CISCO C1121-4P DMZ CONFIGURATION

apalacios · ‎08-12-2024

Dear all,

I am configuring a network comosed by the next devices:

- Router Cisco C1121-4P

- Fortigate Firewall

Configuration on the router is the next: One port is confifured by PPOE, the ISP provides automatically the public IP. Another port is configured with an IP on the network 192.168.10.X/24. This network only connect Firewall and router.

If I connect all the devices and I try to navigate on internet, system allows a device to connect to internet.

The problem is when I try to connect form outside to inside, for example, to manage the firewall remotely. Something on the router is disallowing me thsi communication.

I want to ask if anyone knows any command which set router as DMZ router. I am interested on manage the traffic from the firewall, not from the router.

Thank you in advance!

DanielP211 · ‎08-13-2024

Hello!

You will have to setup NAT on the C1121-4P. ISP interface will be nat outside, and the other one nat inside. You will also need a static nat statemet that will translate the public IP to the private IP of the firewall. Let me also note that your design dosen't seem optimal. What is the point of the router if you will direct all traffic only to the firewall? Why wouldn't you connect the firewall directly to the ISP? If you need more detailed configuration I can provide you a template.

BR

****Kindly rate all useful posts*****

apalacios · ‎08-13-2024

Hello!

I have already configured NAT interface as you told. I configured NAT translation as overload NAT translation instead of an static NAT translatios, does it make any difference?

About the network, I also think it is better to connect ISP directly to the firewall, but it is designed by an external person who want to manage it like it. I have same opinion, it is unefficient.

Thank you!

DanielP211 · ‎08-13-2024

If you want to connect to the firewall over the internet/in your case the pppoe link to the https of the forty. You will have to create a PAT - port address translation. Something like this:

ip nat inside source static tcp 192.168.10.XX 8443 PPPOE_IP_ADDRESS 443 extendable

BR

****Kindly rate all useful posts*****

MHM Cisco World · ‎08-14-2024

The big difference between static and dynamic NAT is directional

Static is bidirectional' i.e. you can access from inside to outside and from outside to inside.

Dymanic only use for inside to outside

So as @DanielP211 mentioned ypu need PAT to access FW from Internet

MHM

MHM Cisco World · ‎08-13-2024

can you share the topology

MHM

apalacios · ‎08-13-2024

Hello,

on the shared picture you will be able to see the topology. Sorry for the quality.

MHM Cisco World · ‎08-13-2024

Thanks

MHM

DanielP211 · ‎08-13-2024

FW is not between ISP and router. Its the other way around. The router is inbetween both. So PAT has to be done on the router to access to FW from outside.

BR

****Kindly rate all useful posts*****

MHM Cisco World · ‎08-14-2024

Thanks

MHM

DanielP211 · ‎08-14-2024

The firewall is not connected directly to the ISP. Please refer to the topology image and the description in the initial question.

BR

****Kindly rate all useful posts*****

apalacios · ‎08-26-2024

Then, the options are to configure Dynamic NAT and PAT on the router , or configure only static NAT?

If I am wrong please, correct me. Thank you!