Firewall - Proper setup for servers with public AND private IPs

Posted on 2008-11-12
Last Modified: 2012-05-05
I have several servers that do filesharing / webserving on my private network AND do webserving on the internet with public IPs.  I can think of several ways to do this, but I want to know the proper / best way as far as security.  This is a from-scratch retool of my network so pretty much anything goes as long as it uses my current hardware.

Hardware is a Cisco 2600 router running VLANs to an HP switch.  One VLAN is the private network doing NAT and one is my public subnet.

I would like to be able to access the webservers from inside and out using the same DNS names.


1) Put two network cards in the servers so they can have IPs on BOTH networks.  The ACLs of my firewall could control security pretty easy.

2) Put the servers in the private network and do port forwarding or statically map the public IPs to the private IPs.

3) Set up the servers with just public IPs and configure things so the local filesharing works, but block filesharing on the internet side.

I'm interested in the quick pros and cons of each setup.

Question by:ctarbet
    LVL 13

    Accepted Solution

    Depending on what specific hardware and IOS you're running...

    The best solution is to put the webservers in a DMZ with the following ACLs:
    Inside  -> Outside    Normal internet access
    Inside  -> DMZ        Unrestricted access
    Outside -> Inside     No access
    Outside -> DMZ        Web access only
    DMZ     -> Outside    Normal internet access
    DMZ     -> Inside     No access

    The IP addresses you use in the DMZ should be non-routeable (private i.e. Use static NAT to map servers to public IP (with appropriate ACLs).

    If your IOS doesn't have the firewall feature set, just create a separate VLAN for the DMZ and implement the ACLs described above.
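
    The zone matrix above written out as a classic IOS ACL configuration, added here as a worked example (it is not the expert's own config and was not part of the original answer). It assumes 802.1Q subinterfaces on the trunk to the switch for the inside and DMZ VLANs, and uses constructed documentation addresses: 203.0.113.0/29 stands in for the public block, 192.168.1.0/24 is the inside LAN, 192.168.100.0/24 is the DMZ. VLAN numbers, interface names, ACL names and the single web server at 192.168.100.10 are all assumptions.

```cisco
! Added example, not from the original post. Addresses are constructed:
! 203.0.113.0/29 = public block, 192.168.1.0/24 = inside, 192.168.100.0/24 = DMZ.
! Interface and VLAN numbers are assumptions.
!
interface FastEthernet0/0
 description Uplink to ISP (outside zone)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description 802.1Q trunk to the HP switch
 no ip address
!
interface FastEthernet0/1.10
 description Inside LAN (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE_IN in
!
interface FastEthernet0/1.20
 description DMZ (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip access-group DMZ_IN in
!
! Static NAT: one public address per web server, as the answer recommends.
! The host itself only ever holds the private address.
ip nat inside source static 192.168.100.10 203.0.113.3
!
! Inside hosts share the router's public address for normal internet access.
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet0/0 overload
!
! Inside -> Outside and Inside -> DMZ: unrestricted. Only the inside
! subnet may source packets here (cheap anti-spoofing).
ip access-list extended INSIDE_IN
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
! DMZ -> Inside: no access, except replies to TCP sessions the inside
! opened (file sharing, admin). DMZ -> Outside: normal internet access.
ip access-list extended DMZ_IN
 permit tcp 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 established
 deny   ip  192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip  192.168.100.0 0.0.0.255 any
 deny   ip  any any log
!
! Outside -> DMZ: web only. Inbound packets on the outside interface are
! checked by the ACL before NAT, so match the public (pre-translation)
! address. Outside -> Inside: nothing, except replies to sessions
! initiated from inside or the DMZ.
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.3 eq 80
 permit tcp any host 203.0.113.3 eq 443
 remark -- return traffic; with the firewall feature set, replace these
 remark -- two lines by 'ip inspect' (CBAC) on the inside/DMZ interfaces
 permit tcp any any established
 permit udp any eq 53 any
 deny   ip  any any log
```

    Two points worth checking after applying something like this. First, the `established` lines only cover TCP replies and only test the ACK/RST flags, so they are a weaker substitute for stateful inspection; where the IOS image has the firewall feature set, CBAC (`ip inspect`) is the better fit and the two `permit ... established` / `permit udp ... eq 53` lines go away. Second, IOS NAT translates between `ip nat inside` and `ip nat outside` interfaces only, so inside clients cannot reach the web server via its public address through this router; to meet the "same DNS names inside and out" requirement, run split-horizon DNS so that internal resolvers return 192.168.100.10 while public resolvers return 203.0.113.3.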

    Author Comment

    Is it really necessary to set up the DMZ with a private network?  Isn't it just as good to let the servers run public IPs and lock down the incoming access to web traffic only?  I guess I don't see the difference between doing the static NAT and not doing it seems how the ACL is going to be the same in either case.

    Thanks, though.  That is exactly what I wanted.
    LVL 13

    Expert Comment

    You can use public IPs, nothing wrong with that.
    I'm just a little more security-conscious than most.
    Less chance of exposing your servers if your ACLs are mis-configured.
    Using non-routeable IPs is best practice.

    Author Comment

    Thanks.  It's hard to tell sometimes where the line between good practice and paranoid delusion lies.  Not to imply you are paranoid or anything... :)
