T1 Network Configuration

OK... We are upgrading to a T1 from cable with 1 static IP address. We now have 8 public IP addresses.
This is the hardware I already have to work with:

Cisco Pix 506E
1 2003 Exchange server as a member server
1 2003 standard server as the DC
We also have 2 dvrs that will need to be on the public network for remote viewing.

lvcgAsked:

calvinetterCommented:
PIX only supports ethernet connections, so your ISP would need to be "handing off ethernet" to your PIX via a router/bridge unit (such as an Adtran) or a router with a T1 card & an ethernet LAN interface to connect to your PIX.
  What specifically are you needing help with? The T1 part of it, setting up port forwarding to your servers/DVRs or both?

cheers
lrmooreCommented:
For your T1 connection, you're going to need a T1 CSU/DSU and a router.
Suggest either a Cisco 1800 series with WIC1-DSU-T1V2, or Adtran 3200 with T1 DSU
One of these will sit outside your PIX FW to terminate the T1. Alternative is to have the Telco provide the router and DSU.

How do you do public viewing of the DVRs? Via IP connection? Streaming? Other?
lvcgAuthor Commented:
They have provided the Adtran and the ethernet portion. I guess the question is the safest way to set this up. Right now I can plug the Adtran into the ethernet switch and set up any device with any of the 8 IP addresses, but I am worried about plugging the Adtran into my switch for security reasons.

This is what I am thinking...

I do not have a managed switch for VLANs, so I am thinking about a standalone switch for the public IP addresses, placing the PIX between the switch with the public IPs and another switch on the private side of the PIX to secure the internal network, and then plugging in my DVR, which can reside on the public switch?

Is this a secure method? If so, should I also place the Exchange server on the private side and just open the appropriate ports for Exchange?
lrmooreCommented:
Yes, that is the most logical configuration.
switch -- pix -- switch --
If you know what ports/protocols the DVR uses, it too can be behind the PIX with a static 1-1 NAT and you won't need that extra switch. Just use a crossover cable between the Adtran Ethernet port and your PIX outside.
Yes, bring everything you can behind the PIX and only open the required ports.
calvinetterCommented:
Agree w/ lrmoore - it's best to keep everything (incl Exchange) protected behind the PIX, & a crossover cable directly between the Adtran & PIX will avoid anything being plugged in outside the PIX.  Sounds as if this is a new PIX install?  If so, below is an example for a basic setup, incl port forwarding for Exchange & DVRs.

  We'll assume the following for the sake of our example:
public IP block: 77.1.1.x 255.255.255.248 (valid IPs: .1-.6)
ISP default gateway: 77.1.1.1
LAN behind PIX: 192.168.3.x 255.255.255.0
Exchange: 192.168.3.10 (to be accessed via 77.1.1.3)
DVR-1: 192.168.3.11  (to be accessed via 77.1.1.4 on TCP port 80)
DVR-2: 192.168.3.12  (to be accessed via 77.1.1.5 on TCP port 80)

  Run this on the PIX:
no fixup protocol smtp 25  <- must have this for Exchange to work properly
ip address outside 77.1.1.2 255.255.255.248
ip address inside 192.168.3.1 255.255.255.0  <- default gateway for Exchange & other inside hosts
route outside 0 0 77.1.1.1
static (inside,outside) 77.1.1.3 192.168.3.10
static (inside,outside) 77.1.1.4 192.168.3.11
static (inside,outside) 77.1.1.5 192.168.3.12
nat (inside) 1 0 0
global (outside) 1 interface
access-list inbound permit icmp any any echo-reply  <- so outbound pings work; optional but great to have
access-list inbound permit tcp any host 77.1.1.3 eq 25
access-list inbound permit tcp any host 77.1.1.3 eq 110  <- if allowing POP3 to Exchange
access-list inbound permit tcp any host 77.1.1.3 eq 143  <- if allowing IMAP to Exchange
access-list inbound permit tcp any host 77.1.1.3 eq 443  <- if using OWA via https
access-list inbound permit tcp any host 77.1.1.4 eq 80    <- access to DVR-1
access-list inbound permit tcp any host 77.1.1.5 eq 80    <- access to DVR-2
access-group inbound in interface outside
clear xlate
write mem

You'll control what port(s) are open to the DVRs & Exchange by modifying the 'inbound' ACL; modify or add lines as needed, then re-apply the ACL to the interface after making changes:
   access-group inbound in interface outside
If you still need help with the PIX config, post your current complete but "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, don't mask private IPs like 10.x.x.x, 192.168.x.x, etc).

cheers
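The two answers above make the same security point: put every host behind the PIX, map each public IP to one inside host with a `static`, and let the 'inbound' ACL be the only thing that decides which ports are reachable. The script below is an added example (not code from this thread, from Cisco, or from any vendor) that reads a PIX 6.x-style config in the format posted above, resolves each permitted inbound service through the static 1-1 NAT table, and reports the mistakes a reviewer would want caught before `write mem`: a permit to `any` destination, a permit to a public IP that has no static behind it (the traffic is silently dropped, usually a typo), a host with every port open, a port-25 permit without the `no fixup protocol smtp 25` line the answer calls out, and a static that nothing is permitted to. It only understands the handful of commands used in the answer; `SAMPLE_CONFIG` is the posted config and `BAD_CONFIG` is a constructed config with deliberate mistakes.

```python
"""Audit a PIX 6.x-style config: resolve static 1-1 NAT to inside hosts and
list what the inbound ACL really exposes.

Added example for the thread above; not code from the thread, from Cisco,
or from any project.  It parses only the subset of PIX syntax used in the
answer (`static (inside,outside)`, `access-list ... permit|deny`,
`access-group ... in interface`, `no fixup protocol`).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) "
                    r"(any|host \S+)(?: eq (\S+))?(?: (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


@dataclass
class AclEntry:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]          # None = every port (tcp/udp) or n/a (icmp)


@dataclass
class PixPolicy:
    statics: dict = field(default_factory=dict)    # public IP -> inside IP
    acls: dict = field(default_factory=dict)       # ACL name -> [AclEntry]
    bindings: dict = field(default_factory=dict)   # interface -> ACL name
    no_fixups: set = field(default_factory=set)    # protocols with fixup disabled


def parse_pix(config: str) -> PixPolicy:
    """Build a PixPolicy from config text; the inline '<-' notes are ignored."""
    policy = PixPolicy()
    for raw in config.splitlines():
        line = raw.split("<-")[0].strip()
        if m := STATIC_RE.match(line):
            policy.statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port, _ = m.groups()
            policy.acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            policy.bindings[m.group(2)] = m.group(1)
        elif line.startswith("no fixup protocol "):
            policy.no_fixups.add(line.split()[3])
    return policy


def inbound_exposure(policy: PixPolicy, interface: str = "outside") -> list:
    """One (public, inside, proto, port) tuple per permitted tcp/udp service
    reachable from `interface`; no ACL bound means nothing is exposed."""
    rows = []
    for e in policy.acls.get(policy.bindings.get(interface, ""), []):
        if e.action == "permit" and e.proto in ("tcp", "udp"):
            pub = e.dst[5:] if e.dst.startswith("host ") else e.dst
            rows.append((pub, policy.statics.get(pub), e.proto, e.port))
    return rows


def audit(policy: PixPolicy, interface: str = "outside") -> list:
    """Findings a reviewer would want to see before 'write mem'."""
    findings, used = [], set()
    rows = inbound_exposure(policy, interface)
    for pub, inside, proto, port in rows:
        used.add(pub)
        svc = f"{proto}/{port or 'all'}"
        if pub == "any":
            findings.append(f"{svc} permitted to ANY destination: too broad")
        elif inside is None:
            findings.append(f"ACL permits {svc} to {pub} but no static maps it inside: "
                            "traffic is dropped, likely a typo")
        elif port is None:
            findings.append(f"all {proto} ports open to {pub} -> {inside}: restrict with 'eq <port>'")
    if any(port == "25" for _, _, _, port in rows) and "smtp" not in policy.no_fixups:
        findings.append("tcp/25 permitted but 'no fixup protocol smtp 25' is missing")
    for pub, inside in policy.statics.items():
        if pub not in used:
            findings.append(f"static {pub} -> {inside} has no permitted inbound service: confirm it is intended")
    return findings


# The config posted in the answer above (addresses are the thread's examples).
SAMPLE_CONFIG = """
no fixup protocol smtp 25  <- must have this for Exchange to work properly
ip address outside 77.1.1.2 255.255.255.248
ip address inside 192.168.3.1 255.255.255.0
route outside 0 0 77.1.1.1
static (inside,outside) 77.1.1.3 192.168.3.10
static (inside,outside) 77.1.1.4 192.168.3.11
static (inside,outside) 77.1.1.5 192.168.3.12
nat (inside) 1 0 0
global (outside) 1 interface
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 77.1.1.3 eq 25
access-list inbound permit tcp any host 77.1.1.3 eq 110
access-list inbound permit tcp any host 77.1.1.3 eq 143
access-list inbound permit tcp any host 77.1.1.3 eq 443
access-list inbound permit tcp any host 77.1.1.4 eq 80
access-list inbound permit tcp any host 77.1.1.5 eq 80
access-group inbound in interface outside
"""

# Constructed config with deliberate mistakes for the audit to flag.
BAD_CONFIG = """
static (inside,outside) 77.1.1.3 192.168.3.10
static (inside,outside) 77.1.1.4 192.168.3.11
access-list inbound permit tcp any host 77.1.1.3 eq 25
access-list inbound permit tcp any host 77.1.1.6 eq 80
access-list inbound permit tcp any any eq 3389
access-group inbound in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("bad config", BAD_CONFIG)):
        pol = parse_pix(cfg)
        print(f"== {label}: exposed services ==")
        for row in inbound_exposure(pol):
            print("  ", row)
        print("== findings ==")
        for f in audit(pol) or ["none"]:
            print("  ", f)
```

Run it as-is to see the posted config come back clean and the constructed one produce four findings. Because the PIX denies outside-to-inside traffic unless an ACL on `outside` permits it, the exposure list is exactly the set of ports that matter; re-running the audit after every edit to the 'inbound' ACL (and before re-applying it with `access-group`) is a cheap way to keep that set honest.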
