Troubleshooting college lan

drarvindc · ‎09-02-2006

I work in a college and given below are the specifications and questions

we have lease line (256 kbps), modem (keymile lecar), cisco router (cisco 1721), proxy server (winxpsp2 running winproxy v 2.1R2h), Fortinet firewall (fortigate 60).

I face the following problem:

1. Cannot access irc networks (ports seems blocked).

2. cannot access website's or computer's from outside LAN (i.e. from internet).

3. Needs upgrading proxy software, which i think may hold the key to solve the above problems. which proxy software can sort these kind of problems.

4. cannor access router's interface (internal or external ip unknown).

5. Router provider has access to router and they say by default no ports are blocked.

6. Have setup a web server but cant access the public IP assigned to it, as web server is behind proxy, router, fortinet firewall.

7. what is the proxy software used by Internet provider's, I donot face these problems in my dsl connection.

8. cannot ping to broadcast IP from pc in the lan.

9. if i ping google.com then it resolves the ip of google but says request timed out.

10. cannot telnet router from within LAN, but can telnet and access it from outline lan.

11. As i saw and feel that lease line comes to modem, then to router, then to firewall and then to proxy server.

12. I have access to router (telnet) and proxy server (direct access).

Please guide me to sort out the above stated problems. If needed i would provide additional information by asking respective staff or providers.

cisconoval · ‎09-03-2006

Check your Fortigate Firewall whether the traffice are allowed to travell the outside.

It sounds he porblem might be in your Firewall configuration.

drarvindc · ‎09-05-2006

Hi,

sorry for late reply, during setting up i screwed up with settings and my internet was down :p.

Now i put a switch in between router and firewall and have routed the college internet via firewall onto proxy, and got a direct connection from router for my webserver. got the ip assigned to it.

However, i donot wish to bypass firewall due to security reasons and therefore need way to route webserver through firewall.

i am a newbie in these matters given below is the actual configuration for my router and firewall.

Router:

external Ip. 202.141.xxx.xxx

where as firewall uses a private Ip (192.168.1.xx) pattern.

and proxy again uses private ip (192.168.0.xx)

and we dont have a network admin. :P

if i place my webserver behind firewall i dont know what would be the settings.

DMZ seems a option. i do have a DMZ on my firewall. may be i need to read more about DMZ.

dhavaltandel · ‎09-04-2006

Hi

For your question 3

ProxyI is the software feel good to use. But make sure you are havin Internet coneection workin on the proxyserver.

For question 6

Web server do not work behind proxy you have to have assgned it atleast private ip adress range and has to make translation entry in your router.

Can u clerify can you login to router or not...if yes can you paste the sh run here...

regards,

Dhaval Tandel

scottmac · ‎09-04-2006

By default, a firewall will block all ports; each needs to be configured to pass traffic for that service/protocol.

Move the web server to a DMZ and configure the firewall for access ... usually a static NAT is a minimum config.

Internet providers usually don't use proxies. They provide the pipe and (usually by contract) security is the responsibility of the end-user organization.

Given the setup you provide in point 11, the router should be set to filter/drop/ignore all inbound traffic to the LAN interface (by ACL on the LAN interface), unless it comes from the proxy (including pings). Make sure your clients are set to use the proxy.

The proxy probably also needs configuration that establishes what protcols to pass or filter (and log).

Start at the top and work your way back;

configure the router with a course filter to block the basic bad stuff (private IPs on the WAN, ping, etc), configure the firewall for the acceptable traffic to pass, setup the DMZ, move your webserver to the DMZ.

Then move to the proxy and configure acceptable traffic and logging policies.

Configure the DHCP server to provide the correct configuration to the clients for default gateway, proxy, DNS, etc.

Good Luck

Scott

drarvindc · ‎09-07-2006

Thanks for the reply.

I solved the problem. For now i bypassed the proxy and firewall by putting up a switch in between the router and firewall. My firewall has been assigned a private IP and i Think, for my server to have Public IP and at the same time to be behind the firwall also. MY firewall should have public IP too. Please confirm this.

regards

arvind

dhavaltandel · ‎09-08-2006

Hi

The design is okay but better way to put web server is on private ip address. and putting firewall device at front on public ip address provides you better security. By default firewall block all ports you just need to allow your required ports. Additionally to implement server on private ip address range you can go for translation as well for internet browsing too.

regards,

Dhaval Tandel