Web server and Global IP

Unanswered Question
Feb 14th, 2009

Please, I want to put a web server online so it can be accessed on the internet. I have assigned a global IP address to the server; my question is what other config do I need to do? Do I need NAT on the router or PC?

Giuseppe Larosa Sat, 02/14/2009 - 01:48

Hello Just,

If your router has a third interface that you can use as a DMZ with public IP addresses, you don't need NAT, and you need an L2 path between the server and this interface, but they need to be in the same public subnet.

If you have only a public interface and a private interface and you are using NAT you should:

configure the server with a private ip address

create a static NAT rule mapping that associates the private ip address to the specific public address that has to be used to access it from internet

ip nat inside source static private-address public-address

the public-address has to be excluded from the NAT pool (if you use a NAT pool)

Hope to help

Giuseppe

Just Kennie Sat, 02/14/2009 - 02:45

Thanks, I understand a bit. What I don't understand is the part about the DMZ.

What will I connect to the DMZ interface? The server? Explain the layer 2 path, and how will they be in the same subnet?

Also, can I use two interface cards on the server, one for WAN and one for LAN? Will I still need NAT?

Giuseppe Larosa Sat, 02/14/2009 - 04:08

Hello Just,

In security, the third leg/interface is called a DMZ (Demilitarized Zone).

So if your router has three logical interfaces and you have a block of public IP addresses, you can have the server with a public IP address on this third interface.

L2 path just means you have LAN connectivity between the server NIC and the router interface (this is always needed; sorry if I used unusual words for something so common).

Note: if you use two NICs on the server, one connecting to the internal network and one to the public side, the server can become a path to access your inside.

I would use a DMZ approach:

one wan interface

one internal lan interface

and the third leg for the server

the network device can then control what traffic can access the internal network from the server subnet

With the DMZ you can avoid using NAT.

If you use two NICs on the server, the security of your network depends on the server too and not only on the router/firewall.

You also don't need NAT if you use two NICs on the server, but I don't recommend this for the reasons I've described above.

Hope to help

Giuseppe

Mohamed Sobair Sat, 02/14/2009 - 02:23

Hi,

NAT is a security feature to look at. Another way to achieve security should be the Cisco IOS Firewall feature (CBAC).

1- Inspect whatever protocol your public server is running.

2- Apply an access-list

3- Apply the inspection rule to the interface.

Inspection can be applied in the (inbound & outbound) direction of the outgoing interface and the inbound direction of the incoming interface.

HTH

Mohamed
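
A configuration sketch of the three-leg DMZ layout discussed in this thread, combined with the three CBAC steps listed above. This is an added example, not something posted by any participant. Interface names, ACL and inspection-rule names, and all addresses (documentation ranges) are assumptions, and NAT for the private inside LAN is left out.

```cisco
! Constructed addressing:
!   198.51.100.0/30  WAN link
!   203.0.113.0/29   public DMZ block, web server at 203.0.113.2
!   192.168.10.0/24  inside LAN
!
! Step 1: inspection rules
ip inspect name FROM-OUTSIDE http
ip inspect name FROM-INSIDE tcp
ip inspect name FROM-INSIDE udp
!
! Step 2: access lists
ip access-list extended WAN-IN
 remark only HTTP to the web server may be started from the internet
 permit tcp any host 203.0.113.2 eq www
 deny   ip any any log
!
ip access-list extended DMZ-IN
 remark the server starts no sessions; CBAC opens the return path for replies
 deny   ip any any log
!
! Step 3: bind ACLs and inspection rules to the interfaces
interface FastEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect FROM-OUTSIDE in
!
interface FastEthernet0/1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip inspect FROM-INSIDE in
!
interface FastEthernet0/2
 description DMZ (third leg)
 ip address 203.0.113.1 255.255.255.248
 ip access-group DMZ-IN in
```

With DMZ-IN denying everything the server itself initiates, a compromised web server has no permitted path into 192.168.10.0/24; the `log` keyword on the deny lines records any such attempt.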

Just Kennie Sat, 02/14/2009 - 03:12

I understand, I just need my questions answered, so I can understand better. Can you please answer them? Thanks.

foxbatreco Sat, 02/14/2009 - 22:42

Kennie,

If your webserver within your network is directly assigned a global IP on its NIC interface, you can directly access it from outside using the desired port set in Windows IIS or the OS.

If you have assigned a local IP to the webserver inside your network, you will need to do NAT on the router so that any request coming from outside for this webserver via the global IP knows that it has to actually go to the local IP once the request hits the router.

something like this:

ip nat inside source static tcp 192.168.100.2 80 65.43.56.78 80 extendable

The first one will have your local IP and the second one the global IP you want it to be accessed with, followed by the port you have the service on.

Pls rate if this helps!

Just Kennie Wed, 02/18/2009 - 01:20

Thanks for all the time. If I am right, the two cases you gave are for a single NIC card.

If I have two network cards, I put the LAN IP on one and the WAN IP on the other... do I still need to do NAT? And what else?

Thanks.
