Utilizing Public IP for Web Server on ISR 4321

Zydain
Level 1

I've been working on configuring an ISR 4321 and I need to allow our Web Server to utilize a Public IP Address from our ISP, say x.x.x.34. I'm not sure where I should assign the Public IP Address. Should I make it the VLAN 3 IP address or the encapsulation .3 IP address, or am I completely wrong? Config below if it helps.

The setup I'm migrating from, an ASA 5505 in combo with a 2801, allowed the static IPs to be configured directly on the ports of the ASA and on the VLANs of the 2801. I'm trying to wrap my head around how it'll look on only the ISR, as I'm new to configuring firewalls. Sorry if I'm not providing enough info to make sense.

WAN IP: x.x.x.200
Web Server/DMZ: x.x.x.34

#show running-config
Building configuration...

Current configuration : 12015 bytes
!
! Last configuration change at 19:07:08 CST Wed Nov 10 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password 7 "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server x.x.x.109 x.x.x.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
 network 10.0.0.0 255.0.0.0
 default-router 10.10.10.254
 dns-server x.x.x.110 x.x.x.109
!
ip dhcp pool roedhcp
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool DMZDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 206.166.1.109 206.166.1.110
!
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3425543225
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3425543225
 revocation-check none
 rsakeypair TP-self-signed-3425543225
!
crypto pki certificate chain TP-self-signed-3425543225
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
object-group network Barracuda_dst_net
 host 10.10.10.3
!
object-group service Barracuda_svc
 tcp eq 22
 tcp eq www
 tcp eq 123
 tcp eq 443
 tcp eq 1194
 tcp eq 5120
 tcp range 5121 5129
 udp eq 22
 udp eq 80
 udp eq ntp
 udp eq 443
 udp eq 1194
 udp eq 5120
 udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
 host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
 host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
 host 10.10.10.197
!
object-group service WANtoMailServer_svc
 tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
 host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
 udp eq 1194
!
object-group network WANtoVPNROE_dst_net
 host 192.168.2.50
!
object-group service WANtoVPNROE_svc
 udp eq 1194
!
username admin privilege 15 secret 5 "removed"
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-all DMZtoWAN
 description DMZ outgoing traffic to Internet
 match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
 description HBugLAN outgoing traffic to DMZ
 match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
 description Wan traffic to HBug Open VPN service
 match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
 match protocol http
 match protocol https
class-map type inspect match-all HBugLANtoWAN
 description HBugLAN outgoing traffic to Internet
 match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
 description ROELAN outgoing traffic to DMZ
 match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
 description WAN to VPN Server for ROE
 match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
 description ROELAN outgoing traffic to Internet
 match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
 description HBugLAN outgoing traffic to ROELAN
 match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
 description ROE outgoing traffic to HBugLAN
 match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
 match protocol http
 match protocol https
class-map type inspect match-any Barracuda_app
 match protocol http
 match protocol https
class-map type inspect match-any WANtoMailServer_app
 match protocol pop3
 match protocol smtp
 match protocol http
class-map type inspect match-all WANtoChildFindWS
 description Traffic to Child Find Web Server
 match class-map WANtoChildFindWS_app
 match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
 description Traffic to Mail Server
 match class-map WANtoMailServer_app
 match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
 description WAN traffic to Barracuda
 match class-map Barracuda_app
 match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
 description WAN to HBug website
 match class-map WANtoHBugWS_app
 match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
 class type inspect HBugLANtoROELAN
  drop
 class class-default
  drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
 class type inspect ROELANtoHBugLAN
  drop
 class class-default
  drop log
policy-map type inspect WAN-HBUGLAN-POLICY
 class type inspect Barracuda
  inspect
 class type inspect WANtoVPNHBug
  inspect
 class type inspect WANtoMailServer
  inspect
 class class-default
  drop log
policy-map type inspect ROELAN-WAN-POLICY
 class type inspect ROELANtoWAN
  inspect
 class class-default
  drop log
policy-map type inspect HBUGLAN-WAN-POLICY
 class type inspect HBugLANtoWAN
  inspect
 class class-default
  drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
 class type inspect HBugLANtoDMZ
  inspect
 class class-default
  drop log
policy-map type inspect DMZ-WAN-POLICY
 class type inspect DMZtoWAN
  inspect
 class class-default
  drop log
policy-map type inspect WAN-DMZ-POLICY
 class type inspect WANtoHBugWS
  inspect
 class type inspect WANtoChildFindWS
  inspect
 class class-default
  drop log
policy-map type inspect ROELAN-DMZ-POLICY
 class type inspect ROELANtoDMZ
  inspect
 class class-default
  drop log
policy-map type inspect WAN-ROELAN-POLICY
 class type inspect WANtoVPNROE
  inspect
 class class-default
  drop log
!
zone security WAN
 description Outside (Internet)
zone security HBugLAN
 description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
 description Inside (ROE 192.168.2.x LAN)
zone security DMZ
 description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
 service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
 service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
 service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
 service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
 service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
 service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
 service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
 service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
 service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
 service-policy type inspect WAN-ROELAN-POLICY
!
interface GigabitEthernet0/0/0
 description Primary WAN
 ip address x.x.x.200 255.255.255.248
 ip nat outside
 zone-member security WAN
 speed 100
 negotiation auto
 spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
 encapsulation dot1Q 2
 zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
 encapsulation dot1Q 3
 zone-member security DMZ
!
interface GigabitEthernet0/0/0.4
 encapsulation dot1Q 4
 zone-member security HBugLAN
!
interface GigabitEthernet0/0/1
 description Test WAN
 no ip address
 shutdown
 speed 100
 negotiation auto
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
 description ROE VLAN2
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 zone-member security ROELAN
 spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
 description HBug VLAN4
 switchport access vlan 4
 switchport mode access
 zone-member security HBugLAN
 spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
 shutdown
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
 shutdown
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
 shutdown
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
 shutdown
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
 description DMZ VLAN3
 switchport access vlan 3
 switchport trunk native vlan 3
 switchport mode access
 zone-member security DMZ
 spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
 description DMZ VLAN3
 switchport access vlan 3
 switchport trunk native vlan 3
 switchport mode access
 zone-member security DMZ
 spanning-tree portfast trunk
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security ROELAN
!
interface Vlan3
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 zone-member security DMZ
!
interface Vlan4
 ip address 10.10.10.254 255.0.0.0
 ip nat inside
 zone-member security HBugLAN
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 x.x.x.200
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
ip access-list extended Barracuda_acl
 permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
 permit ip any any
ip access-list extended HBugLANtoDMZ_acl
 permit ip any any
ip access-list extended HBugLANtoROELAN_acl
 permit ip any any
ip access-list extended HBugLANtoWAN_acl
 permit ip any any
ip access-list extended ROELANtoDMZ_acl
 permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
 permit ip any any
ip access-list extended ROELANtoWAN_acl
 permit ip any any
ip access-list extended WANtoChildFindWS_acl
 permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
 permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
 permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
 permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
 permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
 match ip address 197
 set interface GigabitEthernet0/0/0
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 "removed"
 login local
 length 0
 transport input ssh
line vty 5 15
 password 7 "removed"
 login local
 transport input ssh
!
event manager applet 40storeShowTech
 event none sync no maxrun 31536000
 action 001 cli command "enable"
 action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
 action 003 file open TECHFILE bootflash:40sh_tech.txt w+
 action 004 file puts TECHFILE "$_cli_result"
 action 005 file close TECHFILE
!
end
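
One way to give the DMZ web server the public address without moving x.x.x.34 onto Vlan3 or the Gi0/0/0.3 subinterface is a port-restricted static NAT entry on the inside/outside boundary the config already has. This is an added example, not part of the original post or the poster's running config; it assumes the web server is the 192.168.1.100 host that WANtoHBugWS_dst_net already references, and that the ISP routes x.x.x.34 toward the x.x.x.200 WAN address (x.x.x.34 is not inside the x.x.x.200/29 on Gi0/0/0).

```cisco
! Added example (not from the original post). Assumptions: the web server is
! 192.168.1.100 in VLAN 3 / zone DMZ, and the ISP forwards x.x.x.34 to the
! WAN address x.x.x.200 (x.x.x.34 is outside the x.x.x.200/29 on Gi0/0/0).
!
! Vlan3 (192.168.1.254/24, ip nat inside) and Gi0/0/0 (ip nat outside) keep
! their existing addressing. The public address lives only in the NAT table;
! it is not assigned to any interface or subinterface.
!
! Least privilege: translate only TCP 80 and 443 on x.x.x.34 to the DMZ host.
! Any other port on x.x.x.34 has no translation and never reaches the DMZ.
! "extendable" is needed because the same global address is reused for
! more than one static port mapping.
ip nat inside source static tcp 192.168.1.100 80 x.x.x.34 80 extendable
ip nat inside source static tcp 192.168.1.100 443 x.x.x.34 443 extendable
!
! Zone-based firewall: for WAN-to-inside traffic, NAT runs before inspection,
! so the WAN-DMZ class-map keeps matching the inside (post-translation)
! address, exactly as the existing object-group already does. These lines
! are the poster's existing objects repeated for context; nothing changes.
object-group network WANtoHBugWS_dst_net
 host 192.168.1.100
ip access-list extended WANtoHBugWS_acl
 permit ip any object-group WANtoHBugWS_dst_net
class-map type inspect match-all WANtoHBugWS
 match class-map WANtoHBugWS_app
 match access-group name WANtoHBugWS_acl
!
! Verification from enable mode: the two static entries should appear, and
! inbound sessions should show under the WAN-DMZ zone-pair.
! show ip nat translations | include x.x.x.34
! show policy-map type inspect zone-pair WAN-DMZ sessions
```

Connections the server itself originates still PAT to x.x.x.200 through access-list 10; an unrestricted `ip nat inside source static 192.168.1.100 x.x.x.34` is only needed if the server must source traffic as x.x.x.34, and it exposes every port the WAN-DMZ policy permits rather than just 80/443.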


Zydain
Level 1

Would it be as simple as making the Public IP LAN address assigned to the VLAN interface?
