05-12-2008 02:30 AM - edited 03-03-2019 09:54 PM
I believe my scenario is far more complicated than I thought it was.
I've more than one IP range (VLANs), starting from 192.168.1.x to 20.x, including the 101.x and 200.x too. Another subnet is 10.10.1.x with a vlan9 tag.
The 192.168.1.x is the server range and needs access for fetching mail etc., hence the leased line will be used by this subnet. Some users might want to connect from outside to the mail servers.
All other subnets will be using the (83.x.x.195) Adsl1 router for web access, except vlan9, which is 10.10.1.x and will be using the (83.x.x.196) Adsl2 router.
Another thing: I'm using another VLAN (vlan22) to aggregate and connect the three routers to the firewall. Will it make sense not to use or waste any of my global IPs on this VLAN?
Some info:
Internal IP 192.168.x.x/24 (for all vlans)
users with IP 192.168.x.x using first ADSL
users with IP 10.10.1.x using second ADSL
servers with IP 192.168.1.x using Leased Line
Core Switch IP: 192.168.101.1
Firewall IP inside 192.168.101.2
Firewall IP outside 83.x.x.194
Leased Line assigned IP: 83.x.x.192 255.255.255.240
LeasedLine router IP: 83.x.x.193
ADSL router IP: 83.x.x.195 (do I need NAT of 83.x.x.192 to this ADSL int?)
ADSL router IP: 83.x.x.196 (do I need NAT of 83.x.x.192 to this one too?)
-=-=-=-=-=-=-=-=-=-=-=-=-
Firewall config
-=-=-=-=-=-=-=-=-=-=-=-=-
ip address inside 192.168.101.2 255.255.255.0
ip address outside 83.x.x.194 255.255.255.240
global (outside) 1 interface
global (outside) 10 83.x.x.197
global (outside) 20 83.x.x.198
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 10 192.168.0.0 255.255.0.0
nat (inside) 20 10.10.1.0 255.255.255.0
static (inside,outside) tcp 83.x.x.199 smtp 192.168.1.206 smtp netmask 255.255.255.0
static (inside,outside) tcp 83.x.x.200 https 192.168.1.206 https netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 83.x.x.193 1
In the config above, I've devised a static NAT for the email server; will it work for the teleworker to connect to mail? Do I also need to change something on the access list, like the one below?
access-list acl_out permit tcp any host 83.x.x.199 eq smtp
access-list acl_out permit tcp any host 83.x.x.199 eq www
access-list acl_out permit tcp any host 83.x.x.199 eq https
access-list acl_out permit tcp any host 83.x.x.199 eq 3389
access-list acl_out permit icmp any any
Other than that, do I need to have routes to all inside VLANs (I'm not sure why I need it :-P ), like the one below:
route inside 192.168.x.0 255.255.255.0 192.168.101.1 1
-=-=-=-=-=-=-=-=-=-=-=-=-
I think I might not need to configure anything on the ADSL routers; only the leased line router might do the trick. If yes, then is this config enough to do the tasks I want it to do?
-=-=-=-=-=-=-=
Router with leased line
-=-=-=-=-=-=-=-=-=-=-=-=-
The router interface is configured for policy based routing.
interface FastEthernet0/0
ip address 83.x.x.193 255.255.255.240
ip policy route-map adsl
ip route 0.0.0.0 0.0.0.0 Serial0
ip access-list extended ADSL-list1
permit ip host 83.x.x.197 any
ip access-list extended ADSL-list2
permit ip host 83.x.x.198 any
Other than the access list, the route map is as follows.
route-map adsl permit 10
match ip address ADSL-list1
set ip next-hop 83.x.x.195
route-map adsl permit 20
match ip address ADSL-list2
set ip next-hop 83.x.x.196
route-map adsl permit 30
set default interface Serial0
-=-=-=-=-=-=-=-=-=-=-=-=-
Now the question is, what did I miss, and will it work?
P.S.: I haven't tried this configuration yet. Just need confirmation that this is the right way to do it.
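An added example, not part of this thread, showing how the server-VLAN part of the PIX config from the post above can be written so that only the server subnet is translated out of the leased line, the host statics use a /32 mask, and the outside ACL opens only the ports that actually have a translation. It assumes PIX 6.x syntax and reuses the placeholder addresses from the post.

```cisco
! Added example (not from the thread): only the server VLAN is translated
! through the PIX; the two ADSL-routed VLANs get no NAT entries here.
global (outside) 10 83.x.x.197
nat (inside) 10 192.168.1.0 255.255.255.0

! Port statics for the mail server: a single-host static uses a /32 netmask,
! not the /24 from the original post.
static (inside,outside) tcp 83.x.x.199 smtp 192.168.1.206 smtp netmask 255.255.255.255
static (inside,outside) tcp 83.x.x.200 https 192.168.1.206 https netmask 255.255.255.255

! Outside ACL: permit only what has a translation. Entries for ports with no
! static (www and 3389 on .199 in the original) match nothing, and
! "icmp any any" is wider than the mail service needs.
access-list acl_out permit tcp any host 83.x.x.199 eq smtp
access-list acl_out permit tcp any host 83.x.x.200 eq https
access-group acl_out in interface outside

! Default route to the leased-line router, plus an inside route so the PIX
! can reach the server VLAN behind the core switch (192.168.101.1).
route outside 0.0.0.0 0.0.0.0 83.x.x.193 1
route inside 192.168.1.0 255.255.255.0 192.168.101.1 1
```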
05-13-2008 12:37 AM
First, let us start with the firewall:
I don't think that we need these commands:
global (outside) 1 interface
global (outside) 20 83.x.x.198
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 20 10.10.1.0 255.255.255.0
because these commands do NATting for something we don't need to pass through the firewall. We need the firewall only for the servers VLAN, and instead of these commands that do NATting for all VLANs
global (outside) 10 83.x.x.197
nat (inside) 10 192.168.0.0 255.255.0.0
we can do it for only the servers VLAN:
global (outside) 10 83.x.x.197
nat (inside) 10 192.168.1.0 255.255.255.0
About the access list: if you only use this server, 83.x.x.200, then it is enough, but you are using this server too: 83.x.x.200, so you need the same access list for this server.
Also, you don't have to put routes to all VLANs because the firewall is only for the servers VLAN, but if you did that it is OK; you will not lose anything :D
==============================================
You don't have to change anything in the ADSL router if the servers of the servers VLAN are routed to the LL route, but if not, I think you have to do something to enforce that the servers VLAN traffic goes to the LL route when this traffic goes to the ADSL router.
But let us try to go the easier way, "which is the same as the last way but without missing anything, because I believe in it", and that is by putting static IPs for the servers. But here we have to change the default gateway of the servers in the server VLAN to the internal firewall interface, and that must be done after you change the internal IP address to something that agrees with the servers VLAN, and don't forget to change the VLAN access mode in the switch that is connected to that interface :D
By doing that you will force the servers to take the PIX firewall route, which is the LL route.
==============================================
So let us say that now the traffic has arrived at the PIX; then the PIX applies the NATting rules to it and routes it to the LL router.
So now let us check the LL router:
First, I don't think that you have to put a policy route map on the outside interface, because by using the last configuration the only traffic that will arrive at it is the servers VLAN traffic, so you only have to route it to outside and route the incoming traffic on the inside interface back to the firewall,
because the firewall is just allowing the servers VLAN traffic to pass through it and forbids the others, and the LL router is behind the firewall, I think :D
So you have to add back routes:
ip route 83.x.x.199 255.255.255.255 83.x.x.194
ip route 83.x.x.200 255.255.255.255 83.x.x.194
So after that we don't need any access list or route map for the LL route; I think they are useless /:)
-------------------------------------------
05-15-2008 01:07 AM
Thanks Bassel for the input, but as I discussed with you earlier, the scenario is different and won't work that way. There is a switch in between the firewall and the routers. I believe this should work.
I also hope that experts from this forum might give a prompt reply on the issue.