Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco 1710 Fine Tuning

I thought that I posted this message once, but I can't find it anywhere.

Here is the configuration:

External IP Internal IP

Cisco1710 --------------- 204.189.x.x ------------ 192.168.1.1

|

|

Proxy Server ------------- 192.168.1.2 ----------- 192.168.0.94

|

|

--------------------------------------------------------------------------

| ............................................... | .............................................. |

Web Server ...................... Mail Server .................... Corporate LAN

How would be the best way to configure this setup to ensure that the only entry from the outside is via the link from the webserver that is based at the domain host and the pages on the internal server, any mail being bounced by the domain host to 'mail.<domain name>.org' port 25, any authorized VPN users, and Outlook Web Access (which is hosted on the mail server).

I have the router setup, but it is locked down so tight that I can't get the desired items through. I have removed the router from the path and set the proxy server back up as the external connection with the 204.289.x.x address. The valid IP ranges to the network have the possible ranges of 98 to 101 with 102 being the gateway provided by the broadband ISP.

If you have an example IOS 12.2 script for this configuration, I would be ecstatic. You may post it or e-mail it to me at 'joeburns@callageek.com'.

Thank you,

Joe Burns, President

CompuGeek, L.L.C.

1 REPLY
Silver

Re: Cisco 1710 Fine Tuning

I'm not sure what role the proxy server is playing. You could remove it altogether and instead use NAT on the 1710. The setup would then be something like the one below

internet/Outside

|

|

|

1710

|

|

|

|

Corporate LAN

1) The 1710 could be your VPN tunnel endpoint

2) The devices on the corporate lan and all servers available to users from the outside could use private addresses and use NAT/PAT while going outside.

3) Configure static NAT for servers (mail/web) thus allowing users to access them from the outside.

4) Configure access lists to control access. Do not allow outside users to have access to devices on the corporate lan which you want to secure; Allow users to access the public/web/mail server but harden your configuration to secure it against attacks.

95
Views
0
Helpful
1
Replies
CreatePlease login to create content