Advice Required for Setup

Mansoor Hafeez · ‎10-15-2007

Greetings

As per my network setup, the scenario will be that the server on the untrust side will send data to the server on the Trusted site.

I have received in total 3 IP Addresses from the UNTRUST NETWORK PROVIDER those are as follows:

1. 10.150.39.253/24

2. 10.150.39.243

3. 10.150.39.244

The first IP Address i.e. 10.150.39.253/24 is used for the WAN connection with the untrust network.

The rest of the two IPs have to be used for the Trusted Server Communication with Untrust Server.

In actual I have two firewalls used as an active/standby configuration.

Now I have the following issues:

If I used the IP address 10.150.39.243 on Routers interface Fa0/0 and IP Address 10.150.39.244 on eth2 interface of Firewall than how can i perform the Nating for the Trusted Server IP Address?

Also what IP Address than will be used for the Standby Firewall?

Thanks and Regards

Mansoor Hafeez

JORGE RODRIGUEZ · ‎10-15-2007

Hi Mansoor, my question, why does un-trusted network have to dictate what IP address you should use in your FW eth2, in most cases un-trusted in your scenario would be consider a DMZ point in your firewall one that you have full admin control, you should configure eth2 with a private subnet of your choice with a /24 and give the un-trusted entity an IP address from the /24 subnet for their Fe0/0 router interface.

In any case, in your scenario, for example un-trusted network wants to connect to trusted server 192.168.100.18 for RDP connection in your inside LAN, you give trusted server 192.168.100.18 a static nat address from the 10.150.39.x private ip block for inbound access, say you have allocated 10.150.39.40 for the NAT address translation of your inside trusted server.

static (eth3,eth2) 10.150.30.40 192.168.100.18 netmask 255.255.255.255 0 0

access-list eth2_access_in permit tcp any host 10.150.30.40 eq 3380

access-group eth2_access_in in interface eth2

For failover IP you need to allocate an IP address from the same 10.150.30.x IP subnet and use it for failover Ip address , go over this document for an overview of active/standby interface configurations.. if you have any questions please ask.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Rgds

Jorge

Jorge Rodriguez

Mansoor Hafeez · ‎10-17-2007

I have few limitations with me.

1. I cannot place the trusted server in DMZ zone.

2. I have to utilized the two IPs given by the untrust network personal.

3. Now how to utilize the two IPs is real issue as if one will be given to router interface and other will be given to firewall than I will not get the IP for Standby firewall as well as the IP for NAT.

I hope that you now understand my issue...

JORGE RODRIGUEZ · ‎10-17-2007

you can still NAT inbound traffic comming from eth2 to 192.168.100.18 server

e.g using RDP

access-list acl_eth2 permit tcp any host 192.168.100.18 eq 3389

access-group acl_eth2 in interface eth2

nat (eth3) 1 192.168.100.0 255.255.255.0

global (eth2) 1 interface

static (eth3,eth2) interface 192.168.100.18 tcp 3389

Jorge Rodriguez

Mansoor Hafeez · ‎10-21-2007

Sorry to bother you again. If you look again at my network setup What IP Address should be given to Router Interface fa0/0? What now i understand from your advice is that i will give the two IPs to eth2 interface.

Please correct me if i am wrong.

Mansoor