tssiva
asked on
Small ISP network Configuration
Hi All,
I need your help to resolve this network setup for a client.
Here is the current configuration:
1). Windows 2000 & Windows 2003 Servers in a server farm of 18 machines.
2). Dedicated T1 connectivity with a class "C" address space.
3). 2 domain controllers running windows 2000 with active directory integrated DNS with 7 member servers, and 2 domain controllers running windows 2003 with active directory integratged DNS with 7 members servers.
4). Domain controllers with integrated active directory based DNS act as the primary and secondary name servers for the hosted domains.
5). Member servers are running IIS,SQL and Mail. Each member server is multihomed with dedicated ip address for each domain hosted under the network.
6). They have some partnered companies that access their servers to updated application specific data, so they need remote desktop access to these servers time to time.
I have been asked to take care of this network and implement a firewall solution for it asap since they are experiencing network issues time to time. Past management people purchased a pix firewall 506E, but they never able to implement it.
Here are my questions;
1). If i were to move the existing network inside the Pix interface then, all address will be changed to private address and i can setup the pix to provide the NAT translation.
Thus, a public class 'c' address as 201.20.20.1 will translated to 10.20.20.1. If i do this, all the members server and domain controllers ip address will be changed to private address, since it's active directory integrated, that would change the DNS zones to point to private address and people in the internet will not be able to access it ? Can you apply DNS doctoring on this ? If so how would you setup that in the pix 506E. I am asking this based on what i read on this site.
2). What is the best recommended network design model for a similar network ?
3). Is PIX 506E is enough for this ?
4). Implementing VPN solution for partner access ?
5). What is the based way to migrate this to new network model with no down time ?
Since i am new to Cisco Pix products, it would be helpfull if you can provide more information as possible on the possible network designs and configurations !
If you have any questions, please kindly ask me, and i will clear up with much information as i can.
Thanks.
Siva.
I need your help to resolve this network setup for a client.
Here is the current configuration:
1). Windows 2000 & Windows 2003 Servers in a server farm of 18 machines.
2). Dedicated T1 connectivity with a class "C" address space.
3). 2 domain controllers running windows 2000 with active directory integrated DNS with 7 member servers, and 2 domain controllers running windows 2003 with active directory integratged DNS with 7 members servers.
4). Domain controllers with integrated active directory based DNS act as the primary and secondary name servers for the hosted domains.
5). Member servers are running IIS,SQL and Mail. Each member server is multihomed with dedicated ip address for each domain hosted under the network.
6). They have some partnered companies that access their servers to updated application specific data, so they need remote desktop access to these servers time to time.
I have been asked to take care of this network and implement a firewall solution for it asap since they are experiencing network issues time to time. Past management people purchased a pix firewall 506E, but they never able to implement it.
Here are my questions;
1). If i were to move the existing network inside the Pix interface then, all address will be changed to private address and i can setup the pix to provide the NAT translation.
Thus, a public class 'c' address as 201.20.20.1 will translated to 10.20.20.1. If i do this, all the members server and domain controllers ip address will be changed to private address, since it's active directory integrated, that would change the DNS zones to point to private address and people in the internet will not be able to access it ? Can you apply DNS doctoring on this ? If so how would you setup that in the pix 506E. I am asking this based on what i read on this site.
2). What is the best recommended network design model for a similar network ?
3). Is PIX 506E is enough for this ?
4). Implementing VPN solution for partner access ?
5). What is the based way to migrate this to new network model with no down time ?
Since i am new to Cisco Pix products, it would be helpfull if you can provide more information as possible on the possible network designs and configurations !
If you have any questions, please kindly ask me, and i will clear up with much information as i can.
Thanks.
Siva.
ASKER
Hi Cooledit,
Here are answers to your questions;
1). 255 public address ( entire class c address space )
2). There are two different companies, so each company used 2 domain cotrollers and 7 member servers.
Yes they all belong to the same subnet. Hosted clients don't have remote desktop access, only with partnered companies, according to them there two companies that managed the content of the web site. DNS server will shared for the hosted companies. Hosted site will have only access to www, email and sql database.
Here is a sample diagram
T1 connection ----> Swtich ---> Server Farm A
---> Server Farm B
Server Farm A
----------------- Domain: ABC.COM
1). Primary Active Directory Controller ip: 201.20.20.5
2) Secondary Active Direcotry Contoller ip: 201.20.20.6
3,4,5,6,7). Webserver - multihomed with each domain with unique ip
ex: aaa.com ---->201.20.20.100
aab.com---->201.20.20.101
* some of these web server running sql server.
