Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
853
Views
0
Helpful
3
Replies

Firewall best practices; securing a cluster

Go to solution
benlemasurier
Level 1
Level 1

‎02-22-2011 09:43 AM - edited ‎03-11-2019 12:54 PM

I'm in the process of setting up a firewall/router for a cluster of servers. I'm looking for suggestions as to what may be the best approach for routing/firewalling.

Currently, each machine has its own external IP address, and its own firewall. I'd like to allow each machine to retain a public IP address, but offload all  access control to the router (2911 ios 15.1/k9). Assuming the datacenter has given me a public subnet, i,e. 172.144.132.32/27 - will I have to re-subnet the block? What is the best approach to take here?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee
In response to benlemasurier

‎02-22-2011 12:36 PM

Hi Ben,

NAT is not required if you already have public IPs that are routable on the Internet. You could use NAT, though, if you didn't want to re-address your servers but still use the public IPs that the data center provided you (I'm assuming the IPs given to you by the data center are different from the ones you said were already assigned to the servers). NAT would let people connect to the addresses the data center gave you, and the router would translate them to the addresses you already assigned to your servers.

-Mike

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎02-22-2011 12:15 PM

Hi Ben,

The most common way to do this would be to configure the servers with a default gateway of the router. This way, all traffic to and from the servers from other networks/subnets will have to pass through the router first, thus allowing you to perform the access control you're looking for.

The most basic form of access control would be to setup simple access-lists on the router to permit/deny traffic. If you want additional firewall features, you would want to use the Zone Based Firewall feature:

https://supportforums.cisco.com/docs/DOC-13507

As for the server's addresses, you don't have to re-address them unless you want to. You can use NAT on the router to translate the addresses between what is assigned to the server and what is provided by the data center.

Hope that helps.

-Mike

0 Helpful

Go to solution
benlemasurier
Level 1
Level 1
In response to mirober2

‎02-22-2011 12:33 PM

Thanks, Mike!

Just to clarify, if I have all traffic pass through the firewall by setting the default gateway to the router, will this require NAT?

Thanks again,

Ben

0 Helpful

Go to solution
mirober2
Cisco Employee
Cisco Employee
In response to benlemasurier

‎02-22-2011 12:36 PM

Hi Ben,

NAT is not required if you already have public IPs that are routable on the Internet. You could use NAT, though, if you didn't want to re-address your servers but still use the public IPs that the data center provided you (I'm assuming the IPs given to you by the data center are different from the ones you said were already assigned to the servers). NAT would let people connect to the addresses the data center gave you, and the router would translate them to the addresses you already assigned to your servers.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card