
Cisco/Check Point Infrastructure Design 5


JoeBloggssss (IS-IT--Management), Jan 21, 2005, GB
Hi,

I am starting out in the field of secure infrastructure design. Could someone please give me details of the best practice setup of the network. In particular,

    Intranet ----> FW-1 ----> Cisco Router
                     |
                     |
                    DMZ

What I am trying to understand is, if I wanted to implement NAT on the FW-1, do I give it a public address, and would I also give the servers in the DMZ requiring external access public IPs and then use static translations? Do I give the router IPs on both serial 0 and fa0, and would you get two separate ranges? I am looking for a step-by-step design and IOS commands. I am new to this and just need to get a mental picture of the design.

Thanks for your time and help.


Christopher McGill
CCNA, MCP
 
The firewall would generally have private RFC1918 addresses on its internal and DMZ ports so hosts on those networks would have addresses within those networks.

The external address of the firewall would have a live IP address and you would set up NAT on the firewall for the internal objects: 'hide' NAT for outgoing connections that require no inbound connections and 'static' NAT for servers that require inbound connections (mail, web, FTP etc.).

The router would have a live address on its LAN port to talk to the firewall and the WAN side could be a /30 link or maybe an unnumbered link, depending on how the WAN connection was implemented.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi Chris

I did a bit more research.

I found that BT and C&W ISPs give you a different IP address for the router than the block you order for your servers in the DMZ (i.e. web/ftp/mail). I have got this layout in my mind.


       Public IP                   Public IP Range Allocated
    Router -----------------> Firewall ------ DMZ 172.16
                                 |
                                 |
                            Intranet 192.168

The Firewall will have Hide NAT for Intranet hosts using the firewall's external IP, and use static NAT for the DMZ servers, with a public IP translation for each.

How does this sound?



 
That sounds good. Generally you would be allocated a /30 for the link between your router and the ISP core router and then a range to use for your firewall/servers. So, for example, you may have a /29 or /28 range where the first usable address would be the FastEthernet port on the router (this is the default gw for the firewall), the second would be the firewall's external address (used for hide NAT connections) and then what is left over can be used for static NAT for servers.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
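The router side of the layout Chris describes (a /30 to the ISP, the allocated /28 on the FastEthernet port, all NAT done on the firewall), written out as an added IOS configuration example. This is not configuration from the thread or from either poster; the addresses are constructed from the RFC 5737 documentation ranges (203.0.113.0/30 for the link, 203.0.113.16/28 for the allocated block) and the interface names Serial0/0 and FastEthernet0/0 are assumed. Substitute the ISP-assigned values.

```ios
! Added example, not from the original thread. Constructed addressing:
!   WAN link        203.0.113.0/30   (ISP core .1, our router .2)
!   Allocated block 203.0.113.16/28  (usable .17 - .30)
!   .17 = router FastEthernet (default gw for the firewall)
!   .18 = firewall external interface (hide NAT address)
!   .19 - .30 = static NAT addresses for DMZ servers, owned by FW-1
hostname EDGE-RTR
!
interface Serial0/0
 description /30 point-to-point link to ISP core router
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
!
interface FastEthernet0/0
 description Outside segment shared with the firewall (first usable of the /28)
 ip address 203.0.113.17 255.255.255.240
 no ip proxy-arp
 no ip redirects
!
! No NAT on the router in this design: the firewall hides 192.168/16 behind .18
! and answers ARP (proxy ARP) for the static NAT addresses .19 - .30 on this segment.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Ingress filter on the WAN link: drop packets claiming to come from private
! space or from our own block, which should never arrive from the ISP side.
ip access-list extended WAN-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.16 0.0.0.15 any
 permit ip any any
!
end
```

On the FW-1 side this corresponds to an external interface of 203.0.113.18/28 with default gateway .17, a hide NAT rule translating 192.168.0.0/16 to .18, and one static NAT rule per DMZ server (172.16.x.y to one of .19 through .30). With the static NAT addresses in the same /28 as the router's FastEthernet port, the router needs no extra static routes; it ARPs for .19 to .30 on the shared segment and the firewall answers.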
 
Chris,

I am currently doing CCSA. I notice you already have it. I have CCSE and CCSE course material, also the Syngress Nokia book, etc., if any of this is useful. I always like to share. I work for a Cisco Gold Partner, so if you want any Cisco software, online resources, give me a shout. :)

I am impressed with the default options in NAT Global Properties, handle routing and static MAC entry generation, saving time and energy.
 
ChrisMcGill2001,

You can have private IP addresses on all interfaces of the firewall. This means RFC1918 IP addresses on the EXTERNAL interface of the firewall as well. If your ISP only gives a /28 block of public IP addresses, dividing that up further would not make sense. That would eat up public IP addresses unnecessarily.

This is what I would do if I have a block of /28 public addresses:

1) Assign ALL /28 static IPs to the router interface facing the ISP router.
2) Assign private IP addresses on both the inside interface of the router and the firewall.
3) Do static NAT and "hide" NAT (Cisco calls this PAT) on the router.
4) Implement policy on the firewall to allow inbound/outbound traffic, based on your company's requirements.

In this implementation, the router will handle NAT/PAT. The firewall does nothing but packet inspection. If you want to implement VPN on the firewall, you can "static" NAT the firewall external interface on the router. You can even do "PAT" from router to firewall for VPN as well. Either way, you can terminate VPN (site-to-site or remote access) on either the router (vpnclient) or the firewall (secureremote/client).

The reason I like this implementation is that later on, if you decide to run some type of routing protocol over an IPSec tunnel, this is the way to do it. For example, later on you want to connect via site-to-site VPN between your corp office and the remote office, but you don't manage the remote office whenever a new network is added on the other side. The perfect way to do this is running OSPF inside a GRE tunnel and encrypting all this via IPSec. This design is the way to go.

On the other hand, forget about what I just proposed if your router is not at least a Cisco 2600 with 64MB RAM and 16MB Flash. In that case, it is better to let the firewall handle everything and have the router just handle routing.

wireless
CCSE-NG Plus,
CCNP, CCSP
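The router-does-NAT design wireless describes, written out as an added IOS configuration example. It is not configuration from the thread or from the poster; the addresses are constructed (203.0.113.0/30 for the ISP link, 203.0.113.16/28 as the block the ISP routes to the router, 192.168.254.0/30 as the private transit segment between router and firewall, 172.16.1.0/24 for the DMZ) and the interface names, server addresses and ACL/pool names are assumptions. "Hide" NAT in Check Point terms is `overload` (PAT) in IOS; each DMZ server that must accept inbound connections gets a static translation, and a further static translation exposes the firewall's private external interface so it can terminate VPN.

```ios
! Added example, not from the original thread. Constructed addressing:
!   WAN link                 203.0.113.0/30   (ISP .1, our router .2)
!   Public block routed to us 203.0.113.16/28 (.18 = PAT address, .19+ = statics)
!   Router <-> firewall      192.168.254.0/30 (router .1, firewall external .2)
!   Intranet 192.168.0.0/16, DMZ 172.16.0.0/16 sit behind the firewall
hostname EDGE-RTR
!
interface Serial0/0
 description /30 link to ISP; the /28 block is routed to us over this link
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Private transit segment to the firewall external interface
 ip address 192.168.254.1 255.255.255.252
 ip nat inside
!
! Inside networks allowed to leave via PAT (all of intranet and DMZ)
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.255.255
 permit 172.16.0.0 0.0.255.255
!
! "Hide" NAT: every outbound connection is translated to the single address .18
ip nat pool PAT-POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240
ip nat inside source list NAT-INSIDE pool PAT-POOL overload
!
! Static NAT for DMZ servers that must accept inbound connections
! (assumed hosts: 172.16.1.10 = web, 172.16.1.11 = mail)
ip nat inside source static 172.16.1.10 203.0.113.19
ip nat inside source static 172.16.1.11 203.0.113.20
!
! Static NAT for the firewall's own external interface so VPN can terminate on it
ip nat inside source static 192.168.254.2 203.0.113.21
!
! Routing: default to the ISP, private networks reached via the firewall
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.0.0 255.255.0.0 192.168.254.2
ip route 172.16.0.0 255.255.0.0 192.168.254.2
!
end
```

Two things to check after applying this. `show ip nat translations` should show the static entries immediately and the PAT entries as hosts connect; if a DMZ server's public address is never translated, confirm the ISP really routes the /28 toward the /30 link rather than expecting it on a directly connected segment. Also note that the firewall now only ever sees private addresses, so its logs record 192.168.254.2 or the internal host, never the public address; keep the router's NAT configuration alongside the firewall logs when tracing an inbound connection back to a host.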
 
Hi,

Thanks for the design insight. I appreciate you sharing your experience. One of the reasons I wanted to implement NAT on the firewall was to tie in ISS RealSecure IDS, which is OPSEC certified, and have it alter the NAT rule base if alerts are trapped and block internal hosts. I know Cisco's IDS has a similar capability with routers.
 