Finally taking the plunge, but wanna play it safe!

Blitzrommel (2[H]4U; joined Sep 26, 2001; 2,659 messages)
Someone's giving me a Cisco 2611 router since I mentioned I *might* be going for my CCNA, and I was told I can use it for my new apartment once I move in (July 23, woohoo!)

I'm not keen on Cisco products. I'm glad I've got a 2611 cause we have a bunch at work and my IT Director appreciates that I'm willing to try to learn it since he's the only one who knows anything about Cisco products and using the IOS.

My IT Director's getting me the SBC Yahoo! DSL Pro-S package which gives me some static IPs. He said it'd be fun to use the Cisco router to route between my home network and the internet -- which he said he'd help set up and show me how he did it. No probs there.

What he never told me, however, is if I'd need anything in terms of a firewall. I have a buncha computers, but I don't want to use NAT on this router since I have 5 static IPs. I've got a few servers that I want public on the internet (Mostly project servers, like DNS Nameserver, web/ftp, etc.). What'd be a good firewall solution for these kinds of projects? I plan on sticking an IPCop box between my personal stuff and the Cisco (and use NAT on the IPCop box). Here, let me do a Visio diagram. :)

[image: net.jpg -- network diagram]


I've only listed my NS by the servers. I plan on having more, but I wasn't sure how my IPs would be allocated either (Public IPs are noted as x.x.x.# where # is a relative number).

Any suggestions here/changes in network infrastructure required? I understand there's no practicality behind this -- it's mostly just for the learning experience. Thanks in advance!
 
you have 2 firewalls in that pic. the ipcop box and the pile of bricks. i'm not sure why you need both. also, in terms of running NAT and having multiple IPs- they are not mutually exclusive. i am not familiar with cisco stuff but with openbsd and linux you would simply alias all your IP addresses to the WAN interface on the router. do NAT on one of the IPs. use one for incoming HTTP and SMTP. use another for VPN.
 
Right, I have two firewalls -- but that is only because I didn't think IPCop would work without NAT since it was designed to be a NAT router. I certainly wouldn't mind having only one firewall. From my understanding of IPCop, one cannot have computers with public IPs behind the IPCop box. I know you can assign multiple IPs to the red interface on the IPCop machine, though. But would this solve my issue?

Lemme ask you this then -- with the Cisco router, how would you set this up? Keep in mind I have 5 static IPs to work with, and I'd like my servers to have public IPs. I don't care if my workstations have public IPs or not, prefer not (I have 6).
 
Also, I wouldn't mind ditching the Smoothwall for, say, a Netscreen 5GT, Cisco PIX 501 or something, if that'll do what I want.

EDIT: I was just screwing around on eBay looking at firewall appliances and found this

It's a bit excessive, but note the part that mentions "If your ISP allocates you multiple IP addresses, these are also supported and you can “map” IP addresses to individual PCs if desired."

The price is expensive, but this is exactly the feature I want. Is there a lower-end model that'd do this if I can't do it easily with my IPCop box? That's my question now.
 
but i'm saying- there are FREE things that will do what you want. why the hell would you buy a netscreen or pix for your house??

on the router you need to route. your ISP has given you 5 IP addresses. they didn't manufacture those out of thin air. they took a big network and chopped it into tiny ones- tiny little 5-node networks. you now own one of them. it has a network address, a broadcast address, subnet mask, and gateway associated with it. for example:
your IPs are: 192.168.1.2 - 192.168.1.6
your netmask is 255.255.255.248
thus, you have a network address of: 192.168.1.0
you have a gateway of 192.168.1.1
and you have a broadcast address of 192.168.1.7

those addys are all subnetted off by 255.255.255.248. the addresses in the middle are your usable IPs.

you need to set your router up to route between 192.168.1.0 and the wide world. that is it. hop on the router and create a routing table for 2 networks- 192.168.1.0 and 0.0.0.0.

now, you need a firewall. the firewall will sit right behind the router. you will assign the external NIC on the firewall an address- let's say 192.168.1.2. now you just alias the rest of your addresses to that interface (192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6).

now, what do you want to make public? let's say you want to run the following public services: email, webmail, terminal server, and your own web site. your internal IP addresses are all 10.0.0.x. set up the following rules:
incoming port 80 on 192.168.1.2 --> 10.0.0.52 port 80 (this is for your personal site)
incoming port 80 on 192.168.1.3 --> 10.0.0.62 port 80 (this is for your OWA site)
incoming port 80 on 192.168.1.4 --> 10.0.0.72 port 80 (this is for your terminal server site)
incoming port 25 on 192.168.1.2 --> 10.0.0.20 port 25 (this is for your email traffic)
incoming port 3389 on 192.168.1.2 --> 10.0.0.17 port 80 (this is so RDP to terminal server will work)

you should be able to do this with any of the following free solutions:
clarkconnect
smoothwall
ipcop
openbsd w/ pf
any linux box with iptables (yuck)

you just need to make sure your DNS records are going to send people to the correct external addresses.

HTH,
big boi
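The subnetting arithmetic and the port-forwarding table in the post above, worked through in code. This is an added example, not code from either poster: it uses the constructed /29 block from the post (192.168.1.2 - 192.168.1.6, mask 255.255.255.248) and a constructed rule set of its own, assumes the ISP gateway sits at the first host address as the post does, and renders each rule as the equivalent OpenBSD `pf` `rdr` line and Linux `iptables` DNAT line. The `check_rules` function is the part a practitioner would actually want: it refuses a forward whose public address is the network, gateway or broadcast address, whose target is outside the internal network, or that reuses a public address:port already forwarded somewhere else.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values taken from the post: a /29 block, first usable host .2.
FIRST_USABLE = "192.168.1.2"
NETMASK = "255.255.255.248"
INTERNAL_NET = "10.0.0.0/24"   # assumption: the 10.0.0.x LAN in the post is a /24


def subnet_details(host_ip: str, netmask: str) -> dict:
    """Derive network, gateway, broadcast and usable range for the block containing host_ip."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    hosts = list(net.hosts())  # every address except network and broadcast
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "gateway": str(hosts[0]),  # assumption: ISP router at the first host, as in the post
        "usable": [str(h) for h in hosts[1:]],
        "broadcast": str(net.broadcast_address),
    }


@dataclass(frozen=True)
class ForwardRule:
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int
    note: str


# Constructed rule set modelled on the post's table (personal site, OWA, RDP, SMTP).
RULES = [
    ForwardRule("192.168.1.2", 80, "10.0.0.52", 80, "personal site"),
    ForwardRule("192.168.1.3", 80, "10.0.0.62", 80, "OWA"),
    ForwardRule("192.168.1.2", 25, "10.0.0.20", 25, "SMTP"),
    ForwardRule("192.168.1.2", 3389, "10.0.0.17", 3389, "RDP to terminal server"),
]


def check_rules(rules, block: dict, internal_net: str = INTERNAL_NET) -> list:
    """Return a list of human-readable problems; an empty list means the rule set is sane."""
    problems = []
    inside = ipaddress.ip_network(internal_net)
    seen = set()
    for r in rules:
        # The firewall only answers on the aliased usable addresses; .0, .1 and .7 are never ours.
        if r.ext_ip not in block["usable"]:
            problems.append(f"{r.note}: {r.ext_ip} is not a usable address in the block")
        if ipaddress.ip_address(r.int_ip) not in inside:
            problems.append(f"{r.note}: target {r.int_ip} is outside {internal_net}")
        key = (r.ext_ip, r.ext_port)
        if key in seen:
            problems.append(f"{r.note}: {r.ext_ip}:{r.ext_port} is already forwarded elsewhere")
        seen.add(key)
    return problems


def to_pf(r: ForwardRule, ext_if: str = "fxp0") -> str:
    """Classic pf.conf rdr syntax (OpenBSD of the era the post describes)."""
    return (f"rdr on {ext_if} proto tcp from any to {r.ext_ip} port {r.ext_port} "
            f"-> {r.int_ip} port {r.int_port}")


def to_iptables(r: ForwardRule) -> str:
    """Equivalent Linux netfilter DNAT rule in the nat table."""
    return (f"iptables -t nat -A PREROUTING -d {r.ext_ip} -p tcp --dport {r.ext_port} "
            f"-j DNAT --to-destination {r.int_ip}:{r.int_port}")


if __name__ == "__main__":
    block = subnet_details(FIRST_USABLE, NETMASK)
    print(block)
    for problem in check_rules(RULES, block):
        print("PROBLEM:", problem)
    for rule in RULES:
        print(to_pf(rule))
        print(to_iptables(rule))
```

Run it as-is and the rule set passes cleanly; add a rule on 192.168.1.7 (the broadcast address) or a second forward of 192.168.1.2:80 and `check_rules` names the offending entry, which is the mistake most likely to leave a service unreachable or silently shadowed on a box that aliases five addresses to one interface.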
 