Solved

Route customers through central firewall

Posted on 2007-04-05
Last Modified: 2013-11-16
Hello !!
Is there someone who could explain to me or give me the best suggestion about "how to route customers through a Central firewall solution such as ASA"?? Does it mean that all of these customers need to be in our network, or can they use another ISP and then we create a VRF, or how??

I need some step-by-step suggestion on how to accomplish this in the best way. Then we will administer their access through our firewall. Which technology is usually used in this case?

Thank You
Best regards
Steve
Question by:Steve_I

Expert Comment

by:Brain2000
If you want to funnel customers through a VRF, then they will need something VRF compatible, such as a Cisco router, at their location.  Are you looking to bring in your remote customers to your local LAN using VRF?  If so, there are articles on Cisco's website that describe this process, such as:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad1.html#wp1027258

If you are just looking to allow customers to hit your website through port 80, then you don't need VRF.  You can configure Cisco to block everything but incoming port 80, and redirect that through NAT to a particular internal server.

More information is needed though to make a better response.  Please provide information about how your customers must interface with your office, what applications they will be accessing remotely, what information you must collect from them remotely, what hardware you have already purchased, or are you thinking of making a purchase based on this information?

Expert Comment

by:Brain2000
Oh, I forgot something.  In order to actually do the route from your customers through a firewall, you will need to have a domain registered, along with DNS.  It is this DNS that gives your customers the ability to get to your incoming internet connection with a domain name.  For example, if you want to download something from Microsoft, you open your web browser and type http://www.microsoft.com.  This looks up their numbers, gets their internet IP address, and hooks you to them.  Your customers will do the same to you.  At that point, the first piece of hardware you should have set up right after your internet connection is the firewall.

Author Comment

by:Steve_I
Hello Brain !!

Thank You very much for the reply, I will now read through the article You sent me.

<<Are you looking to bring in your remote customers to your local LAN using VRF?>>
    I AM NOT 100 % SURE WHAT IS THE BEST WAY TO DO SO, SO I NEED A SUGGESTION, BUT I
    THOUGHT THAT VRF IS USUALLY USED IN THIS CASE ?? THERE IS NO TALK ABOUT THE
    INTERNAL WEB SERVER ACCESS, BUT JUST ROUTE THEM THROUGH THE CENTRAL FIREWALL SO THEY
    ARE PROTECTED THE WHOLE TIME. BUT THE QUESTION IS, DO THEY NEED TO GET THE INTERNET
    ACCESS FROM US IN THIS CASE, OR CAN THEY HAVE ANOTHER ISP ??
    BECAUSE MANY COMPANIES HAVE CISCO ROUTERS WITH A STATIC IP ADDRESS FROM ANOTHER ISP, AND WE WILL ROUTE THEM THROUGH OUR CENTRAL FIREWALL, POSSIBLE ??

Thank You again !!
Best regards
Steve

Accepted Solution

by:
Brain2000 earned 500 total points
I will take from the answer that you want your customers to have access to your LAN through VRF.  Your customers could set up their Cisco routers so that internet access will go through their own ISP provider, but if they want to hit your LAN, the router will send it through the established VRF.  That way, you do not need to provide them with internet access.

The companies that have static IP addresses are easier and safer to route through the firewall, because you can put exceptions in for only their addresses.  Then, they can establish a VRF through the firewall, and access your network remotely.

If both you and your customers have static IP addresses, you won't need DNS to get them to your router/firewall, only your IP address.  You can configure your firewall to allow their IP address through via an access-list, and then configure their Cisco router to connect to you via VRF.

Author Comment

by:Steve_I
Well, this description and suggestion looks very good. But in this case, are these customers then protected from the INTERNET via the central firewall, or ?? only from other customers that are going through the same central firewall ??


Expert Comment

by:Brain2000
Once a customer's office has established a connection to your office, that customer can now potentially receive attacks from both the internet, and your network.  Therefore, your firewall will protect them from outside attacks coming from you.  However, make sure your firewall/router also has rules to limit them to only the ports they need.  You have to make sure that YOU are protected from your customers in case they get attacked from elsewhere, and it tries to spread to you.

You should protect yourself from the internet, yourself from your customers, and your customers from yourself.  You shouldn't have to protect your customers from the internet... unless they are paying you to do so and you have full access to their routing/firewall equipment.

Author Comment

by:Steve_I
You were very near the answer, what I am thinking about is:

Can we use the central firewall to protect the users from the "internet"? I know that we need to protect us from the customers and protect them from other customers and so on... But can we protect them from the INTERNET without any configuration on their equipment ?? just route their internet traffic through our firewall ?? Because they would also like it if we could protect them from the internet too, not just from other customers and so on..... ?

Expert Comment

by:Brain2000
If you want to keep the customers separate, you can set up access-lists that will deny access through the firewall between IP addresses.  For example, if one customer is connected with IP 1.2.3.4, and another customer is connected with IP 2.3.4.5, you can set an ip access-group filter on the interface to keep IP addresses in the 1.2.3.4 range from targeting 2.3.4.5, and vice versa.

If you want to host your customers' internet bandwidth at your location, it can be done, but it may become expensive and the benefits may not be worthwhile, versus just having their own routers set up correctly to protect them.  They will have to send ALL of their outbound traffic to your network, then you will have to retransmit their internet destined traffic back outbound to the internet, then receive the reply back from the internet, and then transmit the reply to your customer.  Keep in mind that for every one byte they send/receive, you will have to send/receive two bytes.  And while your firewall can protect your customers from some attacks, it will probably not protect them from malicious website scripts.  Since the web is usually browsed through port 80, and some websites contain exploits targeting web browsers through Javascript/ActiveX, which a firewall will not block (unless it has some type of heuristic javascript checker, does such a thing exist?  oops, there's a can of worms).  So I would recommend that your customers also run some kind of Antivirus/Antispyware, such as Symantec Corporate Antivirus 10.x (this can be set up to silently push install).

I just thought of something else you might need to know.  If your internet bandwidth resides on the same router interface as the one your customers are hooked into, you will have to incorporate a technique called "NAT on a Stick" in order to receive a packet from a customer, NAT it to a public IP address, and send it back out on the same physical interface.  If you google search "NAT on a Stick", you'll find Cisco's documentation on how to set that up using a loopback interface.  Keep in mind that this technique uses a routing policy, which when triggered, uses PROCESS SWITCHING instead of fast or cisco express forwarding switching techniques.  Process switching requires more CPU usage than other techniques, so make sure you have a big beefy router and a lot of bandwidth if you have a lot of customers.  You can see how much CPU usage your Cisco router is taking over a 72 hour period using the "show processes cpu history" command.
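The inter-customer isolation described above, as an added Cisco IOS configuration example that is not part of the thread: the addresses are constructed RFC 5737 documentation ranges, the interface name is a placeholder, and the ACL name is an assumption.

```cisco
! Added example (not from the thread). Constructed addresses:
!   customer A : 192.0.2.0/24
!   customer B : 198.51.100.0/24
!   hub LAN    : 203.0.113.0/24 (the only service customers need is TCP/443)
! The ACL is stateless: it filters what customers send toward the hub. If the
! hub must also initiate sessions to customers, add an "established" rule so
! their replies are not dropped by the final deny.
!
ip access-list extended CUSTOMER-ISOLATION
 remark --- keep customer A and customer B apart, in both directions
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log
 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 remark --- least privilege: only the port the customers actually need on the hub LAN
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443
 permit tcp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443
 remark --- everything else from the customer side is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer-facing interface (placeholder name)
 ip address 10.10.0.1 255.255.255.0
 ip access-group CUSTOMER-ISOLATION in
!
! Verification: per-line hit counters show whether customers are trying to
! reach each other or unapproved ports.
!   show ip access-lists CUSTOMER-ISOLATION
```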

Author Comment

by:Steve_I
Hello again !!!

Thank You very much for the very great explanation !!!!! I really appreciate it !!!!!!
I think I understand what You mean. We have 4 fiber optic links to the internet, so there is no problem with bandwidth for the customers. The hard part is to find which solution is the best to use. But I'll read Your explanation more than twice, so I will try to find out what is the best to do.

Again thank You very much !!!
Best regards
Steve

Expert Comment

by:Brain2000
Sounds like you do have a lot of potential bandwidth going on.  Are you starting an ISP up?  If so, I would highly recommend having someone Cisco certified with ISP experience consult to help with the layout and setup of all the customers and the securities in case you run into other gotchas during the setup phase.  And the rate-limiting.  And accounting.  And BGP sessions.....

Author Comment

by:Steve_I
Yes, You are right, I'll start the ISP (wireless for customers) and the most important thing in this case is to set up the BGP router correctly. But if You have a little time to spend I would be very happy if You could give me more info on what exactly is needed, because I will not begin before I have all the needed information. Now, as I told You, the fiber optic is not a problem, that is already in place.

Thank You very much for helping !!!!
Best regards
Steve