Live IP Isolation

Unanswered Question
Nov 30th, 2009

Dear All,

I am facing a problem: all my network computers' traffic, Microsoft Exchange traffic and VPN traffic goes through one link.

I have a pool of live IP addresses with a mask of /29.

Some of my computers have a virus and they broadcast to port 25 (SMTP), which causes my live IP to be blocked on different spam sites, resulting in my Exchange emails bouncing with errors. Then I need to clear my IP address from those sites and change the live IP from my pool.

I want to isolate my live IPs with the following config:

1 - Microsoft Exchange traffic should use one live IP address

2 - VPN traffic should use one live IP address

3 - Internal network computers should use the remaining live IP pool for internet surfing.

Currently my configuration is:

interface fa0/0
 ip address 192.168.74.1 255.255.255.0 (for example)
 ip nat inside
interface fa0/1
 ip address 55.55.55.55 255.255.255.248 (for example)
 ip nat outside

ip local pool ippool 192.168.55.100 192.168.55.200

ip nat inside source list deny_vpn_go_nat interface fa0/1 overload

ip access-list extended deny_vpn_go_nat
 deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any

In the above scenario I am using only one live IP from the pool; the others are not in use. I want to use them with this config:

ip access-list extended deny_vpn_go_nat
 deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

ip nat pool localint 58.27.232.19 58.27.232.21 netmask 255.255.255.248

ip access-list extended locint
 deny   ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list locint pool localint overload

Please advise whether this configuration will work or not, as my router is in a production network and I can only take limited downtime for the configuration change.

Any other idea for isolating my live IP addresses will be very helpful for me.

Thanks in Advance

Junaid Abbas

Collin Clark Tue, 12/01/2009 - 06:48

> 1 - Microsoft Exchange traffic should use one live IP address
>
> 2 - VPN traffic should use one live IP address
>
> 3 - Internal network computers should use the remaining live IP pool for internet surfing.

1. I would restrict the users from being able to SMTP out to the internet directly.

An ACL on the inside interface would look something like this:

access-list 100 permit tcp host [Exchange IP] any eq 25
access-list 100 deny tcp any any eq 25

This will allow Exchange but block everything else.

2. This has to be the interface IP.

3. With the configuration of 1, you don't need to do this.

Junaid Abbas Tue, 12/01/2009 - 20:32

Hi Collin,

Thanks for your support,

If I use my existing config shown in my first post together with your advised configuration for blocking SMTP traffic except from MS Exchange, it will be helpful as far as my live IP blockage is concerned.

I have only 2 WAN ports on my router, a Cisco 2811. I am using fa0/0 for inside and fa0/1 for outside.

Please advise how I could dedicate one live IP for VPN, one for Exchange, and the other pool for net surfing.

As I am already trying to make a pool and overload it, will it be helpful? Or is this the correct way?

Please advise.

Thanks

Junaid

Collin Clark Wed, 12/02/2009 - 07:27

For a static NAT to your Exchange server:

ip nat inside source static 192.168.74.99 55.55.55.3

The VPN will always use the IP of your outside interface.

A NAT pool for users:

ip nat pool TEST 55.55.55.2 55.55.55.2 netmask 255.255.255.0
ip nat inside source list 7 pool TEST
access-list 7 permit 192.168.74.0 0.0.0.255

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Make sure you lab it up before implementing as I'm not 100% sure if the TEST pool will overload.
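A small Python model of the two pieces of advice in this thread (the inside-interface ACL that limits outbound SMTP to the Exchange host, and the static NAT plus user pool for source translation), added here as an illustration. It is not Cisco code and not something either poster wrote. It uses the thread's own example addresses (Exchange 192.168.74.99 mapped to 55.55.55.3, pool 55.55.55.2, access-list 7 permitting 192.168.74.0/24); the workstation 192.168.74.50, the host 192.168.1.20 and the destination 203.0.113.10 are constructed. ACLs are evaluated the way IOS does it, first match wins and anything unmatched hits the implicit deny at the end, which is why the two-line access-list 100 exactly as posted, applied to the inside interface, also stops a workstation's ordinary web traffic until a final `permit ip any any` is added. Static translations are tried before the dynamic pool, and a source that matches no NAT rule (such as 192.168.1.0/24 under access-list 7) leaves untranslated; VPN traffic terminated on the outside interface is not modelled, since it is the router's own address rather than a translation.

```python
"""Model of the egress ACL and NAT behaviour discussed in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def _matches(e: AclEntry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))


def evaluate_acl(acl: List[AclEntry], p: Packet) -> str:
    """IOS semantics: first matching entry wins; no match means the implicit deny."""
    for e in acl:
        if _matches(e, p):
            return e.action
    return "deny"


# Constructed values in the thread's own example ranges.
EXCHANGE_INSIDE = "192.168.74.99"
EXCHANGE_OUTSIDE = "55.55.55.3"        # target of the static NAT from the reply
USER_POOL = ["55.55.55.2"]             # 'ip nat pool TEST' from the reply

# access-list 100 exactly as posted: two lines and nothing after them.
SMTP_ACL_AS_POSTED = [
    AclEntry("permit", "tcp", net(EXCHANGE_INSIDE + "/32"), ANY, 25),
    AclEntry("deny",   "tcp", ANY, ANY, 25),
]
# The same ACL with an explicit catch-all so other traffic still passes.
SMTP_ACL_COMPLETE = SMTP_ACL_AS_POSTED + [AclEntry("permit", "ip", ANY, ANY)]

STATIC_NAT = {EXCHANGE_INSIDE: EXCHANGE_OUTSIDE}
USER_NAT_ACL = [AclEntry("permit", "ip", net("192.168.74.0/24"), ANY)]  # access-list 7


def translate_source(p: Packet) -> Optional[str]:
    """Pick the public source address: static entries win, then the dynamic pool."""
    if p.src in STATIC_NAT:
        return STATIC_NAT[p.src]
    if evaluate_acl(USER_NAT_ACL, p) == "permit":
        # With 'overload' every permitted inside host shares the pool address(es);
        # choose one deterministically so the result is reproducible here.
        return USER_POOL[int(ipaddress.ip_address(p.src)) % len(USER_POOL)]
    return None   # no translation rule applies; the packet would leave untranslated


def egress(p: Packet, acl: List[AclEntry]) -> Tuple[str, Optional[str]]:
    """Inside-interface ACL first, then NAT, matching the router's own ordering."""
    verdict = evaluate_acl(acl, p)
    return verdict, (translate_source(p) if verdict == "permit" else None)


if __name__ == "__main__":
    ws_web = Packet("192.168.74.50", "203.0.113.10", "tcp", 80)
    print(egress(ws_web, SMTP_ACL_AS_POSTED))   # implicit deny stops the web traffic
    print(egress(ws_web, SMTP_ACL_COMPLETE))    # permitted and translated to the pool
```

Running the module prints the two verdicts for a workstation's web request, first with the ACL as posted and then with the catch-all appended; the difference is the implicit deny, which is worth checking in the lab before the change window.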
