As a routers newbie, although with some knowledge about switches, I would like to ask some questions about possible solution for my problem.
Any help, advise, or peace of code will be very appreciated.
Basically I would like to add new piece of network to our existing company LAN.
I have available Cisco 1811 router, so it will be great if all this can be achieved with this router.
There are two pics attached:
First is showing planned topology as follows:
ZONE A - ISP internet access, with static IP
ZONE B - network segment needed for guests, with full internet access and nothing else
ZONE C - two public services, accessible from outside
ZONE D - Citrix Secure Gateway server also accessible from outside, BUT connected to ZONE E as well
ZONE E - existing company LAN, we are actually branch office, connected via permanent site-to-site VPN link to our main office, and our users has limited internet access through main office infrastructure
I tried to sketch possible connections of 1811 ports to the rest of network. As I understand fe0 and fe1 are L3 ports, and fe2-fe9 L2. It seems reasonable to connect WAN to one of fe0/fe1, although I am not sure if fe1, as another L3 port, should be connected to our existing LAN, or to something else. Also I tried to divide all devices to some VLANS
Another pic is showing routes which should be enabled by this solution:
The most critical is, of course, connection between CSG and our LAN (red arrow).
Currently ZONE B and C are connected to ISP via cheap D-Link router/modem with only basic packet filtering/firewall.
I suppose I should go to Statefull inspection. although I don't know if it possible for everything. For example License server in Zone C has some fixed ports expecting incoming traffic. Also Citrix CSG and Xenapp server communicate with ICA protocol, for which I don't know if it is supported by Cisco inspect features.
We might call zones C and D as DMZ, although I don't need connection from E to DMZ, but I need connection from DMZ to E.
I also suppose that connection between Citrix CSG and XenApp should be done by trunking. XenApp is on VLAN 101.
Also, I am not sure how NAT/PAT settings should be configured. For example, if we have statefull inspection of FTP traffic, and as we know that FTP traffic begins at port 21, but then dinamically assigned additional ports for data transfer, how "static" PAT can be done ?
As I mentioned any help, or sample code will be really, really appreciated. I spent a week or so, browsing about these topics, but I'm still confused.