12-03-2008 07:44 AM - edited 03-06-2019 02:47 AM
Hi All,
I have configured a switchport VLAN on a Cisco router for my DMZ (to host my Exchange 2007 Edge Transport server) below:
!
interface Vlan5
description DMZ VLAN
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
Questions:
1)Is the config correct?
2) How can I make it very secure?
3) Do I need to configure any of my public (isp) ip address on this interface?
Thank you,
law
12-03-2008 08:25 AM
1)Is the config correct?
Depends on the rest of the config, but if you can ping the vlan interface or a device in the vlan from the inside, it's working.
You have an "ip nat inside" statement on the vlan, but you didn't show your nat source statements, so I can only assume they're correct. You can try to get on the internet from your exchange server to see if nat's working correctly.
2) How can I make it very secure?
You would need an acl on your public interface to only allow traffic that you want in, and you would probably want an acl on the vlan only allowing the ports you need out from the exchange server.
3) Do I need to configure any of my public (isp) ip address on this interface?
Not if you're going to be using nat. If you have a public address, you can use static nat for the private address that's assigned to your exchange server.
HTH,
John
*please rate if helpful* It helps the forums.
12-03-2008 08:51 AM
Thanks John,
My NAT source is defined thus:
ip nat inside source list 100 interface Dialer1 overload
!
I can surely get on the internet from the VLAN. Hence the NAT is working.
Can you link me to an example ACL configured for this purpose?
Thanks
12-03-2008 08:59 AM
The acl on the outside interface would be something like:
ip access-list extended PUBLIC
 permit tcp any host 22.22.22.22 eq 25
ip access-list extended VLAN5-Exchange
 permit tcp host 192.168.1.5 any eq 25
!
interface Dialer1
 ip access-group PUBLIC in
interface Vlan5
 ip access-group VLAN5-Exchange in
!
ip nat inside source static tcp 192.168.1.5 25 22.22.22.22 25
OR
ip nat inside source static 192.168.1.5 22.22.22.22
This would tell your router that anything coming in on 22.22.22.22 (the public IP assigned to your dialer) will get translated to 192.168.1.5. If you go with the second static, everything that's incoming on your 22.22.22.22 IP will go to the 192.168.1.5 address, and you would control the traffic that's allowed in by your PUBLIC ACL. If you go with the first, it will only translate that one port (25) to that internal address.
HTH,
John
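The pieces John's answer refers to, assembled into one IOS configuration as an added example (this is not from the original thread). It assumes the Edge Transport server is 192.168.5.10 on Vlan5, the inside LAN is 192.168.1.0/24, the public address 22.22.22.22 (John's placeholder) is routed to the router by the ISP, the WAN interface is Dialer1, and the overload NAT with list 100 from the thread is already in place. Stateful inspection (CBAC) is used so replies to sessions opened from the LAN or the DMZ get back in through the inbound ACL without opening ports by hand.

```cisco
! Added example, not from the original thread. Assumed values: Edge server
! 192.168.5.10, inside LAN 192.168.1.0/24, public address 22.22.22.22 routed
! to this router, WAN on Dialer1, PAT list 100 already configured.
!
! Inspection: dynamic openings for return traffic of outbound sessions
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface Vlan5
 description DMZ VLAN
 ip address 192.168.5.1 255.255.255.0
 ip access-group DMZ-IN in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip nat outside
 ip access-group PUBLIC in
 ip inspect FW out
!
! Inbound from the Internet: only SMTP to the Edge server's public address.
! Everything else is dropped and logged; inspection adds the return traffic.
ip access-list extended PUBLIC
 remark SMTP to the Edge Transport server (translated to 192.168.5.10)
 permit tcp any host 22.22.22.22 eq 25
 deny   ip any any log
!
! Traffic leaving the DMZ (entering the router on Vlan5): the Edge server
! may answer SMTP clients, send mail to the Internet and to the Hub
! Transport on the LAN, and resolve DNS. Nothing else reaches the LAN.
ip access-list extended DMZ-IN
 remark replies from the SMTP service to clients that connected in
 permit tcp host 192.168.5.10 eq 25 any established
 remark outbound SMTP to the Internet and to the internal Hub Transport
 permit tcp host 192.168.5.10 any eq 25
 remark DNS resolution (assumes an external resolver)
 permit udp host 192.168.5.10 any eq 53
 permit tcp host 192.168.5.10 any eq 53
 remark replies to sessions the LAN opens toward the Edge server, e.g.
 remark EdgeSync (LDAPS, TCP 50636) or RDP; ACK/RST set only
 permit tcp host 192.168.5.10 192.168.1.0 0.0.0.255 established
 deny   ip any 192.168.1.0 0.0.0.255 log
 deny   ip any any log
!
! Static NAT for port 25 only; the overload rule on Dialer1 (list 100)
! keeps handling all other outbound traffic from the LAN and the DMZ.
ip nat inside source static tcp 192.168.5.10 25 22.22.22.22 25
!
! If the only public address is the one negotiated on Dialer1 rather than
! a fixed 22.22.22.22, map the port to the interface instead:
! ip nat inside source static tcp 192.168.5.10 25 interface Dialer1 25
```

To check it, send a test message from outside and watch `show ip nat translations` for the 22.22.22.22:25 entry and `show ip access-lists` for hit counts on PUBLIC and DMZ-IN; the `log` keyword on the deny lines makes anything the Edge server tries beyond SMTP and DNS show up in the router log.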
12-03-2008 02:21 PM
Thanks John,
Just to further inform you of my condition below:
1) My dialer is dynamically (negotiated) configured
2) I have range (4) of IP Address from my ISP
Thanks once again