Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
0
Helpful
3
Replies

Live IP Isolation

junshah22
Level 1
Level 1

‎11-30-2009 10:14 PM - edited ‎03-04-2019 06:50 AM

Dear All,

I am facing a problem i.e, my all Network Computers traffic, Microsoft Exchange traffic, VPN traffic goes through one link,

I have a pool of live IP addresses with a mask of /29

some of my computers have virus and they broadcast to port 25 (smtp) which causes my live ip block on diffrent spam sites, resulting my Exchange emails bouncing with errors,,,,, then I need to clear my ip address from those sites and to change the live ip from my pool.....

I want to isolate my Live IP with the following config

1 - Microsoft Exchange Traffic should use one Live IP address

2 - VPN traffic shoud use one Live IP address

3 - Internal Network computers should use remaining Live IP pool for internet surfing.....

Currently my configuration is :

Int fa0/0

Ip address 192.168.74.1 255.255.255.0 (for example)

Ip nat inside

Int fa0/1

Ip address 55.55.55.55 255.255.255.248 (for example)

Ip nat outside

ip local pool ippool 192.168.55.100 192.168.55.200

Ip nat inside source list deny_vpn_go_nat interface fa0/1 overload

ip access-list extended deny_vpn_go_nat

deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any

In the above scenario, I am using my one live ip from the pool,, others are not in use,,, I want to use these with this config....

ip access-list extended deny_vpn_go_nat
deny   ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.3.255
deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

ip nat pool localint 58.27.232.19 58.27.232.21 netmask 255.255.255.248

ip access-list extended locint
deny ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any


ip nat inside source list locint pool localint overload

Please advise,, whether this configuration will work or not,, as my Router is in production network, and I can take only limited time for its down time for configuration change,,,.,,

Any other idea for Isolation of my Live IP addresses will be very helpful for me,,,

Thanks in Advance

Junaid Abbas

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎12-01-2009 06:48 AM

1 - Microsoft Exchange Traffic should use one Live IP address

2 - VPN traffic shoud use one Live IP address

3 - Internal Network computers should use remaining Live IP pool for internet surfing.....

1. I would restrict the users from being able to SMTP out to the internet directly.


An ACL on the inside interface would look something like this-

access-list 100 permit tcp host [Exchange IP] any eq 25

access-list 100 deny tcp any any eq 25

This will allow Exchange but block everything else.

2. This has to be the interface IP.

3. With the configuration of 1, you don't need to do this.

0 Helpful

junshah22
Level 1
Level 1
In response to Collin Clark

‎12-01-2009 08:32 PM

Hi Collin,

Thanks for your support,

If i use my existing config shown in my first post with your advised configuration for blocking smtp traffic except MS-Exchange, well, it will be helpful as well my live ip blockage is concern,

I have only 2 WAN Ports on my Router, Cisco 2811, I am using fa0/0 for inside and fa0/1 for outside,,

please advise, how could i dedicate my one live ip for VPN, one for exchange, and the other pool for net surfing,,,,

As I am already trying to make a pool and to overload it, will it be helpful? or is this the correct way?,,

Please Advise

Thanks

Junaid

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to junshah22

‎12-02-2009 07:27 AM

For a static nat to your exchange server-

ip nat inside source static 192.168.74.99 55.55.55.3

The VPN will always use the IP of your outside interface.

A nat pool for users-

ip nat pool TEST 55.55.55.2 55.55.55.2 netmask 255.255.255.0
ip nat inside source list 7 pool TEST
access-list 7 permit 192.168.74.0 0.0.0.255

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Make sure you lab it up before implementing as I'm not 100% sure if the TEST pool will overload.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card