Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

chrisinternet
Level 1

Hi,

I'm a new Network admin, and I have some configuration questions about my installation (see attachment).

I have 3 web servers behind a router.

Public interface: 3 public IP addresses

Private interface: router-on-a-stick config (3 sub-interfaces, 3 different networks, 3 VLANs)

I would like to know the best way to redirect HTTP traffic to the right server.

My idea is to map each public address to a private address via NAT, but I'm not sure about the configuration. I could also redirect via policy-map and filter by URL content.

So if you have some advice for this case, it would be really appreciated.

 

Thank you.

 

Chris.

 

 

Accepted Solution

fogemarttt
Level 1

Hello Christophe,

As I understand it, you want, first, that if somebody goes to A.local.com from the internet, he is redirected to 192.168.1.10 in your internal network.

That means you need a static mapping between your public IP address and your local IP address.

For this example, your local interface is Fa0/0.1; I don't know your public interface because it is not mentioned in your diagram, so I will assume S0/0 for the public interface.

That is the config for Web Server 1. You can do the same with the remaining servers:

 

interface fa0/0.1
 ip nat inside
!
interface serial0/0
 ip nat outside
!
! static mapping from local to public
ip nat inside source static 192.168.1.10 172.1.2.3

I suppose you have done the DNS mapping in your network and the ISP has done the same in his network.

! a static route needs a mask; the public address is 172.1.2.3, as in the NAT statement above
ip route 172.1.2.3 255.255.255.255 serial0/0

or

ip route 0.0.0.0 0.0.0.0 serial0/0

After these steps for each web server, you will have the mapping.

 

Now you can restrict access to this IP to only the HTTP or HTTPS protocol, at your ISP and then on your local network,

like:

ip access-list extended ACL_WebServer1
 remark "eq www" is a TCP port match, so the protocol must be tcp, and a single address needs the host keyword
 permit tcp any host 192.168.1.10 eq www
 permit tcp any host 192.168.1.10 eq 443
 deny ip any host 192.168.1.10
 exit
!
interface fa0/0.1
 ! applied outbound on the inside sub-interface: by this point traffic toward the server has already been translated to 192.168.1.10
 ip access-group ACL_WebServer1 out
 no shut
 exit
!

 

That is the first step.

Second step: you want to filter traffic by URL, which means layer 5 to 7 filtering.

I am not sure that it is possible using a Cisco router with ZBF + regex.

Check the first step and let us know!

Please rate and mark as correct if it is the case.

 

Regards,

3 Replies


Hi fogemarttt,

Thank you for your help.

It works nicely for the NAT, but I need to change my configuration, because I can't filter URLs with my router. I'll probably keep static NAT with ACLs only and put firewalls on the servers.

Hi Christophe,

You are most welcome; let us know if you have problems with your firewall configuration or design.

Regards,
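As an added example (not part of fogemarttt's post or Chris's actual setup), here is what the static-NAT-plus-ACL design from the thread looks like for all three servers, with the filter placed inbound on the outside interface, where packets are still untranslated, so it matches the public addresses. Assumed values, not from the diagram: VLANs 10/20/30, router addresses 192.168.x.1, second and third servers 192.168.2.10 and 192.168.3.10, public addresses 172.1.2.4 and 172.1.2.5, and a /29 on Serial0/0 with router address 172.1.2.2 and ISP next hop 172.1.2.1 (placeholders).

```cisco
! Added example, not the poster's config. Assumed values: public /29 on
! Serial0/0 (router 172.1.2.2, ISP next hop 172.1.2.1), public addresses
! 172.1.2.3-.5, servers 192.168.1.10/.2.10/.3.10 on VLANs 10/20/30.
!
! Filter on the OUTSIDE interface, inbound. The ACL is checked before
! outside-to-inside NAT, so it must match the public (pre-NAT) addresses.
ip access-list extended ACL_FROM_INTERNET
 remark only HTTP/HTTPS may reach the three web servers
 permit tcp any host 172.1.2.3 eq www
 permit tcp any host 172.1.2.3 eq 443
 permit tcp any host 172.1.2.4 eq www
 permit tcp any host 172.1.2.4 eq 443
 permit tcp any host 172.1.2.5 eq www
 permit tcp any host 172.1.2.5 eq 443
 remark stateless allowance for replies to connections the servers open
 remark (updates, DNS); a stateful firewall (ZBF) is the better option
 permit tcp any any established
 permit udp any eq domain any
!
interface Serial0/0
 ip address 172.1.2.2 255.255.255.248
 ip nat outside
 ip access-group ACL_FROM_INTERNET in
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
! One-to-one static NAT: one public address per server
ip nat inside source static 192.168.1.10 172.1.2.3
ip nat inside source static 192.168.2.10 172.1.2.4
ip nat inside source static 192.168.3.10 172.1.2.5
!
ip route 0.0.0.0 0.0.0.0 172.1.2.1
```

Everything not listed in the ACL hits its implicit deny, so a port opened on a server by mistake is still unreachable from the internet; `show ip nat translations` and `show ip access-lists` show the mappings and the per-line hit counters.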

 
