I have already setup a page in the wiki "FirewallBehindRouter". I plan
on showing sanitized Border Router config as well as m0n0wall.
As I get this worked out I will post my steps. For me, it will server
as self documentation as well as contributing to the project.
On Sat, 5 Mar 2005 00:23:24 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Fri, 4 Mar 2005 14:20:21 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > I am still trying to work through this so if something doesn't make
> > sense, it's either because I'm not sure or I didn't do a good job of
> > explaining it.
> > SCENARIO:
> > I would like to use introduce m0n0wall into our network as a second
> > layer of physical defense. We have a group of public servers, web and
> > email. We have a public subnet range of 14 useable IP's. We are not
> > using all of them currently.
> > Existing public access is gained by NAT'ing Public IP's to
> > non-routeable Private IP's for a given server and limiting the
> > Protocol used for public access. Once I figure out some of the pieces
> > I need to forward inbound requests, I will probably re-work the
> > existing ACL's.
> > The Cisco Border Router is configured as such:
> > >>> EXISTING Config:
> > --Internet-----(s0.744)Router/FW(e0)-----LAN
> > s0.744
> > xx.43.154.230 / 255.255.255.252
> > e0
> > xx.43.155.33 / 255.255.255.240
> > 192.168.222.1 / 255.255.255.0 secondary
> > ip nat inside source static 192.168.222.18 xx.43.155.45
> > ip nat inside source static 192.168.222.2 xx.43.155.43
> > ip nat inside source static 192.168.222.40 xx.43.155.41
> > ip nat inside source static 192.168.222.9 xx.43.155.39
> > -- REMARK Reflexive ACL applied to s0 interface
> > ip access-list extended InboundFilters
> > permit tcp any host xx.43.155.45 eq smtp
> > permit tcp any host xx.43.155.45 eq pop3
> > permit tcp any host xx.43.155.45 eq 32000
> > etc...
> > Where I'd like to go.
> > >>> NEW Config:
> > --Internet-----(s0.744)Router(e0)-----(e1)Firewall(e0)-----LAN
> > Router (s0.744) x.43.154.230
> > Router (e0) x.43.155.33
> > Firewall (e1) x.43.155.46 (???)
> > Firewall (e0) 192.168.222.1
> > GOALS:
> > - Need to route incoming requests to public servers behind firewall.
> > - NAT overload question. currently, the LAN uses a NAT overload
> > (sharing one Public IP) for outbound traffic.
> > - Allow outbound only passive ftp from LAN hosts to remote FTP servers
> > QUESTIONS:
> > 1. I am not sure how to route specific IPs to the LAN side of m0n0wall.
> > 2. How would you configure the router to forward requests for hosts on
> > the subnet.
> Take out the IP NAT statements. Take off the private IP on the
> router. You can take out the ACL or leave it, just make sure it
> matches up appropriately with firewall rules. For ease of
> troubleshooting (no questioning if it's the router or the firewall),
> at least during the setup, take it out. You can add it back later
> after things are working with the new setup as another line of defense
> if you want. It's not necessary though.
> > 3. I am very confused by 1:1 vs NAT Server
> 1:1 means translating one public IP to one private IP, on both inbound
> and outbound traffic. Server NAT differs in that it allows you to
> open multiple ports on one public IP to different LAN side hosts.
> Inbound NAT does the same thing, but uses the m0n0wall WAN IP. Server
> NAT lets you use public IP's other than the WAN, which is what your
> LAN hosts other than any with 1:1 setups will be NAT'ed to outgoing.
> Since you have 14 public IP's, I'd use 1:1 NAT because it's more
> flexible, and easier to understand IMO. It's easier to mentally
> picture IP x.x.x.3 goes to mail server, x.x.x.4 is web server, x.x.x.5
> is ..., etc. rather than what port goes where on a single IP (which is
> how you have it set up now)
> > This is a real business project for me. I would be glad to help create
> > a real-world "HOW-TO" for the documentation project. My particular
> > topology I would assume is pretty common for small businesses.
> This would be good for the example configurations chapter.
> If you write something up (the wiki would be a good place,
> http://wiki.m0n0.ch), I can add the network diagrams, screenshots, and
> format it in DocBook for the docs.