My setup is a Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose the HTTP, HTTPS, and SMTP ports on each of the servers on a unique public IP address within my x.x.x.230/29 address space.
The WAN port on the 1811 is configured with x.x.x.230/29. For Server A I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.
For Server B (local IP 192.168.0.3), I NAT the x.x.x.231 address for ports 25, 80, and 443. For Server C (local IP 192.168.0.4), I NAT the x.x.x.232 address for the same ports.
Can anyone offer a critique of this configuration and some ideas on the best-practice topology for providing routing, VPN and firewall functionality for these servers?
My question arises because I now have a site-to-site VPN with Server B at the local end, and I am unable to connect to Server B's SMTP port because of the following NAT statements. I can confirm that this is the case, since by removing the statement I am able to connect.
Here is the NAT section of the show run:
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
I would appreciate any and all comments on the way it is currently configured, as well as:
- How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.
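One way to keep the static mappings for Server B while leaving tunnel-bound traffic untranslated, as an added example that is not part of the original post: on IOS, inside-to-outside traffic is translated before it is encrypted, so a static entry for 192.168.0.3:25 also rewrites Server B's replies heading into the tunnel and they no longer match the crypto ACL. Attaching a route-map to each static entry skips the translation when the destination is the remote VPN subnet, the same approach SDM already uses for the dynamic overload entry. REMOTE_NET/REMOTE_WILDCARD, the ACL name and the route-map name are placeholders; the keyword order follows the IOS NAT command reference (extendable before route-map) and should be confirmed against the running IOS release.

```cisco
! Added example, not from the original configuration. REMOTE_NET / REMOTE_WILDCARD
! stand for the subnet behind the far end of the site-to-site VPN; the ACL and
! route-map names are chosen here, not taken from the running config.
!
! Flows from the server LAN to the VPN peer's subnet are denied here, which means
! "do not translate"; everything else stays eligible for the static mappings.
ip access-list extended NAT-EXEMPT-VPN
 deny   ip 192.168.0.0 0.0.0.255 REMOTE_NET REMOTE_WILDCARD
 permit ip any any
!
route-map STATIC-NAT-EXEMPT permit 10
 match ip address NAT-EXEMPT-VPN
!
! Server B: same public address and ports as before, but the translation is
! applied only to flows the route-map permits, so tunnel-bound ones pass through
! untranslated and still match the crypto ACL.
no ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable route-map STATIC-NAT-EXEMPT
no ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable route-map STATIC-NAT-EXEMPT
no ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable route-map STATIC-NAT-EXEMPT
!
! Check: after opening an SMTP session over the tunnel, no translation entry
! should appear for 192.168.0.3:25 towards the remote host, while a session
! from the Internet still creates one.
! show ip nat translations | include 192.168.0.3:25
```

Existing translations for Server B survive the `no` lines, so run `clear ip nat translation *` (briefly interrupting active NAT sessions) before testing, and apply the same route-map to the Server C entries if Server C is ever reached over the tunnel.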