10-01-2004 04:37 AM - edited 02-20-2020 11:39 PM
Hello all,
I'm trying to validate my configuration before going live and would appreciate if anyone could take a look and make recommendations.
I would like to accomplish the following:
1. Any external user connects to the DMZ web server on port 80 (though ultimately 443 will be used); the DMZ web server makes a connection to Oracle (SQL*Net), which sends packets and should be able to receive the replies back.
2. SMTP connections come in through a public address to a DMZ box, which in turn sends the message to an internal (inside interface) SMTP box for delivery.
3. Remote workers may connect to a public IP (204.50.125.138 in the example) on port 443, which will then allow a connection into the inside interface to connect to an internal web server (not a good idea, but I'm working with what I have).
4. I would like to pretty much allow all packets routed from a higher security level (100) to route out the outside interface without being blocked and receive replies back. Do I have it set up correctly?
5. Support VPN users connecting to the inside network via the Cisco Secure VPN client.
I've attached my config (with entries changed to protect the innocent). Any feedback would be appreciated!
10-04-2004 09:01 AM
Feedback config:
1.) Never publish public IPs in your config examples.
2.) You used a VPN IP pool that has the same range as the internal interface. This works but might give problems in routing. I usually use another IP range for that.
3.) Everything else looks good. Instead of this:
static (inside,dmz) tcp 10.20.x.y smtp 192.168.0.z smtp netmask 255.255.255.255 0 0
you could use a NAT 0 or a static for the whole network, so that no translation occurs for any inside-to-DMZ or web interface traffic. But it should work like that too.
Sincerely,
Patrick
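The two alternatives Patrick mentions, written out as an added PIX 6.x example (not the original poster's attached config): the inside and DMZ networks, the SMTP relay and the internal mail host are constructed placeholder addresses, and the ACL names are made up for the example.

```cisco
! Constructed addressing for this example (not from the thread):
!   inside network  10.20.0.0/24,  internal SMTP host 10.20.0.25
!   DMZ network     192.168.0.0/24, DMZ SMTP relay    192.168.0.50
!
! Option A: identity static for the whole inside network toward the DMZ.
! Inside hosts keep their real addresses when seen from the DMZ, so the
! per-port "static (inside,dmz) tcp ... smtp" lines are no longer needed.
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.255.0 0 0
!
! Option B: NAT exemption (nat 0 with an access-list) for inside<->DMZ.
! With an access-list, the exemption applies to connections started from
! either side, so the DMZ relay can reach the internal mail host.
access-list inside_nonat permit ip 10.20.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
!
! Either option makes every inside host addressable from the DMZ, so the
! inbound ACL on the DMZ interface is what actually limits exposure:
! allow only the relay to the internal SMTP host on tcp/25, deny the rest.
access-list dmz_in permit tcp host 192.168.0.50 host 10.20.0.25 eq smtp
access-list dmz_in deny ip 192.168.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

Use one of the two options, not both; the `static` form also shows up in `show xlate` as a permanent translation, which can help when troubleshooting the DMZ-to-inside mail path.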
10-04-2004 11:49 AM
Patrick - Thanks for the reply. I've changed the VPN Pool which should also help with security if I choose to place more restrictive rights on it in the future. Thanks for the tip.