
Home Test Lab: Question #529

Posted on 2014-01-14
Last Modified: 2016-11-23
I have searched EE for something close to what I am attempting to accomplish, but have not found any decent results matching my exact question.  I do apologize for duplicating this question AGAIN.

Current Hardware acquired (will get more if needed):
Dell PowerEdge 2950 Server, Cisco 1760 Router, Dell PowerConnect 2816 Switch, couple of 5-port desktop switches, Cisco Linksys E3000 Router

Obviously a hodge-podge of hardware.  Here is what I would like to accomplish...

Set up an HTTP/FTP/etc. server to be accessed from external while providing internet access to internal clients utilizing DHCP to provide IP addresses.  My problem is that I don't know exactly how this should be set up.

My guess is that the Server should be the edge device?  Or the Cisco 1760 Router?  This is how it looks in my mind:

ISP Cable Modem-->Cisco 1760 Router-->PE2950-->Cisco 2816 Switch-->Internal Clients

I'm looking for a basic, but expandable setup.  Again, I can purchase additional hardware if required to accomplish my goal.  Thank you for your time in answering this and sorry if this is a duplicate question.
Question by:Christopher Reed
5 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39780876
Most cable ISPs will block those services unless you have a business account.  Have you checked to see if they will be allowed on your service?
0
 
LVL 2

Author Comment

by:Christopher Reed
ID: 39780997
I have, yes. As long as the traffic is minimum (which they monitor) then it is allowed. In addition, my wife is a cable company employee so it is a perk to get higher services at a discounted rate. ;-)

Putting internet provider aside, what do you think is the best way to approach this setup?
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 1000 total points
ID: 39782266
Move the server to the switch as well.  All hosts should hang off the switch and the router should go directly into the switch.  So as to not complicate the config, we won't try to do a separate VLAN for the server.  That can be another project after this is working, if you want that even.

This is all done via NAT.  It doesn't matter if you have a static IP or DHCP address on the outside interface of the router (it's best to put the modem in bridging mode if it's not already that way; we want the public IP to be on the outside interface of the router).

On the outside interface, you put "ip nat outside" and on the inside/LAN interface you put "ip nat inside".  This just tells the router, when NAT happens, how to treat incoming packets from each interface.

Then you need to take care of the clients.  This is done like the following:
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface fa0/0 overload

What this does is create an ACL to identify traffic.  In this case you want to create it to match your internal LAN subnet.  The next statement does the translation of your subnet hosts to whatever IP is assigned to the outside interface (change fa0/0 to whatever that is).  overload just says to do PAT instead of NAT (this just means that instead of translating only the IP, it translates the port as well, so you can get 65K+ connections from one public IP).

The next is to support your server:
ip nat inside source static tcp 192.168.0.5 80 1.2.3.4 80 extendable
You just change the first IP to your server's IP and the second one to the public IP that outside people will use to reach your server.  I thought there was a way to specify the interface but have to check into that further.  I'm not finding a way at the moment. I've normally done it on ASAs, where that is no problem.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 1000 total points
ID: 39782303
"Most cable ISPs will block those services unless you have a business account. "
Thankfully, here in Poland, we don't have such problems. At least not from the monopolists ;)

Anyway, back to the topic.
ISP Cable Modem-->Cisco 1760 Router-->DELL 2816 Switch-->Internal Clients
                                                      -->PE2950


Little guidelines:
- servers serving HTTP/FTP for external users are meant to be placed into DMZ. BECAUSE - once they're hacked they may become gateway to your LAN (and it's very common for these services/daemons to have security flaws);
- protect it with ACLs, limiting access only to necessary services;
- in this case router will have to serve as a DHCP, DNS (otherwise you'll have to get another server) and overall, as a gateway. Routers have ASICs that make the routing faster (i.e. lower latency) and allow for greater control (assuming the PE will be controlled by Windows) of the network traffic.
0
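The NAT steps from Cyclops3590's answer and the "protect it with ACLs" guideline above, consolidated into one IOS configuration. This is an added example, not part of the original posts: the interface names, the inside address 192.168.0.1, the outside mask and the ACL name OUTSIDE-IN are assumptions, and 1.2.3.4 is the placeholder public IP used in the thread.

```cisco
! Added example. Assumptions: FastEthernet0/0 = outside (to the bridged modem),
! Ethernet0/0 = inside (to the switch), LAN 192.168.0.0/24, server 192.168.0.5,
! 1.2.3.4 = placeholder public IP from the thread (the mask is constructed).
interface FastEthernet0/0
 description outside - cable modem
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Ethernet0/0
 description inside - PowerConnect 2816
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Clients: PAT the whole LAN behind the outside interface address
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Server: publish TCP/80 only; nothing else on 192.168.0.5 is reachable
ip nat inside source static tcp 192.168.0.5 80 1.2.3.4 80 extendable
!
! Inbound filter. On the outside interface it is evaluated before NAT,
! so it matches the public address, not 192.168.0.5.
ip access-list extended OUTSIDE-IN
 remark published service
 permit tcp any host 1.2.3.4 eq www
 remark replies to TCP connections opened by LAN clients (stateless flag match)
 permit tcp any any established
 remark DNS replies (source-port match only; a stateful firewall is stricter)
 permit udp any eq domain any
 remark ICMP replies and errors needed by ping, traceroute and path MTU discovery
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else is dropped and counted
 deny ip any any log
```

After loading it, `show ip nat translations` should list the static TCP/80 entry, and `show access-lists OUTSIDE-IN` shows per-line hit counts, including what the final deny is dropping.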
 
LVL 2

Author Closing Comment

by:Christopher Reed
ID: 39783262
Thank you experts for all your assistance.  This is more than enough to get me started on my Test Lab.  I appreciate the time and effort.
0
