IP ADDRESS ASSIGNMENT

roberts_g
Level 1

When configuring a router:

1 - Serial Interface connected to ISP fractional T-1

1 - Ethernet Interface connects to hardware firewall

ISP assigns the Serial Interface IP 1.2.3.4/29

ISP gives me a block of public IP addresses 1.2.4.193 - 1.2.4.198

Do I assign the Ethernet Int an address from the block of addresses given

and assign the Firewall Int a different address from the block?

So S0 - 1.2.3.4

E0 - 1.2.4.193

firewall - 1.2.4.194

then the other side of the firewall has a private address.

Currently I do have NAT on the router. I would imagine this would have to come off and NAT go on the firewall.

thanks,

Geo

6 Replies

david.bradley
Level 1

Hi,

That's correct. One address for the internal router interface and one address for the firewall interface.

Depending on your firewall, for example, you could use another address for a direct mapping to an internal email server address and other types.

Dave

Thanks,

Yes, the firewall currently has 3 ports.

1 - Router to Firewall (External)

2 - Trusted - to Switch for Internal LAN

3 - Optional - DMZ (web,email, etc)

Here is my config; the IPs are fake but you get the idea.

Any suggestions? I want to make sure everything is sound before I do it.

Building configuration...

Current configuration : 2778 bytes
!
! Last configuration change at 21:35:20 est Thu Jul 8 2004
!
version 12.1
no service single-slot-reload-enable
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router15
!
logging rate-limit console 10 except errors
enable secret
!
memory-size iomem 25
clock timezone est -5
ip subnet-zero
no ip source-route
no ip gratuitous-arps
no ip finger
no ip domain-lookup
!
no ip bootp server
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
!
!
cns event-service server
!
!
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 172.22.1.15 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 description connected to Internet
 ip address 1.2.3.242 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 13-24
 service-module t1 remote-alarm-enable
!
router rip
 version 2
 passive-interface Serial0
 network 172.22.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 172.22.1.13 3389 1.2.3.242 3389 extendable
ip nat inside source static tcp 172.22.1.13 21 1.2.3.242 21 extendable
ip nat inside source static tcp 172.22.1.13 80 1.2.3.242 80 extendable
ip nat inside source static udp 172.22.1.13 1433 1.2.3.242 1433 extendable
ip nat inside source static tcp 172.22.1.13 1433 1.2.3.242 1433 extendable
ip nat inside source static tcp 172.22.1.12 5631 1.2.3.242 5631 extendable
ip nat inside source static udp 172.22.1.12 5632 1.2.3.242 5632 extendable
ip nat inside source static udp 172.22.1.10 5632 1.2.3.242 5632 extendable
ip nat inside source static tcp 172.22.1.10 5631 1.2.3.242 5631 extendable
ip nat inside source static tcp 172.22.1.156 714 1.2.3.242 714 extendable
ip nat inside source static udp 172.22.1.156 714 1.2.3.242 714 extendable
ip nat inside source static udp 172.22.1.12 3389 1.2.3.242 3389 extendable
ip kerberos source-interface any
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
logging 172.22.1.12
access-list 1 permit 172.22.1.0 0.0.0.255
no cdp run
banner motd ^C
WARNING: Unauthorized access and use of this
network will be vigorously prosecuted. ^C
!
line con 0
 exec-timeout 0 0
 login
 transport input none
line aux 0
 no exec
 exec-timeout 0 1
 login
 transport output none
line vty 0 4
 login
!
no scheduler allocate
end

router15#

Hi,

You want to apply the first address from your block of public IP addresses 1.2.4.193 - 1.2.4.198 to the fa0 interface. Another address from that block should go on the external interface of your firewall.

Then, remove NAT from your router and move the NAT to the firewall.

The existing static nat mappings in the router should be covered by some form of port forwarding on your firewall.

So I change those addresses to be public addresses in the block and just take all the NAT statements out.

Any suggestions on a better router config? Kind of new to it. Just want to make sure it is okay. I'll probably get into ACLs eventually. WEB, FTP, E-MAIL, DNS and terminal server are going in and out.

If you remove the NAT from your router, everything will pass either way; any controls will pass to your firewall.

As for ACLs, I would block RFC 1918 addresses on your s0 interface as a basic anti-spoofing measure... plus I would put an ACL on your VTY line to only allow access from your internal network.

Take a look at this document:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
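Putting the advice from this thread together (one address from the public block on fa0 with NAT removed from the router, an RFC 1918 anti-spoofing ACL inbound on s0, and an access-class on the VTY lines), here is an added IOS configuration fragment; it is not from any of the posts above. The interface names, the 1.2.4.193-1.2.4.198 block and the 172.22.1.0/24 LAN come from the thread; the ACL names and numbers and the choice of .193 for fa0 and .194 for the firewall are my assumptions.

```cisco
! Added example, not from the thread. Assumes the ISP block 1.2.4.193-1.2.4.198
! is 1.2.4.192/29 (mask 255.255.255.248): fa0 takes .193, the firewall's
! external port takes .194 and uses .193 as its default gateway.
! ACL names and numbers are arbitrary choices.
!
! 1. Public address on fa0; NAT leaves the router (each existing
!    "ip nat inside source ..." line is removed with "no" in front of it).
interface FastEthernet0
 description connected to firewall external port
 ip address 1.2.4.193 255.255.255.248
 no ip nat inside
 no ip redirects
 no ip proxy-arp
!
interface Serial0
 no ip nat outside
 ip access-group ANTISPOOF-IN in
!
! 2. Anti-spoofing inbound on s0: packets arriving from the Internet must
!    never carry an RFC 1918, loopback, or one of our own public addresses
!    as their source. Logged so the hits show up on the syslog host.
ip access-list extended ANTISPOOF-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 1.2.4.192 0.0.0.7 any log
 permit ip any any
!
! 3. Management: only the internal LAN may open a session to the VTY lines.
!    If the firewall NATs management traffic, the router sees it sourced from
!    the firewall's external address (.194), so that single host is permitted too.
access-list 10 permit 172.22.1.0 0.0.0.255
access-list 10 permit host 1.2.4.194
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login
```

After applying it, `show access-lists` shows per-entry hit counters, which is the quickest way to confirm that the anti-spoofing entries are actually matching and that legitimate management sessions are not being dropped by list 10.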