Solved

T1 Network Configuration

Posted on 2006-04-09
Last Modified: 2010-04-17
OK.. We are upgrading to a T1 From Cable with 1 static IP address. We now have 8 public IP addresses.
This is the hardware I already have to work with.

Cisco Pix 506E
1 2003 Exchange server as a member server
1 2003 standard server as the DC
We also have 2 dvrs that will need to be on the public network for remote viewing.

Question by:lvcg
LVL 20

Expert Comment

by:calvinetter
ID: 16412500
PIX only supports ethernet connections, so your ISP would need to be "handing off ethernet" to your PIX via a router/bridge unit (such as an Adtran) or a router with a T1 card & an ethernet LAN interface to connect to your PIX.
  What specifically are you needing help with? The T1 part of it, setting up port forwarding to your servers/DVRs or both?

cheers
LVL 79

Expert Comment

by:lrmoore
ID: 16413560
For your T1 connection, you're going to need a T1 CSU/DSU and a router.
Suggest either a Cisco 1800 series with WIC1-DSU-T1V2, or Adtran 3200 with T1 DSU
One of these will sit outside your PIX FW to terminate the T1. Alternative is to have the Telco provide the router and DSU.

How do you do public viewing of the DVRs? Via IP connection? Streaming? Other?

Author Comment

by:lvcg
ID: 16414680
They have provided the Adtran and the ethernet portion. I guess the question is the safest way to set this up. Right now I can plug in the Adtran to the ethernet switch and set up any device with any of the 8 IP addresses, but I am worried about plugging in the Adtran to my switch for security reasons.

This is what I am thinking...

I do not have a managed switch for VLANs, so I am thinking about a stand-alone switch for the public IP addresses, place the PIX between the switch with the public IPs and place another switch on the private side of the PIX for securing the internal network, and then plug in my DVR that can reside on the public switch?

Is this a secure method? If so, should I also place the exchange on the private side and just open the appropriate ports for the exchange?
LVL 79

Expert Comment

by:lrmoore
ID: 16416297
Yes, that is the most logical configuration.
switch -- pix -- switch --
If you know what ports/protocols the DVR uses it too can be behind the PIX with a static 1-1 nat and you won't need that extra switch. Just use a crossover cable between the Adtran Ethernet port and your PIX outside.
Yes, bring everything you can behind the PIX and only open the required ports.
LVL 20

Accepted Solution

by:calvinetter (earned 2000 total points)
ID: 16416997
Agree w/ lrmoore - it's best to keep everything (incl Exchange) protected behind the PIX, & a crossover cable directly between the Adtran & PIX will avoid anything being plugged in outside the PIX.  Sounds as if this is a new PIX install?  If so, below is an example for a basic setup, incl port forwarding for Exchange & DVRs.

  We'll assume the following for the sake of our example:
public IP block: 77.1.1.x 255.255.255.248 (valid IPs: .1-.6)
ISP default gateway: 77.1.1.1
LAN behind PIX: 192.168.3.x 255.255.255.0
Exchange: 192.168.3.10 (to be accessed via 77.1.1.3)
DVR-1: 192.168.3.11  (to be accessed via 77.1.1.4 on TCP port 80)
DVR-2: 192.168.3.12  (to be accessed via 77.1.1.5 on TCP port 80)

  Run this on the PIX:
no fixup protocol smtp 25  <- must have this for Exchange to work properly
ip address outside 77.1.1.2 255.255.255.248
ip address inside 192.168.3.1 255.255.255.0  <- default gateway for Exchange & other inside hosts
route outside 0 0 77.1.1.1
static (inside,outside) 77.1.1.3 192.168.3.10
static (inside,outside) 77.1.1.4 192.168.3.11
static (inside,outside) 77.1.1.5 192.168.3.12
nat (inside) 1 0 0
global (outside) 1 interface
access-list inbound permit icmp any any echo-reply  <- so outbound pings work; optional but great to have
access-list inbound permit tcp any host 77.1.1.3 eq 25
access-list inbound permit tcp any host 77.1.1.3 eq 110  <- if allowing POP3 to Exchange
access-list inbound permit tcp any host 77.1.1.3 eq 143  <- if allowing IMAP to Exchange
access-list inbound permit tcp any host 77.1.1.3 eq 443  <- if using OWA via https
access-list inbound permit tcp any host 77.1.1.4 eq 80    <- access to DVR-1
access-list inbound permit tcp any host 77.1.1.5 eq 80    <- access to DVR-2
access-group inbound in interface outside
clear xlate
write mem

You'll control what port(s) are open to the DVRs & Exchange by modifying the 'inbound' ACL; modify or add lines as needed, then re-apply the ACL to the interface after making changes:
   access-group inbound in interface outside
If you still need help with the PIX config, post your current complete but "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, don't mask private IPs like 10.x.x.x, 192.168.x.x, etc).

cheers
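The accepted answer's `static` plus `access-list` pairs decide exactly what the outside world can reach. An added example, not from the post or any Cisco tool: a small Python auditor that parses config lines in the shape shown above and reports, per public address, which ports map to which inside host, flagging ACL entries with no matching static, statics with no ACL, and overly broad `permit ip` or port-less rules. The sample config is constructed from the post's values with two deliberately bad lines (a rule for 77.1.1.6, which has no static, and a `permit ip` rule) added to exercise the checks.

```python
import re
from collections import defaultdict

# Constructed sample: the post's config plus two deliberately bad lines
# (an ACL entry for an address with no static, and a 'permit ip' rule).
SAMPLE_CONFIG = """static (inside,outside) 77.1.1.3 192.168.3.10
static (inside,outside) 77.1.1.4 192.168.3.11
static (inside,outside) 77.1.1.5 192.168.3.12
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 77.1.1.3 eq 25
access-list inbound permit tcp any host 77.1.1.3 eq 443
access-list inbound permit tcp any host 77.1.1.4 eq 80
access-list inbound permit tcp any host 77.1.1.5 eq 80
access-list inbound permit tcp any host 77.1.1.6 eq 3389
access-list inbound permit ip any host 77.1.1.4
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (?:host (\S+)|(any))(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def audit(config: str) -> dict:
    # Map each public IP to the ports/inside host it exposes, plus findings.
    statics, rules, applied = {}, defaultdict(list), None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)          # public -> inside host
        elif m := ACL_RE.match(line):
            name, proto, src, dst_host, dst_any, port = m.groups()
            rules[name].append((proto, src, dst_host or dst_any, port))
        elif m := GROUP_RE.match(line):
            applied = m.group(1)                      # ACL bound to 'outside'
    exposed, findings = defaultdict(list), []
    for proto, src, dst, port in rules.get(applied, []):  # only the bound ACL counts
        if proto == "icmp":
            continue                                  # echo-reply only, not a service
        if dst == "any" or proto == "ip" or port is None:
            findings.append(f"broad rule: permit {proto} {src} -> {dst} (no single port)")
        if dst != "any" and dst not in statics:
            findings.append(f"{dst} is permitted in the ACL but has no static NAT")
            continue
        if dst != "any":
            exposed[dst].append(f"{proto}/{port or 'all'} -> {statics[dst]}")
    for pub, inside in statics.items():
        if pub not in exposed:
            findings.append(f"static {pub} -> {inside} has no inbound ACL (nothing exposed)")
    return {"applied_acl": applied, "exposed": dict(exposed), "findings": findings}
```

Run `audit(SAMPLE_CONFIG)` on a sanitized copy of the real config to get the same exposure map the post describes; any line in `findings` is something to fix before `write mem`.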
