Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Firewall Information for Dummies

First, any help would be greatly appreciated.I have been assigned the task of installing a firewall that involves a few things that I may be unfamiliar with (i.e., PPPoE, or VPNs perhaps). At one location (building), I have a Cisco 1720 router configured as the default gateway for the LAN. Also connected to the LAN is a Netopia R5300 T1 Router (don't ask why Netopia and not Cisco -- politics, I guess) providing the Internet connection (and thence, the default gateway for the 1720). Now, I need to install a firewall somewhere in there. All easy so far. Where I get lost is here: At a remote site, there's a server connected to a cable-modem (i.e., no static IP) that needs to replicate via http with a server that will be behind the new firewall. How would something like this work?

2 REPLIES
Community Member

Re: Firewall Information for Dummies

Hi

well as far as i see, it is a case that can be done with two small commands on the Pix Firewall.

First you have to map the IP address of the server located on the inside network (private addressing) with an global IP address (real IP) using this command:

pix(config)#static (inside,outside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.255

where X.X.X.X is the external IP and Y.Y.Y.Y is the internal IP.

then to make the access to the internal server set only to the http port 80 use the following command:

pix(enable)#conduit permit tcp host X.X.X.X eq 80 any

(watch the "any" at the end of the command, it is because you the server that is connected to the cable modem does not have a static IP)

The only thing left is to introduce the IP address (X.X.X.X) on the server (connected to the cable modem) in order to replicate with him.

Hope that this helps

Wael Dalati

Community Member

Re: Firewall Information for Dummies

Lot of things going on here but let me try...

Is the Netopia provided bythe ISP? Is it DSL? Usually you can interface with the Netopia by coming off a ethernet port of a router or PIX. The 2621 with 2 ethernet will work well. One ethernet is INSIDE and E2 goes to the netopia. That way you can run Cisco commands on the 2621 and it will just send out to netopia. Same with PIX. Hang PIX off the Netopia router with Cross over cable or small switch. Netopia will have to allow all traffic in so if ISP is controlling it.... make sure they are not blocking anything.

Then just allow http in or whatever you need with access list or conduit statements. You can get pretty specific.

On the cable modem end, you will have to worry about Static or Dynamic IP address on outside? So if it is Dynamic.. you must use cross over to another PIX and have a command like "ip address outside dhcp setroute " which will grab a DHCP off the cable modem and set the default route to it whatever the ip address is.

Then if you need to set up VPN find some good documentation on it so you do not have to open HTML ports on the other side. If security is not so important then you do not need VPN just open the html ports for specific IP address from cable modem (if static) or just open it. Maybe to a DMZ?

hope this little helps.

310
Views
0
Helpful
2
Replies
CreatePlease to create content