[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] help with FW behind router
 Date:  Sat, 5 Mar 2005 00:23:24 -0500
On Fri, 4 Mar 2005 14:20:21 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> I am still trying to work through this so if something doesn't make
> sense, it's either because I'm not sure or I didn't do a good job of
> explaining it.
> 
> SCENARIO:
> I would like to use introduce m0n0wall into our network as a second
> layer of physical defense. We have a group of public servers, web and
> email. We have a public subnet range of 14 useable IP's. We are not
> using all of them currently.
> 
> Existing public access is gained by NAT'ing Public IP's to
> non-routeable Private IP's for a given server and limiting the
> Protocol used for public access. Once I figure out some of the pieces
> I need to forward inbound requests, I will probably re-work the
> existing ACL's.
> 
> The Cisco Border Router is configured as such:
> 
> >>> EXISTING Config:
> 
> --Internet-----(s0.744)Router/FW(e0)-----LAN
> 
> s0.744
> xx.43.154.230 / 255.255.255.252
> 
> e0
> xx.43.155.33 / 255.255.255.240
> 192.168.222.1 / 255.255.255.0 secondary
> 
> ip nat inside source static 192.168.222.18 xx.43.155.45
> ip nat inside source static 192.168.222.2  xx.43.155.43
> ip nat inside source static 192.168.222.40 xx.43.155.41
> ip nat inside source static 192.168.222.9  xx.43.155.39
> 
> -- REMARK Reflexive ACL applied to s0 interface
> ip access-list extended InboundFilters
>  permit tcp any host xx.43.155.45 eq smtp
>  permit tcp any host xx.43.155.45 eq pop3
>  permit tcp any host xx.43.155.45 eq 32000
>  etc...
> 
> Where I'd like to go.
> >>> NEW Config:
> --Internet-----(s0.744)Router(e0)-----(e1)Firewall(e0)-----LAN
> 
> Router (s0.744) x.43.154.230
> Router (e0) x.43.155.33
> 
> Firewall (e1) x.43.155.46 (???)
> Firewall (e0) 192.168.222.1
> 
> GOALS:
> - Need to route incoming requests to public servers behind firewall.
> - NAT overload question. currently, the LAN uses a NAT overload
> (sharing one Public IP) for outbound traffic.
> - Allow outbound only passive ftp from LAN hosts to remote FTP servers
> 
> QUESTIONS:
> 1. I am not sure how to route specific IPs to the LAN side of m0n0wall.
> 2. How would you configure the router to forward requests for hosts on
> the subnet.

Take out the IP NAT statements.  Take off the private IP on the
router.  You can take out the ACL or leave it, just make sure it
matches up appropriately with firewall rules.  For ease of
troubleshooting (no questioning if it's the router or the firewall),
at least during the setup, take it out.  You can add it back later
after things are working with the new setup as another line of defense
if you want.  It's not necessary though.


> 3. I am very confused by 1:1 vs NAT Server

1:1 means translating one public IP to one private IP, on both inbound
and outbound traffic.      Server NAT differs in that it allows you to
open multiple ports on one public IP to different LAN side hosts. 
Inbound NAT does the same thing, but uses the m0n0wall WAN IP.  Server
NAT lets you use public IP's other than the WAN, which is what your
LAN hosts other than any with 1:1 setups will be NAT'ed to outgoing.

Since you have 14 public IP's, I'd use 1:1 NAT because it's more
flexible, and easier to understand IMO.   It's easier to mentally
picture IP x.x.x.3 goes to mail server, x.x.x.4 is web server, x.x.x.5
is ..., etc. rather than what port goes where on a single IP (which is
how you have it set up now)


> This is a real business project for me. I would be glad to help create
> a real-world "HOW-TO" for the documentation project. My particular
> topology I would assume is pretty common for small businesses.
> 

This would be good for the example configurations chapter. 
http://m0n0.ch/wall/docbook/examples.html

If you write something up (the wiki would be a good place,
http://wiki.m0n0.ch), I can add the network diagrams, screenshots, and
format it in DocBook for the docs.

-Chris