DMZ on a VLAN

Unanswered Question
Dec 3rd, 2008


Hi All,


I have configured a switchport vlan on a cisco router for my DMZ (to host my Exchange 2007 Edge Transport server) below:

!
interface Vlan5
 description DMZ VLAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!

Questions:

1) Is the config correct?

2) How can I make it very secure?

3) Do I need to configure any of my public (isp) ip address on this interface?


Thank you,



Pls. find below:

Thanks,


law

John Blakley Wed, 12/03/2008 - 08:25

1) Is the config correct?


Depends on the rest of the config, but if you can ping the vlan interface or a device in the vlan from the inside, it's working.


You have an "ip nat inside" statement on the vlan, but you didn't show your nat source statements, so I can only assume they're correct. You can try to get on the internet from your exchange server to see if nat's working correctly.


2) How can I make it very secure?

You would need an acl on your public interface to only allow traffic that you want in, and you would probably want an acl on the vlan only allowing the ports you need out from the exchange server.


3) Do I need to configure any of my public (isp) ip address on this interface?


Not if you're going to be using nat. If you have a public address, you can use static nat for the private address that's assigned to your exchange server.



HTH,


John


*please rate if helpful* It helps the forums.

sr2470182 Wed, 12/03/2008 - 08:51

Thanks John,


My NAT source is defined thus:

ip nat inside source list 100 interface Dialer1 overload

!

I can surely get on the internet from the vlan. Hence the NAT is working.


Can you link me to an example ACL configured for this purpose?


Thanks




John Blakley Wed, 12/03/2008 - 08:59

The acl on the outside interface would be something like:


! Named extended ACL for the outside interface: only SMTP to the public address
ip access-list extended PUBLIC
 permit tcp any host 22.22.22.22 eq 25
!
! Named extended ACL for the DMZ vlan: only SMTP out from the Exchange server
ip access-list extended VLAN5-Exchange
 permit tcp host 192.168.1.5 any eq 25
!
! Port-level static NAT (TCP/25 only)
ip nat inside source static tcp 192.168.1.5 25 22.22.22.22 25
!
OR
!
! Address-level static NAT (all ports)
ip nat inside source static 192.168.1.5 22.22.22.22


This would tell your router that anything coming in on 22.22.22.22 (the public ip assigned to your dialer) will get translated to 192.168.1.5. If you go with the second static, everything that's incoming on your 22.22.22.22 ip will go to the 192.168.1.5 address, and you would control the traffic that's allowed in by your PUBLIC acl. If you go with the first, it will only translate that one port (25) to that internal address.


HTH,


John
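Putting John's two pieces of advice together as one applied config (an added example, not from the thread or from Cisco): the ACLs are attached with ip access-group, the static NAT is port-level, and return traffic for sessions the inside or the DMZ opened is allowed back in. It assumes the Edge server is 192.168.5.5 (a constructed address inside the question's 192.168.5.0/24 DMZ), that 22.22.22.22 is the placeholder public IP from John's reply, and that Dialer1 is the outside interface named in the NAT overload statement.

```cisco
! --- Added example (not from the thread). Constructed values:
! Edge Transport server = 192.168.5.5 in the 192.168.5.0/24 DMZ from the question,
! 22.22.22.22 = placeholder public IP from John's reply, Dialer1 = outside interface.
!
! Inbound from the Internet: only SMTP to the published address, plus replies to
! TCP sessions that inside/DMZ hosts opened themselves. "established" is a stateless
! ACK/RST-bit check, not a real stateful firewall; everything else is dropped and logged.
ip access-list extended PUBLIC
 permit tcp any host 22.22.22.22 eq 25
 permit tcp any any established
 deny   ip any any log
!
! Inbound from the DMZ vlan (i.e. traffic the Edge server sends): it may originate
! SMTP and answer the SMTP sessions it accepted. Any other traffic, including attempts
! to reach the inside LAN, is dropped and logged, which is where a compromised DMZ host
! would show up in syslog.
ip access-list extended VLAN5-EXCHANGE
 permit tcp host 192.168.5.5 any eq 25
 permit tcp host 192.168.5.5 eq 25 any established
 deny   ip any any log
!
! Port-level static NAT: only TCP/25 on the public address is forwarded to the DMZ host
! (the "tcp" keyword is required for the port form of the command).
ip nat inside source static tcp 192.168.5.5 25 22.22.22.22 25
!
interface Vlan5
 description DMZ VLAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip access-group VLAN5-EXCHANGE in
!
interface Dialer1
 ip nat outside
 ip access-group PUBLIC in
```

Inbound ACLs on the outside interface are evaluated before NAT untranslates the destination, so PUBLIC matches on the public 22.22.22.22 address, not on 192.168.5.5.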

sr2470182 Wed, 12/03/2008 - 14:21

Thanks John,


Just to further inform you of my condition below:


1) My dialer is dynamically (negotiated) configured

2) I have a range (4) of IP addresses from my ISP


Thanks once again
