 
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  help with FW behind router
 Date:  Fri, 4 Mar 2005 14:20:21 -0500
I am still trying to work through this so if something doesn't make
sense, it's either because I'm not sure or I didn't do a good job of
explaining it.

SCENARIO:
I would like to introduce m0n0wall into our network as a second
layer of physical defense. We have a group of public servers, web and
email. We have a public subnet range of 14 usable IPs. We are not
using all of them currently.

Existing public access is gained by NATing public IPs to
non-routable private IPs for a given server and limiting the
protocol used for public access. Once I figure out some of the pieces
I need to forward inbound requests, I will probably re-work the
existing ACLs.

The Cisco Border Router is configured as such:

>>> EXISTING Config:

--Internet-----(s0.744)Router/FW(e0)-----LAN

s0.744
xx.43.154.230 / 255.255.255.252

e0
xx.43.155.33 / 255.255.255.240
192.168.222.1 / 255.255.255.0 secondary

ip nat inside source static 192.168.222.18 xx.43.155.45
ip nat inside source static 192.168.222.2  xx.43.155.43
ip nat inside source static 192.168.222.40 xx.43.155.41
ip nat inside source static 192.168.222.9  xx.43.155.39

-- REMARK Reflexive ACL applied to s0 interface
ip access-list extended InboundFilters
 permit tcp any host xx.43.155.45 eq smtp
 permit tcp any host xx.43.155.45 eq pop3
 permit tcp any host xx.43.155.45 eq 32000
 etc...

Where I'd like to go.
>>> NEW Config:
--Internet-----(s0.744)Router(e0)-----(e1)Firewall(e0)-----LAN

Router (s0.744) x.43.154.230
Router (e0) x.43.155.33

Firewall (e1) x.43.155.46 (???)
Firewall (e0) 192.168.222.1


GOALS:
- Need to route incoming requests to public servers behind firewall.
- NAT overload question: currently, the LAN uses a NAT overload
(sharing one public IP) for outbound traffic.
- Allow outbound only passive ftp from LAN hosts to remote FTP servers

QUESTIONS:
1. I am not sure how to route specific IPs to the LAN side of m0n0wall.
2. How would you configure the router to forward requests for hosts on
the subnet?
3. I am very confused by 1:1 vs NAT Server
4. I have tried to use the docs to help understand this but must be
having a brain-fart.

This is a real business project for me. I would be glad to help create
a real-world "HOW-TO" for the documentation project. My particular
topology I would assume is pretty common for small businesses.

Thanks
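The difference behind question 3 (1:1 NAT versus a "NAT server" / port-forward entry) is easiest to see on concrete packets. The model below is an added example written for this page, not code from the poster or from the m0n0wall project. It reproduces the shape of the existing Cisco design (whole-address static NAT on the router, with an inbound extended ACL deciding what is allowed) and contrasts it with per-port forwarding. Addresses are constructed: the page's 192.168.222.x hosts are kept, and 203.0.113.x (a documentation range) stands in for the masked "xx.43.155.x" block; the function and variable names are the example's own.

```python
"""Model of whole-address (1:1) NAT plus an inbound ACL, versus per-port
forwarding ("NAT server" style), on constructed packets.

Constructed example: 203.0.113.x stands in for the page's masked public
block, 192.168.222.x are the hosts named in the existing router config.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str     # public destination address as seen on the outside
    dst_port: int


# 'ip nat inside source static <private> <public>': every port of the
# public address maps to the same private host (1:1 mapping).
STATIC_NAT: Dict[str, str] = {
    "203.0.113.45": "192.168.222.18",
    "203.0.113.43": "192.168.222.2",
    "203.0.113.41": "192.168.222.40",
    "203.0.113.39": "192.168.222.9",
}

# 'permit tcp any host <public> eq <port>' entries of the inbound ACL;
# an IOS ACL ends with an implicit deny, modelled by acl_permits below.
INBOUND_ACL: List[Tuple[str, str, int]] = [
    ("tcp", "203.0.113.45", 25),      # smtp
    ("tcp", "203.0.113.45", 110),     # pop3
    ("tcp", "203.0.113.45", 32000),
]

# Port-forward style ("NAT server"): one (public ip, proto, port) tuple
# maps to one (private ip, port); nothing else is translated.
PORT_FORWARDS: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("203.0.113.45", "tcp", 25): ("192.168.222.18", 25),
    ("203.0.113.45", "tcp", 110): ("192.168.222.18", 110),
}


def acl_permits(pkt: Packet, acl: Iterable[Tuple[str, str, int]]) -> bool:
    """First-match evaluation of permit entries; no match means deny."""
    for proto, host, port in acl:
        if pkt.proto == proto and pkt.dst_ip == host and pkt.dst_port == port:
            return True
    return False


def route_one_to_one(pkt: Packet,
                     nat: Dict[str, str] = STATIC_NAT,
                     acl: Optional[Iterable[Tuple[str, str, int]]] = INBOUND_ACL
                     ) -> Optional[str]:
    """1:1 design: the ACL decides, then the whole address is rewritten.
    Returns the internal host the packet reaches, or None if dropped.
    acl=None models a 1:1 mapping with no inbound filter in front of it."""
    if acl is not None and not acl_permits(pkt, acl):
        return None
    return nat.get(pkt.dst_ip)


def route_port_forward(pkt: Packet,
                       forwards=PORT_FORWARDS) -> Optional[Tuple[str, int]]:
    """Port-forward design: only an exact (ip, proto, port) entry translates."""
    return forwards.get((pkt.dst_ip, pkt.proto, pkt.dst_port))


def reachable_ports(public_ip: str, candidates: Iterable[int],
                    acl: Optional[Iterable[Tuple[str, str, int]]] = INBOUND_ACL
                    ) -> Set[int]:
    """TCP ports on public_ip that reach an internal host under 1:1 NAT.
    Used to show how much the ACL, not the NAT entry, limits exposure."""
    return {p for p in candidates
            if route_one_to_one(Packet("tcp", public_ip, p), acl=acl) is not None}


if __name__ == "__main__":
    probe = [25, 80, 110, 443, 32000]
    print("1:1 + ACL  :", sorted(reachable_ports("203.0.113.45", probe)))
    print("1:1, no ACL:", sorted(reachable_ports("203.0.113.45", probe, acl=None)))
    print("port-fwd 80:", route_port_forward(Packet("tcp", "203.0.113.45", 80)))
```

The point the model makes: a 1:1 entry by itself maps every port of the public address onto the private host, so the ACL (or, on m0n0wall, the WAN firewall rules) is what keeps exposure down to the listed services, whereas a port-forward entry only ever translates the ports it names. Either way, the filtering rules on the outside interface should be reviewed for each public address that gets a mapping, not just for the one that is forwarded today.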