Firewall - Proper setup for servers with public AND private IPs

I have several servers that do filesharing / webserving on my private network AND do webserving on the internet with public IPs.  I can think of several ways to do this, but I want to know the proper / best way as far as security.  This is a from-scratch retool of my network so pretty much anything goes as long as it uses my current hardware.

Hardware is a Cisco 2600 router running VLANs to an HP switch.  One VLAN is the private network doing NAT and one is my public subnet.

I would like to be able to access the webservers from inside and out using the same DNS names.


1) Put two network cards in the servers so they can have IPs on BOTH networks.  The ACLs of my firewall could control security pretty easily.

2) Put the servers in the private network and do port forwarding or statically map the public IPs to the private IPs.

3) Set up the servers with just public IPs and configure things so the local filesharing works, but block filesharing on the internet side.

I'm interested in the quick pros and cons of each setup.  


Depending on what specific hardware and IOS you're running...

The best solution is to put the webservers in a DMZ with the following ACLs:

  Inside  -> Outside    Normal internet access
  Inside  -> DMZ        Unrestricted access
  Outside -> Inside     No access
  Outside -> DMZ        Web access only
  DMZ     -> Outside    Normal internet access
  DMZ     -> Inside     No access

The IP addresses you use in the DMZ should be non-routable (private, i.e. ...). Use static NAT to map servers to public IPs (with appropriate ACLs).

If your IOS doesn't have the firewall feature set, just create a separate VLAN for the DMZ and implement the ACLs described above.
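As an added illustration (not part of the answer above, and not a configuration from the original poster's network), here is a Cisco IOS configuration that implements the six-row zone policy with plain interface ACLs and static NAT, for the case the answer mentions where the IOS image lacks the firewall feature set (no CBAC). Every address, VLAN number, interface name and ACL name is a constructed assumption: Inside is VLAN 10 on 192.168.10.0/24, the DMZ is VLAN 20 on 192.168.20.0/24 with the web server at 192.168.20.10, and the outside link uses the RFC 5737 documentation range 203.0.113.0/29 with 203.0.113.3 as the server's public address.

```cisco
! Added example: zone policy from the answer, expressed as stateless IOS ACLs.
! All addresses, VLANs and interface names are constructed assumptions.
!   Inside  = VLAN 10, 192.168.10.0/24  (private LAN, PAT'd behind the outside address)
!   DMZ     = VLAN 20, 192.168.20.0/24  (web server 192.168.20.10 -> public 203.0.113.3)
!   Outside = FastEthernet0/1, 203.0.113.2/29
!
interface FastEthernet0/0
 description 802.1Q trunk to the HP switch
 no ip address
!
interface FastEthernet0/0.10
 description Inside
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface FastEthernet0/0.20
 description DMZ (its own VLAN, private addresses only)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
interface FastEthernet0/1
 description Outside
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Static NAT: the server keeps its private address; only the mapping is public.
! A DMZ host with no static mapping has no public address at all.
ip nat inside source static 192.168.20.10 203.0.113.3
!
! Everything else going to the internet is PAT'd behind the outside address.
ip access-list standard NAT-CLIENTS
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-CLIENTS interface FastEthernet0/1 overload
!
! Inside -> DMZ: unrestricted.  Inside -> Outside: normal internet access.
ip access-list extended INSIDE-IN
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
! DMZ -> Outside: normal internet access.  DMZ -> Inside: no access.
! These ACLs are stateless, so replies to Inside -> DMZ sessions must be
! allowed back explicitly: "established" matches TCP segments with ACK or RST set.
ip access-list extended DMZ-IN
 remark replies from the web server to inside clients
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 remark everything else DMZ -> Inside is blocked and logged
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip 192.168.20.0 0.0.0.255 any
 deny   ip any any log
!
! Outside -> DMZ: web only.  Outside -> Inside: no access.
! An inbound ACL on the outside interface is evaluated before NAT, so it
! matches the public (translated) addresses, never 192.168.x.x.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.3 eq 80
 permit tcp any host 203.0.113.3 eq 443
 remark return traffic for sessions opened from Inside or the DMZ (PAT and static NAT)
 permit tcp any 203.0.113.0 0.0.0.7 established
 remark DNS replies; stateless, so any UDP from source port 53 is let in
 permit udp any eq 53 203.0.113.0 0.0.0.7
 deny   ip any any log
```

Two things worth knowing about this layout. First, the `established` and UDP-53 return-traffic lines are the price of not having the firewall feature set: they admit any TCP segment with ACK set or any UDP datagram from source port 53 to the public range, which CBAC (`ip inspect`) would replace with real session tracking, so those lines are the ones to replace first if the IOS image does have it. Second, inside clients reach the server directly at 192.168.20.10 and never pass through NAT, so to use the same DNS name inside and out the usual approach is split DNS (inside resolvers answer with the private address, public DNS with 203.0.113.3); classic IOS NAT does not translate traffic that enters and leaves on "inside" interfaces. On the original poster's follow-up question: with this design an ACL mistake can only expose a DMZ host that already has a static NAT mapping, and that host is reachable on every port the ACL permits, so the ACL still matters even though unmapped hosts are unreachable regardless.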

ctarbet (Author) commented:
Is it really necessary to set up the DMZ with a private network?  Isn't it just as good to let the servers run public IPs and lock down the incoming access to web traffic only?  I guess I don't see the difference between doing the static NAT and not doing it, seeing as how the ACL is going to be the same in either case.

Thanks, though.  That is exactly what I wanted.

You can use public IPs, nothing wrong with that.
I'm just a little more security-conscious than most.
Less chance of exposing your servers if your ACLs are mis-configured.
Using non-routeable IPs is best practice.

ctarbet (Author) commented:
Thanks.  It's hard to tell sometimes where the line between good practice and paranoid delusion lies.  Not to imply you are paranoid or anything... :)