How to move server from behind NAT to DMZ?

paul
Level 1

We have a block of IP addresses and have assigned various internet-facing servers public addresses using the following (on a 1760):

ip nat inside source static tcp i.i.i.i port e.e.e.e port extendable

Incoming and outgoing mail works just fine until the mail server reports its name as mail.domain.com but with the public ip of the FastEthernet (NAT) interface. There are reverse dns issues and mail will occasionally be bounced:

Received: from mail.domain.com (unknown [x.x.x.x])
        by mail.domain2.com

(where x.x.x.x is the internet-facing interface of the 1760)

I'd like this to happen:

Received: from mail.domain.com (unknown [e.e.e.e])
        by mail.domain2.com

(where e.e.e.e is the public ip assigned to the mail server)

From what I've read, the mail server should sit in a dmz with its own public ip address but I'm not too sure exactly how to make the change.

Presumably I pick an unused FastEthernet interface, enter "no shutdown" and hang a switch off that... but do I give it an ip address? Do I give the mail server a public ip, does it keep its private ip, does it need a new private ip for the dmz, or both? How does the routing work?

I think I know what to do but am stuck on how to go about it. A prod in the right direction would be very much appreciated.

1 Reply

paddyxdoyle
Level 6

Hi,

I think you are correct in your thinking.

I would create a new private network using an unused FastEthernet interface on your router and hang a switch off this interface for the servers.

You could have one private network for all your DMZ servers and NAT them on your router. You could also have private VLANs configured on this switch, meaning that a server in the DMZ can only communicate with the interface that connects to the router and not any other interface in the same VLAN. This way you could have an access-list on the router stopping internal servers on the DMZ from seeing each other should one of them be compromised.

Another option would be to have multiple VLANs on your switch, say one for each server. You could then trunk these VLANs to your router and create sub interfaces for each VLAN gateway. This allows you to have individual access-lists per VLAN instead of one large access-list for all servers in the DMZ.

Your NAT statements will be similar to what you already have, however they will have different private IPs as allocated from your new network range(s).

HTH

PJD
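A worked router configuration for the layout PJD describes (a new private DMZ range on a spare FastEthernet interface, one VLAN per server trunked to sub-interfaces, a separate access-list per VLAN), added here as an example and not taken from either post; the interface names, VLAN numbers, host addresses and the RFC 5737 documentation addresses standing in for e.e.e.e and the private ranges are all assumptions. It uses a one-to-one static NAT for the mail server so that connections the server opens outbound also leave with its own public address instead of the outside interface's.

```text
! Added example (not from the original posts). Assumptions: FastEthernet0/0 is the
! existing outside interface, FastEthernet0/1 is the spare interface for the DMZ,
! 192.0.2.0/29 stands in for the public block, 10.10.10.0/24 and 10.10.20.0/24 are
! the new DMZ ranges, and the existing inside LAN also lives in 10.0.0.0/8 (all constructed).
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
!
! The DMZ switch uplink is an 802.1Q trunk carrying VLANs 10 (mail) and 20 (web);
! each VLAN gets its own sub-interface, gateway address and access-list.
interface FastEthernet0/1
 description DMZ trunk to switch
 no shutdown
!
interface FastEthernet0/1.10
 description DMZ VLAN 10 - mail server
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group DMZ-MAIL-IN in
 ip nat inside
!
interface FastEthernet0/1.20
 description DMZ VLAN 20 - web server
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group DMZ-WEB-IN in
 ip nat inside
!
! A one-to-one static NAT (no port) translates in both directions, so mail the server
! sends out is seen by the far end as coming from 192.0.2.10 (e.e.e.e), matching its
! reverse DNS. A port-only "static tcp ... extendable" entry does not translate the
! server's own outbound connections, which is why they showed the outside interface IP.
ip nat inside source static 10.10.10.25 192.0.2.10
ip nat inside source static 10.10.20.80 192.0.2.11
!
! Applied inbound on the mail VLAN: a compromised DMZ host can answer sessions opened
! to it, send mail and resolve names, but cannot reach the inside LAN or the other VLAN.
ip access-list extended DMZ-MAIL-IN
 permit tcp host 10.10.10.25 any established
 deny   ip any 10.0.0.0 0.255.255.255 log
 permit tcp host 10.10.10.25 any eq smtp
 permit udp host 10.10.10.25 any eq domain
 deny   ip any any log
!
ip access-list extended DMZ-WEB-IN
 permit tcp host 10.10.20.80 any established
 deny   ip any any log
```

The mail server keeps a private address (10.10.10.25 here) with 10.10.10.1 as its default gateway and never needs the public address configured on it. The access-lists are stateless, so the `established` line is what lets each server answer inbound connections, including those from inside-LAN clients.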
