Allowing internal subnets access to a protected subnet

jschaber1
Beginner

Hello All,

I asked this question a few days ago. However, after doing some reading/research I might be better able to properly ask for what I am looking for.

In my office I have two subnets, 192.168.100.X and 192.168.111.X. Originally I had two offices; we have since merged into one location. Each of the subnets has a Cisco router: one is an 891, one is a 2901. Each is set up to access the internet on its own. The 2901 is also set up with VLANs for my remaining 9 offices.

In my office I have Linux servers on a separate 192.168.2.X subnet. 192.168.2.4 is our internet server; 192.168.2.6 is our intranet server.

I have a spare 891 router. I would like to be able to redirect traffic in this location directly to the 192.168.2.X subnet. If I understand correctly, I would set each of the subnets 192.168.100.X and 192.168.111.X up as VLANs and assign an address such as 192.168.100.205 and 192.168.111.205 on these subnets.

I would set the 192.168.2.X as the WAN port, assigning it 192.168.2.205?

I would use NAT to direct the traffic?

192.168.100.204 would go to 192.168.2.4

192.168.100.206 would go to 192.168.2.6

192.168.111.204 would go to 192.168.2.4

192.168.111.206 would go to 192.168.2.6

Am I correct, or completely going in the wrong direction? Any help is greatly appreciated.

Thanks

John


Robert Falconer
Beginner

Can you create a quick drawing that shows what you currently have and what you're trying to do?

Hopefully this helps, I have attached a pdf with the basic diagram. Thanks

Jon Marshall
VIP Community Legend

John

So as I understand it using 192.168.100.x as an example you want -

when any 192.168.100.x client sends traffic to 192.168.100.204, that goes to the new router, is translated to 192.168.2.4 and is then sent to the internet server.

And the same for 192.168.100.206 and 192.168.2.6?

If so this may be possible but I need to lab it up.

The issue is that you are going to be translating the same IPs (192.168.2.4 and 192.168.2.6) to two different IPs each and the router may not like that although I seem to remember there is a way to do it.

I am assuming you don't care which interface is inside or outside in relation to NAT on the new 891?

Can you confirm that the above is what you want to do?

Jon

Yes. That is correct. I really would like to be able to do this. Any help is appreciated. Thanks

John,

Why do you need to NAT the traffic that's going to your DMZ servers?

Also, I would be wary of setting things up like this. Your internal networks don't have much protection from your DMZ servers if they are connected directly to that 891, especially if you have to put static routes on them as Jon has mentioned.

I would install the 891 as you've shown and just route all 192.168.2.0 traffic to the protected interface of the firewall. Assuming the firewall can do basic routing, it should be able to correctly route back to subnet C by going through the new 891.

Rob

Rob

That's a very good point about the internal networks and the DMZ servers.

I was so focussed on the NAT side of things I didn't consider that at all.

I also didn't spot that the firewall had an interface in the 192.168.100.x IP subnet, so I assumed the issue was that the 192.168.100.x clients couldn't get to the firewall, but they can, as the router will simply forward the traffic back out of the same interface.

Which is not something I like doing, to be honest, but it could be solved by using a new IP subnet between the router and the firewall if needed.

But anyway, I like your approach a lot better and I'm going to remove my posts on NAT because you are right, it is not the correct thing to do.

Sometimes I get so wrapped up in the details I miss the bigger picture :-)

Jon
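Rob's routing approach (send 192.168.2.0/24 to the firewall's protected interface, no NAT) and Jon's refinement (a dedicated subnet between the 891 and the firewall to avoid hairpinning out of the same interface), written out as an added IOS configuration sketch. This is not configuration from the thread or from either poster; the VLAN IDs, interface names, the firewall's addresses and the 192.168.200.0/30 transit subnet are assumptions.

```cisco
! Added example (not from the thread): the spare 891 routes between the two
! office subnets and hands DMZ-bound traffic to the firewall's protected side.
! No NAT: hosts reach 192.168.2.4 and 192.168.2.6 by their real addresses, so
! the firewall still sees and controls every LAN <-> DMZ flow.
! VLAN IDs, interface names and all firewall-side addresses are assumptions.
!
interface Vlan100
 description Office subnet (formerly office 1)
 ip address 192.168.100.205 255.255.255.0
!
interface Vlan111
 description Office subnet (formerly office 2)
 ip address 192.168.111.205 255.255.255.0
!
! Option A (Rob): the firewall's protected interface stays in 192.168.100.x
! (its address is assumed below). Traffic from 192.168.100.x hosts arrives on
! Vlan100 and is forwarded back out of Vlan100, the hairpin Jon pointed out.
ip route 192.168.2.0 255.255.255.0 192.168.100.1
!
! Option B (Jon): a small transit subnet between router and firewall, so the
! DMZ-bound path never re-uses an office VLAN. Replace the route above with:
!   interface GigabitEthernet0
!    description Link to firewall protected interface
!    ip address 192.168.200.1 255.255.255.252
!   ip route 192.168.2.0 255.255.255.0 192.168.200.2
!
! Return paths the firewall needs (syntax depends on the firewall vendor):
!   option A: 192.168.111.0/24 via 192.168.100.205
!   option B: 192.168.100.0/24 and 192.168.111.0/24 via 192.168.200.1
!
! Hosts keep their existing default gateway (the original 891 or the 2901), so
! that router needs routes for 192.168.2.0/24 and the other office subnet via
! the new 891's .205 address on its VLAN, otherwise every host needs a static
! route of its own.
```

A quick check once it is in place: `show ip route 192.168.2.4` on the new 891 should name the firewall as next hop, and `traceroute 192.168.2.4` from a 192.168.111.x host should pass through .205 and then the firewall, never straight into the DMZ.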

Jon Marshall
VIP Community Legend

edited - see Rob's response

Jon

Jon Marshall
VIP Community Legend

edited - see Rob's response.

Jon

True, additional information probably would be helpful. The firewall is old and is giving me intermittent connectivity issues. I work for a small private non-profit and the Cisco 891 was a resource I had available. Could it be set up to completely replace the firewall?

The use of the 891 depends on your requirements.

I'm pretty sure the 891 can run IOS firewall. A 3 zone setup should be pretty straightforward.

But, it has limitations on throughput since it's a small office device. Depending on the amount of traffic you have on the current firewall, you'll need to determine if an 891 can handle the load. Running security features on routers tends to drop their throughput dramatically.

Have you heard about Meraki, a sort-of recent Cisco purchase? They have a line of security appliances that are very affordable and easy to use. I think the low-end is around $700 and has a pretty good spec. That might be a low-cost option that fits what you need to do.
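The three-zone IOS firewall Rob mentions, as an added zone-based firewall sketch for the 891 (inside, DMZ, outside); this is not configuration from the thread. Interface names, the WAN addressing, the allowed protocols and the assumption that the 891 runs a security-licensed IOS image are all mine.

```cisco
! Added example (not from the thread): three-zone zone-based firewall on the
! 891 if it is to stand in for the ageing firewall. Assumes a security
! (advsecurity/securityk9) IOS image. Interface names, WAN addressing and the
! permitted protocols are assumptions.
!
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
interface Vlan100
 ip address 192.168.100.205 255.255.255.0
 zone-member security INSIDE
interface Vlan111
 ip address 192.168.111.205 255.255.255.0
 zone-member security INSIDE
interface Vlan2
 ip address 192.168.2.205 255.255.255.0
 zone-member security DMZ
interface GigabitEthernet0
 description Internet uplink (addressing assumed)
 ip address dhcp
 zone-member security OUTSIDE
!
! INSIDE -> DMZ: only the two servers on the thread, web ports assumed.
! Stateful inspection admits the replies, so no DMZ -> INSIDE policy exists
! and nothing a DMZ host initiates can reach the office subnets.
ip access-list extended ACL-INSIDE-DMZ
 permit tcp any host 192.168.2.4 eq www 443
 permit tcp any host 192.168.2.6 eq www 443
class-map type inspect match-all CM-INSIDE-DMZ
 match access-group name ACL-INSIDE-DMZ
policy-map type inspect PM-INSIDE-DMZ
 class type inspect CM-INSIDE-DMZ
  inspect
 class class-default
  drop log
zone-pair security INSIDE-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSIDE-DMZ
!
! INSIDE -> OUTSIDE and DMZ -> OUTSIDE: web plus DNS (assumed); anything else dropped and logged.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect PM-TO-OUTSIDE
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-TO-OUTSIDE
zone-pair security DMZ-TO-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PM-TO-OUTSIDE
!
! OUTSIDE -> DMZ for the public-facing internet server only (static NAT to a
! public address would be added here). Traffic between zones with no
! zone-pair, including OUTSIDE -> INSIDE, is dropped by default.
ip access-list extended ACL-OUTSIDE-DMZ
 permit tcp any host 192.168.2.4 eq www 443
class-map type inspect match-all CM-OUTSIDE-DMZ
 match access-group name ACL-OUTSIDE-DMZ
policy-map type inspect PM-OUTSIDE-DMZ
 class type inspect CM-OUTSIDE-DMZ
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-DMZ
```

The `drop log` on each class-default is what makes Rob's throughput caveat visible: `show policy-map type inspect zone-pair` reports per-pair session and drop counters, which is the place to watch before concluding the 891 can carry the office's load.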

Yes, I understand. However, I need to have an interim solution. Any help on setting up the router?

It seems like you are adding a lot of additional complexity to your network to avoid replacing your firewall. How many users approx. are at your location? Is your organization open to using other firewall solutions that run on commodity/whitebox hardware, so that you can actually replace that faulty device?

Jason Dance
Beginner
Agree with Robert, seeing a diagram would be helpful.