Router in bridged mode with firewall behind?

stefanotiburzi
Level 1

Hi,

I need advice on the configuration of a customer's network.

They had 1 public IP with a Cisco router. Then they decided to insert a firewall behind the router for VPN, and want to put another public IP on the firewall.

Now I suppose that I need to put the Cisco router in bridged mode, don't I? I have never done this configuration. Could you help me?


10 Replies

Mirza Cutuk
Level 1

What kind of firewall is it?

Why not let it handle everything instead?

Hi,

Why do you want to put the router in bridge mode? What is your idea behind this?

In general, you can leave the router as it is, facing the internet traffic; then behind the router you can put the firewall for your VPN tunnels and even public-facing servers (DMZ).
You can send the default route from the firewall pointing to your internet gateway (this could be your ISP router IP). This is the setup I have for one of my customers.

Please rate the helpful posts.
Regards,
Naidu.

stefanotiburzi
Level 1

Thanks for your answer. The firewall is a Netgear (FVS336Gv2) and the problem is that they purchased it to manage SSL VPN. This kind of firewall creates an SSL VPN portal at the IP address of the WAN interface (e.g. https://10.10.10.10/portal/auth), so the IP address must be public.

So facing this problem, I started to think about putting a public IP address on the firewall WAN, but the router already has a public IP, so the only way is to bridge the router... or not? How can I make the firewall public without modifying today's NAT configuration?

Thanks in advance

BR

It comes down to the type of connection. If it is PPPoE session based, you are forced to use NAT.

So I have to talk with the provider... this is an ADSL line, but I don't know exactly if it is PPPoE or PPPoA... is it possible to see from the router config? Why do I need NAT over PPPoE?

Hi,

You could also do a port forwarding from the Cisco to the Netgear. SSL should be port 443, so if you forward this port to the LAN IP of the Netgear you should be fine. So if you connect from outside to the public IP of the Cisco via SSL, the router should forward this query to the Netgear.

florian

The problem is that if I do a port forwarding on 443, I connect to the firewall at https://192.168.x.x, but I need to forward the connection to https://192.168.x.x/SSLportal.

But both the portal and the GUI are reachable via HTTPS (443); to choose between the two options you just have to enter the right URL in your browser.

If you want to reach the GUI enter https://ip and for the SSL VPN page enter https://ip/portal_name.

On the Netgear a web server is running, reachable via HTTPS. With the URL you can tell the Netgear which site on the web server you want to reach, and as long as port 443 is forwarded to the Netgear you should be fine.

florian 
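The 443 port forward florian describes in his two replies above, written out as a Cisco IOS NAT configuration. This is an added example, not configuration from the thread or from the customer's router; it assumes a Dialer1 interface on which the PPP session from the ATM PVC terminates, GigabitEthernet0/0 as the LAN interface at 192.168.1.1/24, and 192.168.1.2 as the address of the Netgear WAN port (all constructed). The usual PAT line for the LAN is kept so the existing NAT setup does not have to change.

```cisco
! Assumption: Dialer1 carries the PPP session from the ATM PVC (dialer pool 1)
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
!
! Assumption: LAN interface and addresses are constructed for this example
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Dynamic NAT (PAT) for the rest of the LAN, left as it was
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Static port forward: TCP 443 arriving on the public Dialer1 address is
! translated to the Netgear WAN port (192.168.1.2, constructed), port 443.
! Only this single port is exposed; the Netgear's other services stay inside.
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
```

After a client connects from outside to https://public-ip/portal_name, `show ip nat translations` on the router should list the 443 entry with the Netgear address as the inside local host. Two points worth checking on a real deployment: if the router's own `ip http secure-server` is enabled, turn it off or restrict it so the router's management page is not what answers on 443 from the WAN; and since, as florian notes, the same forward makes the Netgear's GUI reachable at https://public-ip, disable remote management on the Netgear's WAN side so only the SSL VPN portal is usable from the internet.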

Often the simplest things are the right ones! That is correct, it works!! Now I have a problem with ActiveX, but that is another thing... thanks a lot

Bye

For Mirza:

From the Cisco router configuration:

interface ATM0/0/0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 2

That means PPPoA, right?
