaces use private IP subnets
* There is a static NAT on the router between an available public IP address and the PIX Firewall outside interface, so the firewall "receives" a public IP address
* The LAN machines use the router WAN interface to go out to the Internet

2. Router as PPPoA client to the ISP

This is using the 1st setup, where the router is doing PPPoA as the ISP requires to connect to the Internet. In this case, the router is a Cisco with an integrated DSL modem and the firewall is a PIX Firewall. This case study assumes that you have a /29 IP block from your ISP, where you can use one IP address for the router and another for the PIX Firewall.

Router Configuration

version 12.1
!
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
ip subnet-zero
!
interface Ethernet0
 ip address 198.131.65.2 255.255.255.248
 no ip directed-broadcast
 no ip mroute-cache
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 1/150
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 hold-queue 224 in
!
! replace "username" / "password" below with the CHAP credentials the ISP supplied
interface Dialer0
 description PPPoA session to the ISP, borrowing the Ethernet0 public address
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
end


PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.131.65.3 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
name 192.168.100.5 SYSLOG_SERVER_01
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging trap informational
logging host inside SYSLOG_SERVER_01
mtu outside 1500
mtu inside 1500
ip address outside PUBLIC_IP_01 255.255.255.248
: the inside interface must not reuse WEB_SERVER_01 (192.168.100.1), which the
: www static below forwards to; .254 keeps the interface off every server address
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location TERMINAL_SERVER_01 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 198.131.65.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
: "public" is the well-known default community string; change it, or remove
: SNMP entirely if nothing polls this firewall
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Description

Step 1: Basic Router Configuration

* Do not set up the router LAN or PIX Firewall outside interfaces yet; just the router Dialer interface
* If you can set up the Dialer interface with a static IP address without using "ip negotiated", you can skip this Step 1. If you have to use "ip negotiated", keep reading
* Set the Dialer interface with the proper public IP address and the gateway using "ip negotiated" and "ip route" pointing to the Dialer interface. Use the ipcp command to set the default gateway when possible
* Run "show ip route" to find out the Dialer public IP address and gateway (the ISP equipment IP address)

Step 2: Configure LAN interfaces

* Move the Dialer public IP address to the Ethernet interface and set the Dialer as "ip unnumbered Ethernet"
* Configure the PIX Firewall outside interface using the next available public IP address
* Set the default gateway pointing to the ISP equipment IP address
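The second case study's PIX configuration is the piece that actually decides what reaches the servers, so here is an added Python model of that decision (example code written for this page, not taken from the post above or from the dslreports FAQ). It encodes the names table, the two object-groups, access-list INBOUND and the four port-forwarding statics from that configuration, then runs constructed flows through them. The flows and the 203.0.113.5 source address are made up for the demo; an unsolicited packet is delivered only when the access-list permits it and a static owns the destination port, which is the property the output shows.

```python
"""Model of the inbound decision made by the second PIX configuration above.

Added example; not part of the forum post or the quoted FAQ. It re-implements
the two things that together decide what an unsolicited packet arriving on the
'outside' interface may do: the INBOUND access-list with its object-groups, and
the port-redirecting 'static (inside,outside) tcp interface ...' entries. The
'names' table is copied from that configuration; the flows fed to it are
constructed for the demo (203.0.113.5 is a documentation-range address).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# 'names' from the PIX configuration
NAMES = {
    "PUBLIC_IP_01": "198.131.65.3",
    "WEB_SERVER_01": "192.168.100.1",
    "FTP_SERVER_01": "192.168.100.2",
    "MAIL_SERVER_01": "192.168.100.3",
}

# object-group icmp-type ICMP-INBOUND: only replies to traffic that left from inside
ICMP_INBOUND = {"echo-reply", "unreachable", "time-exceeded"}

# object-group service PUBLIC_SERVER-TCP tcp: range ftp-data ftp, eq smtp, eq www
PUBLIC_SERVER_TCP = {20, 21, 25, 80}

# static (inside,outside) tcp interface <port> <server> <port> ...
# outside-interface port -> inside server that owns it (same port on both sides)
STATICS = {80: "WEB_SERVER_01", 20: "FTP_SERVER_01", 21: "FTP_SERVER_01", 25: "MAIL_SERVER_01"}


@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str                         # destination as seen on the outside wire
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # icmp type name, PIX style ("echo", "echo-reply", ...)


@dataclass(frozen=True)
class Verdict:
    permitted: bool
    reason: str
    translated_to: Optional[str] = None  # "ip:port" the packet is forwarded to


def acl_inbound(flow: Flow) -> Tuple[bool, str]:
    """Walk access-list INBOUND top to bottom; the last entry is an implicit deny."""
    if flow.dst == NAMES["PUBLIC_IP_01"]:
        if flow.proto == "icmp" and flow.icmp_type in ICMP_INBOUND:
            return True, "permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND"
        if flow.proto == "tcp" and flow.dport in PUBLIC_SERVER_TCP:
            return True, "permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP"
    return False, "implicit deny at end of access-list INBOUND"


def evaluate(flow: Flow) -> Verdict:
    """A packet is delivered only if the ACL permits it AND a static owns the port."""
    ok, reason = acl_inbound(flow)
    if not ok:
        return Verdict(False, reason)
    if flow.proto == "tcp":
        owner = STATICS.get(flow.dport)
        if owner is None:
            # permitted by the ACL but nothing to untranslate to: the PIX drops it
            return Verdict(False, f"{reason}, but no static for tcp/{flow.dport}")
        return Verdict(True, reason, f"{NAMES[owner]}:{flow.dport}")
    # permitted ICMP replies are matched against the xlate table (not modelled here)
    return Verdict(True, reason)


# constructed sample flows: what the Internet side might send to PUBLIC_IP_01
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.5", "198.131.65.3", dport=80),
    Flow("tcp", "203.0.113.5", "198.131.65.3", dport=25),
    Flow("tcp", "203.0.113.5", "198.131.65.3", dport=22),
    Flow("udp", "203.0.113.5", "198.131.65.3", dport=53),
    Flow("icmp", "203.0.113.5", "198.131.65.3", icmp_type="echo"),
    Flow("icmp", "203.0.113.5", "198.131.65.3", icmp_type="echo-reply"),
    Flow("tcp", "203.0.113.5", "198.131.65.2", dport=80),  # the router, not the PIX
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        v = evaluate(f)
        target = f" -> {v.translated_to}" if v.translated_to else ""
        what = f.dport if f.dport is not None else f.icmp_type
        print(f"{f.proto:4} {f.dst}:{what:<10} {'PERMIT' if v.permitted else 'DROP  '}{target}  ({v.reason})")
```

Two things the run makes visible: a ping from the Internet to PUBLIC_IP_01 is dropped because ICMP-INBOUND lists only reply types, and anything aimed at the router's own address (198.131.65.2) never matches an entry, so the outside interface is default-deny for everything not explicitly published.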

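Both case studies start from a /29 block with one address for the router and one for the firewall. The following added helper (written for this page; it is not the FAQ's or the poster's code) checks such a plan: it parses the router's `ip nat inside source static` lines, flags translation targets that fall outside the block or on its network/broadcast address, lists which public addresses remain free, and shows which CIDR blocks a range written as first-last actually spans. The router lines are those of case study 1; CASE_STUDY_1, the deliberately wrong .7 static and the use of the first-last range quoted in the original post are constructed inputs.

```python
"""Check a /29 public addressing plan against the router NAT statements that use it.

Added example; not from the forum post or the quoted FAQ. The FAQ's case studies
assume a /29 block with one address for the router and one for the firewall; this
helper takes the block, the addresses handed out by role, and the router's
'ip nat inside source static' lines, then reports the addresses still free and
any assignment that lies outside the block, hits network/broadcast, or collides.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

STATIC_RE = re.compile(r"^\s*ip nat inside source static\s+(\S+)\s+(\S+)\s*$")

# lines taken from the case-study-1 router configuration above
ROUTER_SNIPPET = """
interface Serial0/0
 ip address 198.131.65.2 255.255.255.248
ip route 0.0.0.0 0.0.0.0 198.131.65.1
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static 192.168.100.2 198.131.65.3
"""

# roles handed out in case study 1 (constructed from its configuration)
CASE_STUDY_1 = {
    "ISP gateway (default route)": "198.131.65.1",
    "router Serial0/0": "198.131.65.2",
}


def check_plan(cidr: str, assigned: Dict[str, str], router_config: str) -> Tuple[List[str], List[str]]:
    """Return (free_public_addresses, problems) for the plan."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: an unaligned block is rejected
    used: Dict[ipaddress.IPv4Address, str] = {}
    problems: List[str] = []

    def claim(ip: str, role: str) -> None:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{role}: {ip} is not inside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{role}: {ip} is the network or broadcast address of {net}")
        elif addr in used:
            problems.append(f"{role}: {ip} is already used by {used[addr]}")
        else:
            used[addr] = role

    for role, ip in assigned.items():
        claim(ip, role)
    # every static's outside address must also be a distinct, usable block member
    for line in router_config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            inside, outside = m.groups()
            claim(outside, f"static NAT for {inside}")

    free = [str(h) for h in net.hosts() if h not in used]
    return free, problems


def range_as_blocks(first: str, last: str) -> List[str]:
    """CIDR blocks an inclusive first-last range really covers.

    A /29 is only a /29 when it starts on a multiple of 8; a range written as
    first-last may straddle two blocks, which this makes visible.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    free, problems = check_plan("198.131.65.0/29", CASE_STUDY_1, ROUTER_SNIPPET)
    print("free for further statics:", free)
    print("problems:", problems or "none")
    # a deliberately wrong static (constructed) to show the checker catching it
    bad = ROUTER_SNIPPET + "ip nat inside source static 192.168.100.3 198.131.65.7\n"
    print("problems with a .7 static:", check_plan("198.131.65.0/29", CASE_STUDY_1, bad)[1])
    print("blocks spanned by 20.12.1.1-20.12.1.8:", range_as_blocks("20.12.1.1", "20.12.1.8"))
```

With the case-study addressing, .4 to .6 remain free for more one-to-one mappings, and a static aimed at .7 is reported because that is the block's broadcast address. Run against a range given as first-last rather than as a CIDR, range_as_blocks shows whether the eight addresses the ISP quoted really form one aligned /29 before any of them is committed to a NAT statement.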