policy-based routing with cisco 1811

asked by valleytech:

Hi
I'm working on a cisco 1811/k8 with 2x fe ports and 8 built-in ports.
the diagram will explain more than my words.
fe0 has public IP 64.62xxxx. Our DNS points domain.com to this IP.
vlan1 has 2 load-balanced web servers and is being NAT'd to fe0.

fe1 has public IP 65.49xxxx. Our DNS points sub1.domain.com to this IP.
vlan2 has 1 web server, 1 ftp server and is being NAT'd to fe1.

I'd like to setup PBR so that HTTP requests to http://www.domain.com and http://sub1.domain.com can be processed by appropriate web servers.

I came up with an IOS version for this task, but have not tested it yet since the router is uplinked.
(simply change ip route statement)

Can you please show me how to achieve this task correctly?
thanks so much!
!!!2 NAMESERVERS PROVIDED BY ISP
ip name-server 65.19.175.2
ip name-server 216.218.196.2
!!
ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
 
 
!!THIS RULE WILL ALLOW OUTBOUND CONNECTIONS FROM MY INTERNAL NET
ip inspect name firewall http
ip inspect name firewall https
.........
!
 
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip access-group inbound0 in
 ip nat outside1
 ip inspect firewall out
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip access-group inbound1 in
 ip nat outside2
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside1
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside2
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!
!
no ip http server
no ip http secure-server
 
ip nat pool LocalNet1 64.62.240.66 64.62.240.66 prefix-length 24
ip nat pool LocalNet2 65.49.22.194 65.49.22.194 prefix-length 24
 
ip nat inside source list 1 pool LocalNet1 overload
ip nat inside source list 2 pool LocalNet2 overload
 
ip nat inside1 source static tcp 192.168.0.80 80 interface FastEthernet0 80
....MORE NAT RULES HERE
 
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
 
!
ip access-list extended inbound0
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq ftp
 permit tcp any host 64.62.240.66 eq ftp-data
 permit tcp any host 64.62.240.66 eq 443
 permit tcp any host 64.62.240.66 eq smtp
 permit tcp any host 64.62.240.66 eq 3389
 permit tcp any host 64.62.240.66 eq 3390
 permit tcp any host 64.62.240.66 eq 3391
 permit tcp any host 64.62.240.66 eq 3392
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 64.62.250.66 log
 deny   udp any host 64.62.250.66 log
!
!
!
ip access-list extended inbound1
 permit tcp any host 65.49.22.194 eq www
 permit tcp any host 65.49.22.194 eq ftp
 permit tcp any host 65.49.22.194 eq ftp-data
 permit tcp any host 65.49.22.194 eq 3389
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 65.49.22.194
 deny   udp any host 65.49.22.194
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!

[attachment: net1.jpg, the network diagram referred to above]
ASKER CERTIFIED SOLUTION by kyleb84 (Australia)
(solution text is only available to Experts Exchange members and is not included here)

valleytech (asker):

Thanks!!
I have a couple of questions though

1. when you put the gateway as "ip route 0.0.0.0 0.0.0.0 xxxxxxx", will it confuse the router? i.e., will packets know which route to follow?

2. NAT doesn't provide any means of protection, right? That's why I added ACLs.

thanks again for any info!
kyleb84 replied:

1.
When a pc from either Vlan1 or Vlan2 wants to access the internet, the Cisco router can tell which Vlan needs to go out which FastEthernet because of the "ip nat source list" command.

2.
NAT is a defence in itself, and Cisco are very much established in networking so their NAT engine will be secure. NAT basically only allows your local computers to access internet resources... Internet "hackers" cannot initiate an attack on your

In any case, your ACLs that I removed didn't do much, because you were blocking address ranges that do not exist on the internet - only in private LANs that would never be found on the WAN side of your router.

""
 deny   ip 192.168.0.0 0.0.255.255 any log <-- Private LAN range, not required.
 deny   ip 0.0.0.0 0.255.255.255 any log <-- Bad syntax
 deny   ip host 255.255.255.255 any log <-- this would kill broadcasts, not particularly necessary.
 deny   ip 172.0.0.0 0.255.255.255 any log <-- Private LAN, actually blocks some real world IPs as well.
 deny   ip 224.0.0.0 15.255.255.255 any log <-- Multicast, not required
 deny   ip 240.0.0.0 7.255.255.255 any log <--  As above
 deny   ip 10.0.0.0 0.255.255.255 any log <-- Private LAN
 deny   ip 172.16.0.0 0.15.255.255 any log <-- Private LAN
""

As long as your web servers are up to date, with AV etc... and your port forwarding isn't out of control you don't have much to worry about.
NOTE:
I mentioned that it would load balance, this isn't correct as both the WAN interfaces are NAT OUTSIDE interfaces (Routes are governed by that command "ip nat source list").

valleytech (asker):

sorry for the late replies! grad school is killing me lolzz..

so, overall, I can just keep my old configuration plus the editing that you suggested right?
The "deny" commands I used are to prevent IP spoofing. What do you think?

thanks!!

I was able to try out the new setup today.
Vlan1 seems to be working okay.
But vlan2 doesn't work so well. I cannot ping the vlan2 interface from the router itself.
So I switched to using vlan1 instead, but with 2 statements of "ip route" the router seems to be confused. Thus, the connection is really slow, unless I remove one of the "ip route" statements.

Can you help??
thanks!!
interface FastEthernet0
 ip address 209.172.108.20 255.255.255.224
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 209.172.108.194 255.255.255.248
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!!209.172.108.1 is gateway for network of 209.172.108.1/30
ip route 0.0.0.0 0.0.0.0 209.172.108.1 
!!193 is gateway for network of 209.172.108.194/30
ip route 0.0.0.0 0.0.0.0 209.172.108.193

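Added example, not the asker's configuration or the accepted solution: one standard IOS way to run the two-WAN layout above with a single default route, steering Vlan2 out FastEthernet1 by policy-based routing and selecting the NAT translation by egress interface, so replies to the static port forwards on FastEthernet1 leave through FastEthernet1. The addresses and the numbered access-lists 1 and 2 are the ones in the configurations above; the route-map and named-ACL names are chosen here, and `ip nat inside`/`ip nat outside` are assumed to remain on the interfaces as posted.

```cisco
! Added example (not the thread's accepted answer). Addresses come from the
! asker's second configuration; route-map and ACL names are chosen here.
!
! Keep one default route only; Vlan1 follows it out FastEthernet0.
no ip route 0.0.0.0 0.0.0.0 209.172.108.193
ip route 0.0.0.0 0.0.0.0 209.172.108.1
!
! Vlan2 traffic bound for the Internet is handed to the FastEthernet1 gateway.
! Inter-VLAN traffic is denied here so it keeps using the normal routing table
! instead of being sent to the ISP.
ip access-list extended VLAN2-TO-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR-VLAN2 permit 10
 match ip address VLAN2-TO-INTERNET
 set ip next-hop 209.172.108.193
!
interface Vlan2
 ip policy route-map PBR-VLAN2
!
! NAT keyed on the egress interface: each VLAN is translated to the address of
! the WAN port it actually leaves through. This takes the place of the
! "ip nat inside source list ... pool ..." statements in the first configuration.
route-map NAT-FE0 permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map NAT-FE1 permit 10
 match ip address 2
 match interface FastEthernet1
!
ip nat inside source route-map NAT-FE0 interface FastEthernet0 overload
ip nat inside source route-map NAT-FE1 interface FastEthernet1 overload
!
! Existing static port forwards stay as posted, e.g.:
! ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
```

With the second default route removed, the router no longer load-shares per destination across both WAN ports, which is the behaviour that made translated sessions leave on the wrong interface; `show ip nat translations` and `show route-map` confirm which interface and map each flow used.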