8). Mail server - 201.20.20.12
All DNS for the sites hosted in the server 3 to 8 are hosted in 1,2.
Server Farm B
----------------- Domain: XYZ.COM
1). Primary Active Directory controller with active directory integraded DNS ip: 201.20.20.25
2). Secondary Active Directory controller with active direcotry integrated DNS ip: 201.20.20.26
3,4,5,6) Web servers multihomed with each domain with unique ip
ex: xxx.com -->201.20.20.201
xxy.com -->201.20.20.202
7,8). Mail Servers ip: 201.20.20.32, 201.20.20.33
All DNS for these sites are hosted in servers 3 to 6 are hosted in 1,2.
Now, extendting or changing this network based on recommandations with a Pix Firewall ?
So it will be some thing like this ?
201.20.20.x 10.20.20.x
T1 ---> Pix ---> switch --- > Server Farm A
--- > Server Farm B
How would this effect the integrateded active directory DNS ? Can we do DNS doctoring on the pix to make it work ? I am bit confused about this, and need a good solution that can be easily upgraded with minimum down time ? I hope this helps !
Here are answers to your questions;
1). 255 public address ( entire class c address space )
2). There are two different companies, so each company used 2 domain cotrollers and 7 member servers.
Yes they all belong to the same subnet. Hosted clients don't have remote desktop access, only with partnered companies, according to them there two companies that managed the content of the web site. DNS server will shared for the hosted companies. Hosted site will have only access to www, email and sql database.
Here is a sample diagram
T1 connection ----> Swtich ---> Server Farm A
---> Server Farm B
Server Farm A
----------------- Domain: ABC.COM
1). Primary Active Directory Controller ip: 201.20.20.5
2) Secondary Active Direcotry Contoller ip: 201.20.20.6
3,4,5,6,7). Webserver - multihomed with each domain with unique ip
ex: aaa.com ---->201.20.20.100
aab.com---->201.20.20.101
* some of these web server running sql server.
8). Mail server - 201.20.20.12
All DNS for the sites hosted in the server 3 to 8 are hosted in 1,2.
Server Farm B
----------------- Domain: XYZ.COM
1). Primary Active Directory controller with active directory integraded DNS ip: 201.20.20.25
2). Secondary Active Directory controller with active direcotry integrated DNS ip: 201.20.20.26
3,4,5,6) Web servers multihomed with each domain with unique ip
ex: xxx.com -->201.20.20.201
xxy.com -->201.20.20.202
7,8). Mail Servers ip: 201.20.20.32, 201.20.20.33
All DNS for these sites are hosted in servers 3 to 6 are hosted in 1,2.
Now, extendting or changing this network based on recommandations with a Pix Firewall ?
So it will be some thing like this ?
201.20.20.x 10.20.20.x
T1 ---> Pix ---> switch --- > Server Farm A
--- > Server Farm B
How would this effect the integrateded active directory DNS ? Can we do DNS doctoring on the pix to make it work ? I am bit confused about this, and need a good solution that can be easily upgraded with minimum down time ? I hope this helps !
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Dawilliams, Thanks for the info. How would you congfigure the PIX 506E ?
Would you use the web interface or the console approach ?
Since i am new to this i would really appricate a detailed step approch to doing setup 1 ?
Thanks.
Would you use the web interface or the console approach ?
Since i am new to this i would really appricate a detailed step approch to doing setup 1 ?
Thanks.
telnet or ssh , the pdm usually breaks more than it fixes
I could help you configure the pix you mentioned the pix was not implemented is it online at all?
first step would be to configure the pix off line
if its online send along what is configured already and we'll look at it
from the command line type " sh ru"
then "sh ver"
paste the results
if its not online set it up and use the terminal cable from the host pc use hyperterminal or telnet into it and then do the commands above and paste the results
you dont have to plug ant ethernet cable to it just the terminal cable for now.
I could help you configure the pix you mentioned the pix was not implemented is it online at all?
first step would be to configure the pix off line
if its online send along what is configured already and we'll look at it
from the command line type " sh ru"
then "sh ver"
paste the results
if its not online set it up and use the terminal cable from the host pc use hyperterminal or telnet into it and then do the commands above and paste the results
you dont have to plug ant ethernet cable to it just the terminal cable for now.
ASKER
Ok,
I have added the pix into one of the free ip and set it up through the PDM. Since i am learning i want to see how it works.
