Solved

Home Test Lab: Question #529

Posted on 2014-01-14
Last Modified: 2016-11-23
I have searched EE for something close to what I am attempting to accomplish, but have not found any decent results matching my exact question.  I do apologize for duplicating this question AGAIN.

Current Hardware acquired (will get more if needed):
Dell PowerEdge 2950 Server, Cisco 1760 Router, Dell PowerConnect 2816 Switch, couple of 5-port desktop switches, Cisco Linksys E3000 Router

Obviously a hodge-podge of hardware.  Here is what I would like to accomplish...

Set up an HTTP/FTP/etc. server to be accessed from external while providing internet access to internal clients utilizing DHCP to provide IP addresses.  My problem is that I don't know exactly how this should be set up.

My guess is that the Server should be the edge device?  Or the Cisco 1760 Router?  This is how it looks in my mind:

ISP Cable Modem-->Cisco 1760 Router-->PE2950-->Cisco 2816 Switch-->Internal Clients

I'm looking for a basic, but expandable setup.  Again, I can purchase additional hardware if required to accomplish my goal.  Thank you for your time in answering this and sorry if this is a duplicate question.
Question by:Christopher Reed
5 Comments
 

Expert Comment

by:Dave Baldwin
ID: 39780876
Most cable ISPs will block those services unless you have a business account.  Have you checked to see if they will be allowed on your service?

Author Comment

by:Christopher Reed
ID: 39780997
I have, yes. As long as the traffic is minimum (which they monitor) then it is allowed. In addition, my wife is a cable company employee so it is a perk to get higher services at a discounted rate. ;-)

Putting internet provider aside, what do you think is the best way to approach this setup?

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 250 total points
ID: 39782266
Move the server to the switch as well.  All hosts should hang off the switch and the router should go directly into the switch.  So as not to complicate the config, we won't try to do a separate VLAN for the server.  That can be another project after this is working, if you even want that.

This is all done via NAT.  It doesn't matter if you have a static IP or DHCP address on the outside interface of the router (it's best to put the modem in bridging mode if it's not already that way; we want the public IP to be on the outside interface of the router).

On the outside interface, you put "ip nat outside" and on the inside/LAN interface you put "ip nat inside".  This just tells the router, when NAT happens, how to treat incoming packets from each interface.

Then you need to take care of the clients.  This is done like the following:
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface fa0/0 overload

What this does is create an ACL to identify traffic.  In this case you want to create it to match your internal LAN subnet.  The next statement does the translation of your subnet hosts to whatever IP is assigned to the outside interface (change fa0/0 to whatever that is).  "overload" just says to do PAT instead of NAT (which just means that instead of translating only the IP, it translates the port as well, so you can get 65K+ connections from one public IP).

The next is to support your server:
ip nat inside source static tcp 192.168.0.5 80 1.2.3.4 80 extendable
You just change the first IP to your server's IP and the second one to the public IP that outside people will use to reach your server.  I thought there was a way to specify the interface but I have to check into that further.  I'm not finding a way at the moment.  I've normally done it on ASAs, where that is no problem.

Accepted Solution

by: marek1712
marek1712 earned 250 total points
ID: 39782303
"Most cable ISPs will block those services unless you have a business account. "
Thankfully, here in Poland, we don't have such problems. At least not from the monopolists ;)

Anyway, back to the topic.
ISP Cable Modem-->Cisco 1760 Router-->DELL 2816 Switch-->Internal Clients
                                                      -->PE2950


A few guidelines:
- servers serving HTTP/FTP for external users are meant to be placed into a DMZ, because once they're hacked they may become a gateway to your LAN (and it's very common for these services/daemons to have security flaws);
- protect it with ACLs, limiting access only to necessary services;
- in this case the router will have to serve as a DHCP and DNS server (otherwise you'll have to get another server) and, overall, as a gateway. Routers have ASICs that make the routing faster (i.e. lower latency) and allow for greater control (assuming the PE will be controlled by Windows) of the network traffic.
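An added example, not part of either answer above: a small Python audit that reads the NAT commands from the first answer and checks each static port forward against the two guidelines from the second (expose only necessary services, keep exposed servers off the client LAN). The sample configuration is constructed, and the port 21 and 3389 forwards and the `allowed_ports` parameter are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the first three lines are the commands quoted in the
# thread; the port 21 and 3389 forwards are added here for the audit to check.
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 192.168.0.5 80 1.2.3.4 80 extendable
ip nat inside source static tcp 192.168.0.5 21 1.2.3.4 21 extendable
ip nat inside source static tcp 192.168.0.20 3389 1.2.3.4 3389 extendable
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)", re.M)
PAT_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload", re.M)
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) \S+ (\d+)", re.M)


def pat_networks(config):
    """Client subnets: standard ACLs referenced by a PAT (overload) rule."""
    pat_acls = set(PAT_RE.findall(config))
    # ip_network() accepts a Cisco wildcard mask: 0.0.0.255 becomes /24.
    return [ipaddress.ip_network(f"{addr}/{wild}")
            for num, addr, wild in ACL_RE.findall(config) if num in pat_acls]


def audit(config, allowed_ports):
    """List static port forwards that break the two guidelines."""
    lan = pat_networks(config)
    findings = []
    for proto, local, lport, gport in STATIC_RE.findall(config):
        notes = []
        if int(gport) not in allowed_ports:
            notes.append(f"{proto}/{gport} -> {local}:{lport}: not an intended service")
        if any(ipaddress.ip_address(local) in net for net in lan):
            notes.append(f"{local}: exposed host sits on the client LAN, not in a DMZ")
        findings += [n for n in notes if n not in findings]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, allowed_ports={80, 21}):
        print(line)
```

Running it against a saved copy of the router's configuration before opening ports shows which forwards go beyond the services you meant to publish and which published hosts still share a subnet with internal clients.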

Author Closing Comment

by:Christopher Reed
ID: 39783262
Thank you experts for all your assistance.  This is more than enough to get me started on my Test Lab.  I appreciate the time and effort.