
Network LayOut Question...


franksoprano (Technical User; joined Apr 13, 2002; 249 messages; location: US)
I have the following:

Cable Modem Internet Connection
Pix 501 FireWall
2514 Cisco Router
1924 Catalyst Switch
3 Pc's
1 Risc Server....

I want to be able to access the server from remote locations/web....

How should I set my network up?

Thanks
 
internet--cablemodem--PIX---router----switch---LAN

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks! How will I hang the server onto the Internet?
 
2 ways...

Punch a static NAT mapping through the PIX and PAT through the router.. I actually do this myself.. or the 2nd way that I do it is this:

internet---cablemodem---PIX---HUB---Router---

Notice the hub between the PIX and the router? This makes a poor man's DMZ. On the PIX 501 there are already 4 switchports that you can choose from.

MikeS
 
What about the switch? What do I have to enable on the switch for that?

Also, what would be the difference if I set it up like this: internet--cablemodem--router--switch--pix--pc's
|
|
Server

Thanks Again!
 
The router could be overwhelmed by stuff like a DoS attack. The PIX should be first to provide the majority of filtering and protection. The router behind the PIX would also add a layer of protection by access-lists and such. This is not cast in stone though.. I can just as easily argue the other way and have it be convincing ;-) The only time I can see that you need a router in front of the PIX is when you have a routing protocol like OSPF/BGP being used (the PIX does not talk routing protocols; you can only add static routes). The second time would be when you have a large amount of traffic and you want to split it up before it gets tossed to the PIX and wherever else it's going. If you go to the PIX Forum here, I am sure you can get better advice about this aspect from the PIX experts.

I block whole ranges of IPs after I found a very high number of scans/attacks coming from Korea, so every IP assigned to Korea is blocked. I do not have any business internationally so it's not an issue. I also block all private IPs coming IN to the router from the internet. I know a bank that is only based in CA so they block EVERYTHING overseas.

I'm not sure I understand the question about the switch. You don't need to do a thing for it to work. In order to telnet to it, all you need to do is set up the IP and default gateway.


MikeS
 
Mike, I apologize I wasn't clear in my post, partially due to being up late after working 16 hours :-) .... OK, what I was talking about is:

I have 1 server that I want to be accessible via the internet.. so you recommend laying out the network like this:

internet--cablemodem--pix--router--lan

So do I just plug everything into the switch and handle it all from there software-wise? So I would have to make a rule in the PIX to allow access and an access list through the router to the switch to a specific port/address on the switch?

Thanks!
 
Sorry-- I lost track of this thread [blush]

Yes.. the PIX will do the lion's share of filtering. The router will handle multiple subnets and some fine tuning of what comes in and out. I highly recommend a hub or use the PIX ethernet ports as a cheapo DMZ between the PIX and router.

You will end up with a couple of static NATs. The first NAT will take the incoming packet on the public IP and NAT it to the inside IP range.. this packet then goes to the router and gets NATed yet again but with a static map that points it to a specific IP/port combo.

packet---Globaloverload-outside--PIX--inside---hub---GlobaloverloadE0--Router--StaticNATE1-------Server1

66.55.70.1-PIX-192.168.1.100----192.168.1.101-Router-10.10.10.1---10.10.10.100


Hopefully this stuff will lay out OK when read.

MikeS
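The two-stage static NAT that MikeS sketches above, written out as an added configuration example (editor's example, not Mike's own config or anything posted in the thread). It assumes the addresses in his diagram (66.55.70.1 is the PIX outside interface, 192.168.1.100 the PIX inside, 192.168.1.101/10.10.10.1 the router's E0/E1, 10.10.10.100 the server), that the server is reached over SSH on TCP/22, PIX OS 6.x syntax on the 501 and classic IOS NAT on the 2514; only that one port is ever opened inbound at either hop.

```cisco
! ===== PIX 501 (PIX OS 6.x) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 66.55.70.1 255.255.255.0
ip address inside 192.168.1.100 255.255.255.0
! Outbound "global overload" (PAT): everything inside leaves as 66.55.70.1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! First static NAT: redirect only TCP/22 on the outside address to the
! router's E0 address, which is the next NAT hop (not to the server itself)
static (inside,outside) tcp interface 22 192.168.1.101 22 netmask 255.255.255.255 0 0
! Inbound policy: permit that one port; anything else from outside (lower
! security level) to inside is dropped by the PIX by default
access-list outside_in permit tcp any host 66.55.70.1 eq 22
access-group outside_in in interface outside
! Default route via the cable modem's gateway (placeholder, not from the thread)
route outside 0.0.0.0 0.0.0.0 CABLE_MODEM_GATEWAY 1

! ===== Cisco 2514 router (IOS) =====
interface Ethernet0
 description toward hub / PIX inside (poor man's DMZ)
 ip address 192.168.1.101 255.255.255.0
 ip nat outside
!
interface Ethernet1
 description server LAN (1924 switch)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Second static NAT: 192.168.1.101:22 -> server 10.10.10.100:22 only.
! "extendable" lets the E0 address carry this static map and the PAT below.
ip nat inside source static tcp 10.10.10.100 22 192.168.1.101 22 extendable
! Outbound PAT for the LAN behind the router
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface Ethernet0 overload
! Send everything else to the PIX inside interface
ip route 0.0.0.0 0.0.0.0 192.168.1.100
```

A quick sanity check after applying this is `show xlate` on the PIX and `show ip nat translations` on the router: each should list exactly one static TCP/22 entry, so any other inbound translation appearing there means the forwarding rules are wider than intended.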
 