Here is the output;
==========================
pixfirewall# sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
pixfirewall up 3 mins 8 secs
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0014.6a66.e26d, irq 10
1: ethernet1: address is 0014.6a66.e26e, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 809222482 (0x303bc152)
Running Activation Key: 0xc1d5856a 0x74d099b0 0x59d93f14 0x61a3086e
Configuration has not been modified since last system restart.
pixfirewall#
pixfirewall# sh ip
System IP Addresses:
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
Current IP Addresses:
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
pixfirewall# sh ur
Ambiguous command. Please enter more characters.
pixfirewall# sh ru
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 219.147.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.25
dhcpd dns 219.147.10.10 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
pixfirewall#
==========================
I haven't added any access rules or anything. Just put a external address and assigned a internal subnet, i was able to access the internet, that's all. If you can help with a config that would allow the above requirement would be nice. Also if you can provide me a step by step approach, i can try lean each configuration settings.
Thanks for you help.
Siva.
I have added the pix into one of the free ip and set it up through the PDM. Since i am learning i want to see how it works.
Here is the output;
==========================
pixfirewall# sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
pixfirewall up 3 mins 8 secs
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0014.6a66.e26d, irq 10
1: ethernet1: address is 0014.6a66.e26e, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 809222482 (0x303bc152)
Running Activation Key: 0xc1d5856a 0x74d099b0 0x59d93f14 0x61a3086e
Configuration has not been modified since last system restart.
pixfirewall#
pixfirewall# sh ip
System IP Addresses:
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
Current IP Addresses:
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
pixfirewall# sh ur
Ambiguous command. Please enter more characters.
pixfirewall# sh ru
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.147.10.22 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 219.147.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.25
dhcpd dns 219.147.10.10 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
pixfirewall#
==========================
I haven't added any access rules or anything. Just put a external address and assigned a internal subnet, i was able to access the internet, that's all. If you can help with a config that would allow the above requirement would be nice. Also if you can provide me a step by step approach, i can try lean each configuration settings.
Thanks for you help.
Siva.
ASKER
One more question, i do have a cisco support package service contract for this. I believe it's the basic one. Should need to upgrade the OS on the pix to 7.1 ? If so how would i do that ?
Thanks
Siva.S.
Thanks
Siva.S.
To be honest I'm not sure What differences there are but updateting is a matter of downloading a file and running the proper command , if you plan on updating to the 7.1 I suggest you do that first before we configure it then we'll work on the access rules.
ASKER
Ok, But i don't think i am going to do that. Since it requires me to upgrade the memory to atleast 64MB. Let's get this working then i can ask them to fund for new Pix 515E.
Siva.S
Siva.S
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00805f060b.html#wp37875
check this link out your pix is not supported .
check this link out your pix is not supported .
ASKER
Ok, thanks for the info. I talk to the managment, but said can't afford to get a Pix 515E rightaway, so i have to use this for a while. Can you please provide me the setup to configure this device ?
Thanks
Siva.S.
Thanks
Siva.S.
Lets start with this
Do you have a dhcp server set up to handle the new 10.x.x.x. addresses and also you mentioned the servers have outside ips is this correct
this is what you could do do get the outside mapped to the inside if your sticking with the 10.20.20.x scheme
static (inside,outside) 201.20.20.32 10.20.20.32 netmask 255.255.255.255 0 0
this would allow web access
access-list outside_access_in permit tcp any host 201.20.20.32 eq www
this would alow rdp to the specific pc
access-list outside_access_in permit tcp 201.20.20.32 255.255.255.0 host x.x.x.x eq 3389
where x.x.x.x could be the wan ip address of a partner
Do you have a dhcp server set up to handle the new 10.x.x.x. addresses and also you mentioned the servers have outside ips is this correct
this is what you could do do get the outside mapped to the inside if your sticking with the 10.20.20.x scheme
static (inside,outside) 201.20.20.32 10.20.20.32 netmask 255.255.255.255 0 0
this would allow web access
access-list outside_access_in permit tcp any host 201.20.20.32 eq www
this would alow rdp to the specific pc
access-list outside_access_in permit tcp 201.20.20.32 255.255.255.0 host x.x.x.x eq 3389
where x.x.x.x could be the wan ip address of a partner
I would suggest the following scenario to you.
1. How many public IP addresses do you have ? Specify
2. How many different companies is at that specific location.
These servers you are mentioning are they all belonging to the same Subnet "company". Are all the hosted companies allowed to browse the whoile network "Security" issues. do you want to share a DNS server to all hosted companies inside.
If the internal companie's is not allowed to browse inside the doamin do people need to access these servers remote as you described.
I think in some way we need to make a network diagram of what your goals are and the objectivies.
Cooledit