  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 579

Home Test Lab: Question #529

I have searched EE for something close to what I am attempting to accomplish, but have not found any decent results matching my exact question.  I do apologize for duplicating this question AGAIN.

Current Hardware acquired (will get more if needed):
Dell PowerEdge 2950 Server, Cisco 1760 Router, Dell PowerConnect 2816 Switch, couple of 5-port desktop switches, Cisco Linksys E3000 Router

Obviously a hodge-podge of hardware.  Here is what I would like to accomplish...

Set up a HTTP/FTP/etc server to be accessed from external while providing internet access to internal clients utilizing DHCP to provide IP addresses.  My problem is that I don't know exactly how this should be set up.

My guess is that the Server should be the edge device?  Or the Cisco 1760 Router?  This is how it looks in my mind:

ISP Cable Modem-->Cisco 1760 Router-->PE2950-->Cisco 2816 Switch-->Internal Clients

I'm looking for a basic, but expandable setup.  Again, I can purchase additional hardware if required to accomplish my goal.  Thank you for your time in answering this and sorry if this is a duplicate question.
Christopher Reed
2 Solutions
Dave Baldwin (Fixer of Problems) commented:
Most cable ISPs will block those services unless you have a business account.  Have you checked to see if they will be allowed on your service?
Christopher Reed (Level 2 Software Support Engineer, Author) commented:
I have, yes. As long as the traffic is minimal (which they monitor), it is allowed. In addition, my wife is a cable company employee, so it is a perk to get higher services at a discounted rate. ;-)

Putting internet provider aside, what do you think is the best way to approach this setup?
Move the server to the switch as well.  All hosts should hang off the switch, and the router should go directly into the switch.  So as not to complicate the config, we won't try to do a separate VLAN for the server.  That can be another project after this is working, if you even want that.

This is all done via NAT.  It doesn't matter if you have a static IP or DHCP address on the outside interface of the router (it's best to put the modem in bridging mode if it's not already that way; we want the public IP to be on the outside interface of the router).

On the outside interface, you put "ip nat outside" and on the inside/LAN interface you put "ip nat inside".  This just tells the router how to treat incoming packets from each interface when NAT happens.

Then you need to take care of the clients.  This is done like the following:
access-list 1 permit <internal-subnet> <wildcard-mask>
ip nat inside source list 1 interface fa0/0 overload

What this does is create an ACL to identify traffic.  In this case you want to create it to match your internal LAN subnet.  The next statement translates your subnet's hosts to whatever IP is assigned to the outside interface (change fa0/0 to whatever that is).  "overload" just says to do PAT instead of NAT (instead of translating only the IP, it translates the port as well, so you can get 65K+ connections from one public IP).

The next is to support your server:
ip nat inside source static tcp <server-ip> 80 <public-ip> 80 extendable
You just change the first IP to your server's IP and the second one to the public IP that outside people will use to reach your server.  I thought there was a way to specify the interface but have to check into that further.  I'm not finding a way at the moment. I've normally done it on ASAs, where that is no problem.
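
The NAT setup described in the answer above, gathered into one configuration as an added example (not part of the original answer). The addresses, the inside interface name Ethernet0/0, the DHCP pool and the DNS address are constructed lab assumptions; the static entry uses the IOS `interface` form, which suits a DHCP-assigned outside address.

```cisco
! Constructed lab values (assumptions, not from the thread):
!   LAN 192.168.10.0/24, router 192.168.10.1, server 192.168.10.10
!   outside = FastEthernet0/0 (public IP via DHCP from the bridged modem)
!   inside  = Ethernet0/0 (assumed second Ethernet port, uplink to the switch)
!
interface FastEthernet0/0
 description OUTSIDE - to cable modem in bridge mode
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/0
 description INSIDE - to LAN switch
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
! DHCP for internal clients; low addresses reserved for router and servers
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 ! 203.0.113.53 is a documentation placeholder: use your ISP's resolver
 dns-server 203.0.113.53
!
! PAT (overload): ACL 1 selects the LAN, translated to the outside address
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static port forward: only tcp/80 on the outside address reaches the server
ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 80
!
! Verify from exec mode:
!   show ip nat translations
!   show ip nat statistics
```

After applying, `show ip nat translations` should list the static tcp/80 entry, with dynamic entries appearing once clients start browsing. Only the forwarded port is reachable from outside, but the server still shares the LAN with the clients in this layout.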
"Most cable ISPs will block those services unless you have a business account. "
Thankfully, here in Poland, we don't have such problems. At least not from the monopolists ;)

Anyway, back to the topic.
ISP Cable Modem-->Cisco 1760 Router-->DELL 2816 Switch-->Internal Clients

A few guidelines:
- Servers serving HTTP/FTP for external users are meant to be placed into a DMZ, because once they're hacked they may become a gateway to your LAN (and it's very common for these services/daemons to have security flaws);
- Protect it with ACLs, limiting access only to necessary services;
- In this case the router will have to serve as DHCP and DNS (otherwise you'll have to get another server) and, overall, as a gateway. Routers have ASICs that make the routing faster (i.e. lower latency) and allow for greater control (assuming the PE will be controlled by Windows) of the network traffic.
Christopher Reed (Level 2 Software Support Engineer, Author) commented:
Thank you experts for all your assistance.  This is more than enough to get me started on my Test Lab.  I appreciate the time and effort.
Question has a verified solution.
