
Protecting a public IP server that's not NATed

Kudetauk77
Level 1

Hi All 

 

I have been given requirements by our IT staff that they need to configure a server with a public IP address. This would not have a NAT. Can anyone explain if it's possible to protect this server behind our firewall? As this will be on the public-facing VLAN, I am not sure I can

 

Thanks 

 

Craig 

4 Replies

gbekmezi-DD
Level 5
By default, the firewall will not permit traffic from the outside to an inside network so the server will be protected unless you explicitly permit traffic to it. Additionally, if you are using FTD, you will be able to make use of the IPS to detect and potentially stop other malicious activity.

Hi, thanks for the input,

But the public IP is already outside the firewall on the public-facing VLAN (same VLAN as the outside interface of the firewall), then it's already in front as it's not NATed. So traffic would hit it directly... I think

Have you considered a DMZ?

BB


mkazam001
Level 3

Here's a generic config for allowing access from the Internet to a DMZ web server on port 80:

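! Public (mapped) address that Internet clients connect to
object network WEBSVR-EXT
 host 100.1.1.10
! Real address of the web server in the DMZ, with static PAT for tcp/80
object network websvr-int
 host 172.16.0.10
 nat (dmz,outside) static WEBSVR-EXT service tcp 80 80
! Permit inbound HTTP; the ACL references the real-address object
access-list OUTSIDE-IN extended permit tcp any object websvr-int eq 80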

Access to the server is controlled on the last line above.

Useful to run packet tracer to verify config too.

Hope that helps!

Azam
