 
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] help with FW behind router
 Date:  Sat, 5 Mar 2005 09:35:31 -0500
Thanks...

I have already setup a page in the wiki "FirewallBehindRouter". I plan
on showing sanitized Border Router config as well as m0n0wall.

As I get this worked out I will post my steps. For me, it will serve
as self documentation as well as contributing to the project.



On Sat, 5 Mar 2005 00:23:24 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Fri, 4 Mar 2005 14:20:21 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > I am still trying to work through this so if something doesn't make
> > sense, it's either because I'm not sure or I didn't do a good job of
> > explaining it.
> >
> > SCENARIO:
> > I would like to introduce m0n0wall into our network as a second
> > layer of physical defense. We have a group of public servers, web and
> > email. We have a public subnet range of 14 usable IP's. We are not
> > using all of them currently.
> >
> > Existing public access is gained by NAT'ing Public IP's to
> > non-routeable Private IP's for a given server and limiting the
> > Protocol used for public access. Once I figure out some of the pieces
> > I need to forward inbound requests, I will probably re-work the
> > existing ACL's.
> >
> > The Cisco Border Router is configured as such:
> >
> > >>> EXISTING Config:
> >
> > --Internet-----(s0.744)Router/FW(e0)-----LAN
> >
> > s0.744
> > xx.43.154.230 / 255.255.255.252
> >
> > e0
> > xx.43.155.33 / 255.255.255.240
> > 192.168.222.1 / 255.255.255.0 secondary
> >
> > ip nat inside source static 192.168.222.18 xx.43.155.45
> > ip nat inside source static 192.168.222.2  xx.43.155.43
> > ip nat inside source static 192.168.222.40 xx.43.155.41
> > ip nat inside source static 192.168.222.9  xx.43.155.39
> >
> > -- REMARK Reflexive ACL applied to s0 interface
> > ip access-list extended InboundFilters
> >  permit tcp any host xx.43.155.45 eq smtp
> >  permit tcp any host xx.43.155.45 eq pop3
> >  permit tcp any host xx.43.155.45 eq 32000
> >  etc...
> >
> > Where I'd like to go.
> > >>> NEW Config:
> > --Internet-----(s0.744)Router(e0)-----(e1)Firewall(e0)-----LAN
> >
> > Router (s0.744) x.43.154.230
> > Router (e0) x.43.155.33
> >
> > Firewall (e1) x.43.155.46 (???)
> > Firewall (e0) 192.168.222.1
> >
> > GOALS:
> > - Need to route incoming requests to public servers behind firewall.
> > - NAT overload question. currently, the LAN uses a NAT overload
> > (sharing one Public IP) for outbound traffic.
> > - Allow outbound only passive ftp from LAN hosts to remote FTP servers
> >
> > QUESTIONS:
> > 1. I am not sure how to route specific IPs to the LAN side of m0n0wall.
> > 2. How would you configure the router to forward requests for hosts on
> > the subnet.
> 
> Take out the IP NAT statements.  Take off the private IP on the
> router.  You can take out the ACL or leave it, just make sure it
> matches up appropriately with firewall rules.  For ease of
> troubleshooting (no questioning if it's the router or the firewall),
> at least during the setup, take it out.  You can add it back later
> after things are working with the new setup as another line of defense
> if you want.  It's not necessary though.
> 
> 
> > 3. I am very confused by 1:1 vs NAT Server
> 
> 1:1 means translating one public IP to one private IP, on both inbound
> and outbound traffic.      Server NAT differs in that it allows you to
> open multiple ports on one public IP to different LAN side hosts.
> Inbound NAT does the same thing, but uses the m0n0wall WAN IP.  Server
> NAT lets you use public IP's other than the WAN, which is what your
> LAN hosts other than any with 1:1 setups will be NAT'ed to outgoing.
> 
> Since you have 14 public IP's, I'd use 1:1 NAT because it's more
> flexible, and easier to understand IMO.   It's easier to mentally
> picture IP x.x.x.3 goes to mail server, x.x.x.4 is web server, x.x.x.5
> is ..., etc. rather than what port goes where on a single IP (which is
> how you have it set up now)
> 
> 
> > This is a real business project for me. I would be glad to help create
> > a real-world "HOW-TO" for the documentation project. My particular
> > topology I would assume is pretty common for small businesses.
> >
> 
> This would be good for the example configurations chapter.
> http://m0n0.ch/wall/docbook/examples.html
> 
> If you write something up (the wiki would be a good place,
> http://wiki.m0n0.ch), I can add the network diagrams, screenshots, and
> format it in DocBook for the docs.
> 
> -Chris
>
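As an added example for this thread (not code from the list or from m0n0wall itself): a small Python script that takes the kind of IOS border-router config shown above (static NAT statements plus an extended ACL), works out what moves to m0n0wall when the router stops translating (the 1:1 mappings for Firewall: NAT: 1:1 and the per-host WAN pass rules), flags ACL entries that open a public address nothing translates, and emits the router config with the NAT statements and the secondary private address removed. The addresses are constructed: 203.0.113.32/28 (a documentation range with 14 usable hosts, like the thread's) stands in for the masked public subnet, .33 is the router's Ethernet0 and .46 the assumed m0n0wall WAN address; 192.168.222.0/24 is the private range from the thread.

```python
"""Derive m0n0wall-side settings from a Cisco IOS border-router config.

Added example for the thread above; not the list's or m0n0wall's code.
Constructed addresses: 203.0.113.32/28 stands in for the masked public
/28, .33 is the router Ethernet0, .46 the assumed m0n0wall WAN address.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Subset of IOS port keywords; numeric ports pass through unchanged.
IOS_PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}

WAN_NET = IPv4Network("203.0.113.32/28")
RESERVED = {IPv4Address("203.0.113.33"),   # router Ethernet0
            IPv4Address("203.0.113.46")}   # m0n0wall WAN (assumed)

# Constructed sample in the shape of the config quoted in the thread.
SAMPLE_IOS_CONFIG = """\
interface Ethernet0
 ip address 203.0.113.33 255.255.255.240
 ip address 192.168.222.1 255.255.255.0 secondary
 ip nat inside
!
ip nat inside source static 192.168.222.18 203.0.113.45
ip nat inside source static 192.168.222.2  203.0.113.43
ip nat inside source static 192.168.222.40 203.0.113.41
ip nat inside source static 192.168.222.9  203.0.113.39
!
ip access-list extended InboundFilters
 permit tcp any host 203.0.113.45 eq smtp
 permit tcp any host 203.0.113.45 eq pop3
 permit tcp any host 203.0.113.45 eq 32000
 permit tcp any host 203.0.113.43 eq www
 permit tcp any host 203.0.113.43 eq https
 permit tcp any host 203.0.113.44 eq www
!
"""

_NAT_RE = re.compile(r"^ip nat inside source static (\S+)\s+(\S+)\s*$", re.M)
_ACL_HDR_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
_ACE_RE = re.compile(r"^\s+permit (tcp|udp) any host (\S+) eq (\S+)\s*$")


def parse_static_nat(config):
    """Return {public IP: inside host} for every static NAT statement."""
    return {IPv4Address(pub): IPv4Address(priv)
            for priv, pub in _NAT_RE.findall(config)}


def parse_acl(config, name):
    """Return (proto, public IP, port) for each simple 'permit ... any host
    X eq P' entry of the named ACL; the body ends at the next unindented line."""
    entries, in_acl = [], False
    for line in config.splitlines():
        hdr = _ACL_HDR_RE.match(line)
        if hdr:
            in_acl = hdr.group(1) == name
            continue
        if not line.startswith(" "):
            in_acl = False
        ace = _ACE_RE.match(line) if in_acl else None
        if ace:
            proto, host, port = ace.groups()
            entries.append((proto, IPv4Address(host),
                            IOS_PORT_NAMES.get(port) or int(port)))
    return entries


def derive_m0n0wall(config, acl_name, wan_net=WAN_NET, reserved=RESERVED):
    """Return (one_to_one, pass_rules, orphans) as plain strings/ints.
    one_to_one: (external, internal) pairs for Firewall: NAT: 1:1.
    pass_rules: (proto, internal host, port) for the WAN rules; the
                destination is the LAN host because m0n0wall translates
                before it filters.
    orphans:    ACL entries whose public IP has no static mapping."""
    nat = parse_static_nat(config)
    for pub in nat:
        if pub not in wan_net or pub in reserved:
            raise ValueError(f"{pub} is not a usable 1:1 address on {wan_net}")
    one_to_one = [(str(pub), str(priv)) for pub, priv in nat.items()]
    pass_rules, orphans = [], []
    for proto, pub, port in parse_acl(config, acl_name):
        if pub in nat:
            pass_rules.append((proto, str(nat[pub]), port))
        else:  # dead ACL line, or a host still missing its 1:1 mapping
            orphans.append((proto, str(pub), port))
    return one_to_one, pass_rules, orphans


def strip_router_nat(config):
    """Router config with every 'ip nat ...' line and the secondary private
    address removed, so the router is a plain routed hop (assumes nothing
    else on the router depends on those lines)."""
    kept = [ln for ln in config.splitlines()
            if not (ln.strip().startswith("ip nat ")
                    or (ln.strip().startswith("ip address ")
                        and ln.strip().endswith(" secondary")))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    o2o, rules, orphans = derive_m0n0wall(SAMPLE_IOS_CONFIG, "InboundFilters")
    print("Firewall: NAT: 1:1 (external -> internal):", o2o)
    print("Firewall: Rules, WAN (proto, LAN host, port):", rules)
    print("ACL entries with no static mapping (fix or drop):", orphans)
    print("Trimmed router config:\n" + strip_router_nat(SAMPLE_IOS_CONFIG))
```

The orphan list is the check Chris's reply asks for: if the router ACL is kept as a second line of defence, every address it opens must correspond to a 1:1 mapping and a matching WAN rule on m0n0wall, otherwise one of the two layers is filtering something the other never sees. Run with a real config by reading the file into `derive_m0n0wall` and adjusting `WAN_NET` and `RESERVED`.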