04-17-2004 02:56 PM - edited 03-02-2019 03:04 PM
Hello All:
I need to put a firewall up behind a 2621 router on a line which will be running several web and mail servers. I'm just starting out with Cisco routers, so I want to make sure the config is good.
Thanks in Advance
The Firewall Network Config:
LAN IP - 10.0.2.250
WAN IP - 63.138.226.130
GW - 63.138.226.129
Router config:
Current configuration : 2032 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EMSI-2621
!
logging queue-limit 100
enable secret xxxxx
enable password xxxx
!
ip subnet-zero
interface FastEthernet0/0
 ip address 10.0.2.100 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description NETZOA T1
 ip address 63.148.x.x 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 no cdp enable
!
interface FastEthernet0/1
 description Firewall WAN
 ip address 63.148.x.x 255.255.255.192
 ip route-cache same-interface
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
router rip
 version 2
 network 10.0.0.0
!
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
04-17-2004 06:01 PM
Why would you have your LAN segment connected to the router in front of the FW rather than behind the FW?
Hope this helps,
04-18-2004 02:05 AM
Router - Firewall - LAN, what's the problem with that?
04-18-2004 03:32 AM
Hello,
the config looks ok, as far as I can see. I assume you want to create a DMZ in your setup, with the firewall put behind, and not in front of, the router?
Regards,
Georg
04-18-2004 04:34 AM
Thanks, that's the idea. The reason I posted is that I did a test of this yesterday and ran into a strange issue: I was able to ping the web server and mail server behind the firewall, but could not access web pages from outside, nor could I connect to port 25 on the mail server.
I figured it was rules on the firewall, but that wasn't it. The rules are pretty straightforward: allow WAN to LAN, ports 80 and 25 to their respective servers.
Couldn't figure out the issue.
04-18-2004 06:28 AM
Are you pinging from outside of the firewall? If so, did your rules allow pings to the servers? Test your rules on the firewall by turning all rules off, i.e. disabling the firewall and allowing all traffic.
You might want to give the config of the firewall.
04-18-2004 07:03 AM
The DMZ would normally be connected to the FW, not the external router, right? I'm also intrigued by the fact that he is running RIP on that DMZ. Who are we running RIP with?
My 2 cents,
04-18-2004 07:01 AM
What is Fa0/0 then? That is the part that I'm worrying about.
04-18-2004 07:13 AM
FA0/0 was just a matter of convenience for me so I could connect via telnet to the router. From everyone's point of view, I'm gathering that the config looks functional and the issue sits with the firewall.
Is this safe to assume? As mentioned in the first post, I'm no router expert by any stretch, so I'm sure there are things in the config that could be cleaned up. I'm just trying to make sure it is not the router causing the issues. That's what I know the least about.
04-18-2004 07:48 AM
It might be a typo: the IP addresses of the firewall and the router are not on the same subnet.
Firewall: 63.138.226.130
Router: 63.148.226.129.
Please confirm or correct.
Do we assume that the rip configuration is for you to be able to telnet into the router?
04-18-2004 09:34 AM
Yes to both questions; I just noticed the .138, which should be .148.
04-19-2004 10:16 AM
As previously mentioned, just check your typo regarding 138 & 148. If all you have your LAN tap for is simple telnet access, you can potentially be better off just using a static route and curbing the use of RIP altogether. Since it's simply just one network you're broadcasting, it can be pointless to do so when a simple route statement can be inserted into the routing table.
Also, if you cannot access the web server from external->DMZ, I'm assuming you're using an ACL and labeling your DMZ to be, say, port fe0/1, etc. In which case just check your source and destination regarding the actual ACL. It sounds like you're just blocking the ports. You can do maybe:
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
! everything not listed is dropped by the implicit deny at the end of the list
! go to the external interface in config t and apply it inbound:
Router(config-if)# ip access-group 101 in
If you have your bases covered routing-wise to your DMZ port and the subsequent servers on it, you should then be able to get the traffic over to the server you need. Otherwise you still may have to potentially address getting a packet on a certain port coming ingress on your external port to your DMZ port to a specific server that is providing, say, SMTP or HTTP. I'm assuming that may possibly be your issue since I did not see any ACL portion (I'm assuming that's not your complete config you posted; if it is, then please let us know).
--j2
04-19-2004 10:31 AM
So to continue a little bit:
Let's say you have your DNS pointing your web site and MX over to
63.138.226.130
This will have your packets coming across as follows:
63.138.226.130:80 for HTTP
63.138.226.130:25 for SMTP
Let's say internally your web server is 10.1.205.2
And your SMTP server is 10.1.205.3
So you still have to get traffic over those ports ingress to the appropriate IP's internally either on your LAN segment, or your DMZ.
I'm not sure if you know how to do so, so I'll mention that you can just use port forwarding on this one to get the packets where you need them to be:
ip nat inside source static tcp 10.1.205.2 80 63.138.226.130 80
ip nat inside source static tcp 10.1.205.3 25 63.138.226.130 25
!NOTE!! you must label your external and internal ports as:
Router(config-if)# ip nat outside    ! on the external interface
Router(config-if)# ip nat inside     ! on the internal interface
After that you will definitely want to try running some traffic and monitoring the status of the NAT with a "show ip nat translations".
Hope this helps, and best of luck on your config!
--j2
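A complete version of the port-forwarding setup j2 sketches above, as an added example rather than anything posted in the thread. It assumes the router itself does the NAT (the original poster says the firewall does), that Serial0/0 faces the ISP and FastEthernet0/0 the server segment, that the ISP routes 63.148.226.130 to this router, and it reuses j2's hypothetical server addresses 10.1.205.2 and 10.1.205.3. The point it adds: IOS evaluates an inbound ACL on the outside interface before the outside-to-inside NAT step, so the ACL entries must name the public address, not the servers' private ones.

```cisco
! Added example, not from the thread. Interface roles, addresses and the
! decision to NAT on the router are assumptions; adjust to your topology.
interface Serial0/0
 description ISP-facing (outside)
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description server segment (inside)
 ip nat inside
!
! Static port forwarding: only TCP/80 and TCP/25 of the public address are
! mapped, each to its own inside host. Other ports have no translation.
ip nat inside source static tcp 10.1.205.2 80 63.148.226.130 80
ip nat inside source static tcp 10.1.205.3 25 63.148.226.130 25
!
! Inbound ACL on the outside interface. It is matched before the packet is
! untranslated, so it permits traffic to the public address, not 10.1.205.x.
ip access-list extended OUTSIDE-IN
 permit tcp any host 63.148.226.130 eq 80
 permit tcp any host 63.148.226.130 eq 25
 remark replies to TCP connections the servers open themselves
 permit tcp any any established
 remark UDP replies (e.g. DNS for the mail server) need stateful inspection (CBAC "ip inspect") instead
 deny ip any any log
!
! Verify after sending some traffic:
!   show ip nat translations
!   show ip access-lists OUTSIDE-IN
```

The `established` line only covers TCP replies; a mail server that resolves MX records needs UDP/53 answers back in, which on a 12.2 router with the firewall feature set is what `ip inspect` is for.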
04-19-2004 01:16 PM
Thanks - that's the complete config. I have no ACLs on the router itself, letting the firewall take care of it. I'm also NATting from the firewall instead of the router.
So I have FA0/0 63.148.226.129 to my WAN port on the FW (63.148.226.130). Naturally I have the LAN port on the FW to the switch.
I have this same setup on a different router and it's working fine. Can't figure this one out. I haven't tried again since the post, so I'll take all of this in and see what's what.
In the very basic sense though, I cannot see why this simple config didn't work.
04-20-2004 04:08 AM
I guess you would also need a reverse route on the router pointing to the firewall for traffic from outside to access the LAN.
-Sai.
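The three things the replies converged on (the 63.138/63.148 subnet typo, RIP advertising one network to nobody, and a LAN that is both behind the firewall and directly on the router) are all visible in the config text itself. The following is an added example, not code from the thread: a small checker that parses an IOS running-config the way the one above is laid out and reports those conditions, plus the `ip http server` exposure. The sample config is constructed from the first post, with the host octets the poster masked as `x.x` filled in with hypothetical values so the addresses parse.

```python
"""Check an IOS config for the issues raised in the thread (added example)."""
import ipaddress
import re

# Constructed from the posted config; 63.148.0.2 on Serial0/0 is a hypothetical
# stand-in for the masked address, the rest is as posted (with FA0/1 = .129/26).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.2.100 255.255.255.0
interface Serial0/0
 description NETZOA T1
 ip address 63.148.0.2 255.255.255.252
interface FastEthernet0/1
 description Firewall WAN
 ip address 63.148.226.129 255.255.255.192
router rip
 version 2
 network 10.0.0.0
ip http server
ip route 0.0.0.0 0.0.0.0 Serial0/0
"""

STANZA = re.compile(r"^(?:interface\s+(\S+)|router\s+rip)\b", re.I)
GLOBAL = re.compile(r"^ip (route|http)\b", re.I)


def parse_config(text):
    """Pull interfaces, RIP networks, static routes and the global commands the
    checks need out of a running-config. Sub-commands are assigned to the last
    stanza opened, so a config pasted without indentation still parses."""
    interfaces = {}      # name -> IPv4Interface
    rip_networks = []    # 'network' statements under 'router rip'
    static_routes = []   # (IPv4Network, next hop or exit interface)
    global_cmds = set()
    section = None       # ("interface", name) or ("rip",)
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        m = STANZA.match(s)
        if m:
            section = ("interface", m.group(1)) if m.group(1) else ("rip",)
            continue
        if GLOBAL.match(s):
            section = None
            m = re.match(r"ip route\s+(\S+)\s+(\S+)\s+(\S+)", s, re.I)
            if m:
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
                static_routes.append((net, m.group(3)))
            else:
                global_cmds.add(s.lower())
            continue
        if section and section[0] == "interface":
            m = re.match(r"ip address\s+(\S+)\s+(\S+)", s, re.I)
            if m:
                interfaces[section[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif section and section[0] == "rip":
            m = re.match(r"network\s+(\S+)", s, re.I)
            if m:
                rip_networks.append(m.group(1))
    return interfaces, rip_networks, static_routes, global_cmds


def check(config_text, fw_wan, fw_gateway, lan_net):
    """Return [(code, message)] for a firewall hanging off this router.
    fw_wan/fw_gateway: the firewall's WAN address and its default gateway;
    lan_net: the network the firewall is meant to protect."""
    interfaces, rip_networks, static_routes, global_cmds = parse_config(config_text)
    wan = ipaddress.IPv4Address(fw_wan)
    gw = ipaddress.IPv4Address(fw_gateway)
    lan = ipaddress.IPv4Network(lan_net)
    findings = []

    # 1. The firewall's gateway must be a router interface address, and the WAN
    #    address must sit in that interface's subnet (the .138 vs .148 typo).
    gw_iface = next((n for n, i in interfaces.items() if i.ip == gw), None)
    if gw_iface is None:
        findings.append(("SUBNET", f"gateway {gw} is not an address of any router interface"))
    elif wan not in interfaces[gw_iface].network:
        findings.append(("SUBNET", f"firewall WAN {wan} is outside {interfaces[gw_iface].network} on {gw_iface}"))

    # 2. A protected LAN that is also directly connected to the router can be
    #    reached, and can reply, without ever crossing the firewall.
    connected = [n for n, i in interfaces.items() if lan.subnet_of(i.network)]
    if connected:
        findings.append(("BYPASS", f"{lan} is directly connected on {connected[0]}; traffic can bypass the firewall"))
    elif not any(lan.subnet_of(net) and hop == str(wan) for net, hop in static_routes):
        findings.append(("NOROUTE", f"no route to {lan} via {wan}; add 'ip route {lan.network_address} {lan.netmask} {wan}'"))

    # 3. One advertised network and no RIP peer: a static route does the same
    #    job without broadcasting the internal prefix onto the wire.
    if rip_networks:
        findings.append(("RIP", f"RIP advertises {', '.join(rip_networks)} with nobody to listen; use a static route"))

    # 4. An HTTP management server on an internet-facing router is exposure for nothing.
    if "ip http server" in global_cmds:
        findings.append(("HTTP", "ip http server is enabled; disable it or restrict it with an ACL"))
    return findings


if __name__ == "__main__":
    for label, wan_ip, gw_ip in (("as posted", "63.138.226.130", "63.138.226.129"),
                                 ("typo fixed", "63.148.226.130", "63.148.226.129")):
        print(label)
        for code, msg in check(SAMPLE_CONFIG, wan_ip, gw_ip, "10.0.2.0/24"):
            print(f"  {code}: {msg}")
```

Run as posted, it reports the subnet mismatch, the bypass via FA0/0, RIP and the HTTP server; with the firewall addresses corrected only the last three remain. Feeding it a DMZ prefix that is not directly connected (j2's 10.1.205.0/24, for instance) switches the bypass finding to the missing reverse route Sai mentions, and adding `ip route 10.1.205.0 255.255.255.0 63.148.226.130` clears it.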