DBrecht (United States of America) asked:
Cisco router - 2 interfaces on same subnet?

At our "primary" location, our company uses access-control lists on our perimeter Cisco router to reduce all incoming traffic to just the ports required for our DMZ servers.  Inside that we use a SonicWall UTM appliance for IPS, anti-virus, etc.  (PLEASE don't get hung up on the "why" of this approach)

At a remote location, we would like to use the same approach. However, we are prohibited from configuring the perimeter Cisco router that was provided by our ISP. So we currently have their Cisco 2600 series router (no access-list restrictions in place at all), then the SonicWall. Our hope is to place another Cisco 2600 series router (with access lists) between the current Cisco and the SonicWall. Our concerns center on the routing and how to get that Cisco to pass traffic when both interfaces are within the same subnet.

The current perimeter Cisco has a public IP of x.x.x.17 (255.255.255.240)

The SonicWall interface has a public IP of x.x.x.18 (same subnet)

The SonicWall uses NAT to convert the remainder of our public addresses (.19 through .30, though only .28 through .30 are currently used) to our private addresses.

How would the Cisco "middleman" be configured to properly pass traffic between the current Cisco and the SonicWall?

ciscoguy69:

The router man in the middle is not viable. Can you use the SonicWall UTM to do the port access along with the NAT? The other option would be to set up the router with the old subnet on one side and a new one on the other and use it to do the NAT instead of the SonicWall UTM.

Will the ISP make changes to their 2600 at your request? If so, you could use a /30 (public or private) between their 2600 and your "outside" interface of the 2600. You could then use the x.x.x.16/28 on your 2600 "inside" interface. You could break up your public block even for the /30 between your router and theirs. They would need to add a route to the public block via your 2600 outside interface and your 2600 would have a default route pointing to their 2600 inside interface.

If they will not make changes to their router, you can use the public block on the outside and a private subnet to match on the inside connected to the Sonicwall.  You could do a 1-1 static NAT for each public IP in the pool.  The sonicwall would NAT the private IP to the real IP of the server.

Mapping like this:

192.168.254.19 - x.x.x.19
192.168.254.20 - x.x.x.20
192.168.254.21 - x.x.x.21
etc...
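A worked IOS configuration for the one-to-one NAT design just described, added here as an illustration; it is not taken from the post above or from any real device. It uses 203.0.113.16/28 as a stand-in for the page's x.x.x.16/28, assumes the middleman 2600 takes x.x.x.18 on its outside interface while the SonicWall WAN moves to 192.168.254.18, and the interface names and the permitted ports are assumptions.

```cisco
! Middleman 2600, one-to-one NAT design (added example, not from the thread).
! 203.0.113.16/28 stands in for the page's x.x.x.16/28; interface names and
! port list are assumptions.
hostname middleman-2600
!
! Outside: same public subnet as the ISP's 2600 (.17). The middleman takes .18,
! the address the SonicWall used to hold on the public side.
interface FastEthernet0/0
 description Outside - toward ISP 2600 (203.0.113.17)
 ip address 203.0.113.18 255.255.255.240
 ip access-group DMZ-IN in
 ip nat outside
!
! Inside: a private mirror of the public block, so the two interfaces sit on
! different subnets and the router can actually route between them.
interface FastEthernet0/1
 description Inside - toward SonicWall WAN (192.168.254.18)
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.17
!
! One-to-one static NAT, private .N <-> public .N. IOS answers ARP on the
! outside interface for each static global address, so the ISP's router needs
! no configuration change to reach them.
ip nat inside source static 192.168.254.28 203.0.113.28
ip nat inside source static 192.168.254.29 203.0.113.29
ip nat inside source static 192.168.254.30 203.0.113.30
! (repeat for .19 through .27 as they come into use)
!
! The SonicWall's own outbound traffic (source 192.168.254.18) is overloaded
! onto the router's outside address, since .18 cannot also be a static mapping.
ip access-list standard SW-OUTBOUND
 permit host 192.168.254.18
ip nat inside source list SW-OUTBOUND interface FastEthernet0/0 overload
!
! The inbound ACL on the outside interface is evaluated before translation, so
! it matches the public addresses, exactly as at the primary site. Permit only
! the DMZ ports (assumed here), admit return traffic for sessions the inside
! initiated, and log everything else.
ip access-list extended DMZ-IN
 permit tcp any host 203.0.113.28 eq 443
 permit tcp any host 203.0.113.29 eq 25
 permit tcp any host 203.0.113.30 eq www
 permit tcp any 203.0.113.16 0.0.0.15 established
 permit udp any eq domain 203.0.113.16 0.0.0.15 gt 1023
 permit icmp any 203.0.113.16 0.0.0.15 echo-reply
 deny ip any any log
```

The `established` and `gt 1023` entries are stateless return-traffic holes; if the image carries the IOS Firewall feature set, an `ip inspect` rule applied on the outside interface is the stateful replacement for them. Verify with `show ip nat translations` and `show ip access-lists DMZ-IN` that translations are being built and that the `deny ... log` counter is catching only unsolicited traffic.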

uh...

you're both overlooking the obvious

you don't want to "route" traffic, you want to "switch" traffic.

if what you want is:

ISP --- [isp's 2600] ---[your device with acl's] -- to DMZ or LAN


then you don't need to 'route'. You can use IP-less inspection (your device won't have 'routing'). It'll just have an in and an out and ACLs and zones.

Look into PIX devices.

Assuming you cannot have the ISP change config of their router (to use a /30 and route a _different_ subnet to your router for use on your LAN)

If you want two interfaces on the same subnet, to forward traffic for that subnet between the two, you cannot use a router.

You must use a bridge.

Since you want to use access lists to control traffic, it must be a bridge with Layer 2 access list or transparent firewall capabilities.

To use a Cisco router for this, an IOS firewall + Layer 2 inspection + CBAC, also known as "Transparent Firewall", would work.

http://www.cisco.com/web/go/iosfirewall/index.html

Certain switches (with the right feature sets) also have Layer 2 ACL capability. In that case, you don't use any routing on the switch: the ISP 2600 goes in one port, the SonicWall and DMZ devices go in different ports, and you apply ACLs to L2 ports.


An alternative would be to use one-to-one NAT on your 2600 middleman, so the internal subnets aren't really the same, so your router middleman can actually route.


*When I say 'Cisco router' would work, I mean, with the right L2 features, it can work, if you turn off routing and set up the router to perform bridging instead, subject to your L2 ACLs.
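A worked configuration for the transparent firewall option in the post above, added here as an illustration; it is not the poster's code and not taken from any real device. It assumes an IOS image with the IOS Firewall feature set that supports the transparent (bridged) firewall, uses 203.0.113.16/28 as a stand-in for the page's x.x.x.16/28, and the interface names, management address and permitted ports are assumptions. The SonicWall keeps x.x.x.18 and the ISP's router is untouched, because nothing is routed or translated: the middleman only bridges and filters.

```cisco
! Middleman 2600 as a transparent (bridging) IOS firewall. Added example, not
! from the thread. Requires an IOS Firewall feature-set image that supports
! the transparent firewall; 203.0.113.16/28 stands in for x.x.x.16/28;
! interface names, BVI address and port list are assumptions.
hostname bridge-2600
!
! Integrated routing and bridging: both public-side interfaces join bridge
! group 1. "route ip" is only needed so the BVI can carry a management address.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! CBAC inspection rule: sessions leaving toward the ISP are tracked, and their
! return traffic is admitted through the inbound ACL on the outside leg.
ip inspect name DMZ-FW tcp
ip inspect name DMZ-FW udp
ip inspect name DMZ-FW icmp
!
! Outside leg: no IP address, just a bridge-group member. The inbound ACL is
! evaluated on the public addresses directly, since nothing is translated.
interface FastEthernet0/0
 description Outside - toward ISP 2600 (203.0.113.17)
 no ip address
 bridge-group 1
 ip access-group DMZ-IN in
!
! Inside leg: toward the SonicWall (still 203.0.113.18) and the DMZ. Inspection
! is applied inbound here so outbound sessions open dynamic holes in DMZ-IN.
interface FastEthernet0/1
 description Inside - toward SonicWall WAN (203.0.113.18)
 no ip address
 bridge-group 1
 ip inspect DMZ-FW in
!
! Optional management address on the bridge-group virtual interface, taken
! from an assumed-free address in the same /28.
interface BVI1
 ip address 203.0.113.19 255.255.255.240
!
! Same port policy as the primary site's perimeter router (ports assumed).
ip access-list extended DMZ-IN
 permit tcp any host 203.0.113.28 eq 443
 permit tcp any host 203.0.113.29 eq 25
 permit tcp any host 203.0.113.30 eq www
 deny ip any any log
```

Because the bridge has no forwarding IP address, it does not appear in traceroutes and the SonicWall's NAT configuration does not change. Check that the bridge is forwarding with `show bridge 1` (both interfaces should be listed as forwarding) and that CBAC is opening return-traffic entries with `show ip inspect sessions`; a `deny ... log` hit count that grows only for unsolicited sources confirms the ACL is doing the same job the primary site's ACL does.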

or... use a PIX... which is what Mysidia is describing... out of the box.

A PIX is a device that runs IOS that performs stateful packet inspection (FORMERLY called CBAC, now known as the IOS Firewall) out of the box. It can be made to do NAT, but is by default a transparent gateway.

Basically you cannot route between two interfaces on the same router on the same subnet. You could attempt to break up the subnets as JFrederick29 had mentioned, or do static NAT to a different subnet on the inside of the man-in-the-middle router, on the outside of the SonicWall, such as I mentioned earlier. Other than that, you would have to do something like a transparent firewall (mode) such as a PIX or ASA. Cisco switches only support inbound access lists on L2 ports. If you are looking to add hardware such as a PIX, you could also use an IPS to block hosts or ports without having to have a L3 interface.

Asker certified solution: DBrecht (United States of America)
