AMtek asked:

Cisco Router DMZ and webserver

Hopefully this is an easy one.
Have a Cisco router with two ports (WAN and LAN).
Need to have a webserver in a DMZ allowing external traffic on port 443, and internal traffic (LAN) on a specific port range.

I have an external IP address available to dedicate to the webserver.
I've done one to one in the past to forward an external IP to an internal server on the same LAN network (same subnet).

Question is,
if the internal LAN has a subnet of 10.10.10.0/24,
I believe the webserver should be in a DMZ on a different subnet, for example 10.10.20.0/24.
Ports 18000-18500 should be open from the internal LAN to the DMZ webserver.

What is the best plan of attack, especially if there are only two ports available on the router (WAN and LAN)?

Thank you for your time.

Pete Long:

>>what is the best plan of attack? especially if there are only two ports available on the router (WAN and LAN)?

I would have a layer 3 switch behind the router, then you can trunk the link from the router to the switch as a /30 network, then have your LAN and DMZ on different VLANs on the switch. Create NAT overload on the router for the LAN range of IPs and a static NAT for the DMZ host(s), then restrict incoming traffic to the DMZ with an ACL.

Or simply deploy a firewall behind the router. I've got run-throughs on my website on how to set that up :)
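The router side of the plan Pete describes, written out as an added example (this is not Pete's configuration nor the accepted solution, which is members-only). Assumptions: fa0/0 is the WAN port and fa0/1 the port facing the switch (the thread only names fa0/1); the ISP provides 203.0.113.0/29 with 203.0.113.1 as gateway, and 203.0.113.3 stands in for the "1.1.1.1" placeholder the asker later uses for the web server's public address; the router-to-switch link is 192.168.255.0/30; the web server is 10.10.20.20. One point worth being precise about: the /30 link is a routed link, not an 802.1Q trunk, so the router only knows the LAN and DMZ subnets through static routes toward the switch.

```cisco
! Router side (added example; interface names and public addresses are assumptions)
! fa0/0 = WAN, fa0/1 = routed /30 link to the layer 3 switch
!
interface FastEthernet0/0
 description WAN - 203.0.113.0/29 from the ISP, gateway 203.0.113.1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
!
interface FastEthernet0/1
 description routed /30 to the L3 switch (not an 802.1Q trunk)
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! Default route to the ISP. The LAN and DMZ subnets live behind the switch,
! so both static routes point at the switch's end of the /30.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.10.10.0 255.255.255.0 192.168.255.2
ip route 10.10.20.0 255.255.255.0 192.168.255.2
!
! PAT (overload) for LAN and DMZ. The 'interface' named here must be the
! OUTSIDE interface: translations are sourced from the WAN address.
ip access-list standard NAT-INSIDE
 permit 10.10.10.0 0.0.0.255
 permit 10.10.20.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Static NAT for the DMZ web server, limited to TCP/443 on its dedicated public IP.
! A bare 'ip nat inside source static 10.10.20.20 203.0.113.3' would expose every port.
ip nat inside source static tcp 10.10.20.20 443 203.0.113.3 443 extendable
!
! Stateful inspection of outbound sessions so their replies are admitted through
! WAN-IN without a blanket 'established' rule. CBAC needs a security feature set;
! on newer images use the zone-based firewall instead.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Inbound ACL on the WAN. IOS evaluates it BEFORE outside-to-inside NAT,
! so it must match the public (global) address of the web server.
ip access-list extended WAN-IN
 remark HTTPS to the DMZ web server only
 permit tcp any host 203.0.113.3 eq 443
 remark everything else from the Internet is dropped; replies come in via ip inspect
 deny ip any any log
```

To check it: `show ip nat translations` should show the 10.10.20.20:443 to 203.0.113.3:443 static entry plus dynamic entries sourced from 203.0.113.2, `show ip inspect sessions` should list outbound sessions while they are open, and a port scan of 203.0.113.3 from outside should answer only on 443.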
AMtek (asker):

Apologies, it's been a while since I've set up Cisco routers/switches; a couple of years since I messed with layer 3.

I do have a layer 3 switch behind the router, a VLAN assigned to VoIP, and a VLAN for data.
No layer 3 routing, however, is set up on the switch currently.

A little fuzzy, but would this involve setting it up so the switch handles some of the routing?
Setting a port on the switch with an IP address in the DMZ subnet, etc.? Pretty fuzzy on this, but I have some notes I can hunt up.

Not sure how to set up the router or what commands to use...
Current config is pretty basic:
two physical ports, one is the internal LAN, the other is a static external WAN IP.

Any guidance or help is much appreciated, thanks.
SOLUTION
Pete Long:

This solution is only available to members of Experts Exchange.

AMtek (asker):

Thank you very much for the info!

I have multiple public IPs, several using one-to-one.
I have one dedicated for the webserver going online.
Example:
ip nat inside source static tcp 10.10.10.20 443 1.1.1.1 443 extendable

So far:
For the layer 3 switch, I've set up a VLAN and set an IP for the virtual interface (a different subnet than the LAN; in this example it would be 10.10.20.1/24, VLAN 20).

Overload is set for the internal LAN subnet (in this example 10.10.10.0/24) on the WAN interface.

Is the command 'ip routing' required for the L3 switch?
If I'm on the correct path, what I have left is:
Add switchports to VLAN 20 (in trunk mode?)
- Would this include allowing the LAN VLAN (let's say it's VLAN 10) with an ACL for specific ports between the LAN and DMZ subnets?
If so, how would it be applied, and where?

With NAT and overload for the DMZ subnet on the router, assuming fa0/1 is the internal/LAN interface on the router, would it be (in this example):
ip nat inside source list 100 interface fa0/1 overload
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
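The switch side of the asker's remaining questions, as an added example that is not the accepted solution (that is members-only): `ip routing` is required, otherwise the SVIs never forward between VLANs; the web server port is a plain access port in VLAN 20, and a trunk is only needed on a link that carries several VLANs to another switch; the LAN/DMZ port restriction is an extended ACL applied inbound on the SVIs. On the NAT question: `ip nat inside source list ... interface fa0/1 overload` would source translations from the inside interface's private address, so the interface named in the overload statement has to be the WAN interface, and the DMZ subnet can simply be added to the access list the existing LAN overload already uses. Assumptions: a Catalyst 3560-class switch, Gi0/1 as the routed uplink, Gi0/10 as the server port, router end of the /30 at 192.168.255.1, web server at 10.10.20.20; the VoIP VLAN is left as it is.

```cisco
! Layer 3 switch (added example; model, port names and addresses are assumptions)
!
ip routing                         ! without this the SVIs are management addresses only
!
vlan 10
 name DATA
vlan 20
 name DMZ
!
! Routed port toward the router: the /30 link. 'no switchport' turns the
! physical port into a layer 3 interface.
interface GigabitEthernet0/1
 description uplink to router fa0/1
 no switchport
 ip address 192.168.255.2 255.255.255.252
!
! Everything not local goes to the router
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
! The web server sits on an access port in VLAN 20. A trunk is only needed
! if VLAN 20 must also be carried to another switch.
interface GigabitEthernet0/10
 description DMZ web server 10.10.20.20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! LAN -> DMZ: only TCP 18000-18500 to the web server; anything else into the
! DMZ is dropped; Internet-bound LAN traffic is untouched.
ip access-list extended LAN-IN
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.20 range 18000 18500
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  any any
!
! DMZ -> LAN: the server may only answer on the 18000-18500 sessions (ACK/RST
! set); it may never open a connection toward the LAN. DMZ -> Internet is allowed
! so the router can PAT it.
ip access-list extended DMZ-IN
 permit tcp host 10.10.20.20 range 18000 18500 10.10.10.0 0.0.0.255 established
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip  10.10.20.0 0.0.0.255 any
!
interface Vlan10
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN-IN in
!
interface Vlan20
 description DMZ
 ip address 10.10.20.1 255.255.255.0
 ip access-group DMZ-IN in
```

The ACLs are applied "in" on each SVI because a router ACL on a switch filters packets as they arrive from hosts in that VLAN; `show ip access-lists` shows per-entry hit counts, which is the quickest way to confirm that a test connection from the LAN to 10.10.20.20:18000 hits the permit and one to 10.10.20.20:22 hits the deny. The `established` match is stateless (it only checks TCP flags), which is acceptable for a server the LAN initiates to; if the DMZ host is compromised, the explicit deny toward 10.10.10.0/24 is what stops it pivoting, so keep it ahead of the final permit.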
ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.