11-11-2021 04:54 PM
I've been working on configuring an ISR 4321 and I need to allow our Web Server to utilize a Public IP Address from our ISP, say x.x.x.34. I'm not sure where I should assign the Public IP Address. Should I make it the VLAN 3 ip address or the encapsulation .3 IP address, or am I completely wrong? Config below if it helps.
The setup I'm migrating from, an ASA 5505 in combo with a 2801, allowed the static IPs to be configured directly on the ports on the ASA and the VLANs on the 2801, and I'm trying to wrap my head around how it'll look on only the ISR, as I'm new to configuring firewalls. Sorry if I'm not providing enough info to make sense.
WAN IP: x.x.x.200
Web Server/DMZ: x.x.x.34
#show running-config
Building configuration...
Current configuration : 12015 bytes
!
! Last configuration change at 19:07:08 CST Wed Nov 10 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password 7 "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server x.x.x.109 x.x.x.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server x.x.x.110 x.x.x.109
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
!
!
username admin privilege 15 secret 5 "removed"
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Primary WAN
ip address x.x.x.200 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
zone-member security DMZ
!
interface GigabitEthernet0/0/0.4
encapsulation dot1Q 4
zone-member security HBugLAN
!
interface GigabitEthernet0/0/1
description Test WAN
no ip address
shutdown
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE VLAN2
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
zone-member security ROELAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
description HBug VLAN4
switchport access vlan 4
switchport mode access
zone-member security HBugLAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ VLAN3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface Vlan4
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 x.x.x.200
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
!
ip access-list extended Barracuda_acl
permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
permit ip any any
ip access-list extended HBugLANtoDMZ_acl
permit ip any any
ip access-list extended HBugLANtoROELAN_acl
permit ip any any
ip access-list extended HBugLANtoWAN_acl
permit ip any any
ip access-list extended ROELANtoDMZ_acl
permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
permit ip any any
ip access-list extended ROELANtoWAN_acl
permit ip any any
ip access-list extended WANtoChildFindWS_acl
permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 "removed"
login local
length 0
transport input ssh
line vty 5 15
password 7 "removed"
login local
transport input ssh
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
11-12-2021 07:31 AM
Would it be as simple as making the Public IP LAN address assigned to the VLAN interface?