Suggested Prerequisite Reading
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Traditional Approach

Currently you have a T1/E1 circuit providing Internet access for both LAN users and servers. Because of bandwidth consumption, you decide to dedicate the T1/E1 circuit to the servers only. For the LAN users' Internet access, you will bring in either DSL or Cable Internet. In addition, you would like incoming IPSec VPN traffic into the LAN to go over the DSL or Cable Internet and not the T1/E1 circuit.

Following is a list of possible network design scenarios.

1. Deploying one PIX 515 or ASA 5510 with DMZ

      T1/E1                         DSL/Cable Internet
        |                                   |
Existing T1/E1 router                       | Outside
        |                  DMZ              |
      Switch -------------------- PIX 515 or ASA 5510
        |                                   |
     Servers                                | Inside
                                            |
                                           LAN

2. Deploying two 1841 routers

      T1/E1                         DSL/Cable Internet
        |                                   |
Existing T1/E1 router                       |
        |                                   | Outside
  First 1841 router                         |
        |                  DMZ              |
      Switch ----------------- Second 1841 router
        |                                   |
     Servers                                | Inside
                                            |
                                           LAN

3. Deploying one 871 router, one ASA 5505, and one Catalyst 3560 Layer-3 switch

      T1/E1                         DSL/Cable Internet
        |                                   |
Existing T1/E1 router                       | Outside
        |                                   |
    871 router                          ASA 5505
        |                  DMZ              |
      Switch ----------- Catalyst 3560 Layer-3 switch
        |                                   |
     Servers                                | Inside
                                            |
                                           LAN

General Ideas and Considerations

For illustration's sake, let's consider the first scenario, which employs the ASA 5510 with the DMZ feature.

* The servers have their default gateway pointing to the T1/E1 router
* The T1/E1 router has its default gateway pointing to the T1/E1 ISP, just like the current setup
* There is a route at the T1/E1 router pointing to the ASA DMZ interface to reach the LAN
* The ASA default gateway points to the DSL/Cable Internet ISP
* There is a route at the ASA pointing to the T1/E1 router to reach the servers
* Incoming IPSec VPN traffic to the LAN goes through the DSL/Cable Internet and terminates at the ASA. In other words, the ASA acts as both Internet firewall and VPN Concentrator
* The servers' IP addresses can be either Public or Private IP addresses
* The LAN IP addresses are Private IP addresses
* No NAT is in place for communication between the servers and the LAN
* There may be NAT in place for communication between the servers and the Internet, depending on network requirements
* There is no NAT in place for communication between the LAN and the incoming VPN traffic
* There is NAT in place for communication between the LAN and the Internet

The general network design ideas of all three scenarios above are pretty much similar. The first scenario is considered the simplest solution. You just have to make sure whoever manages the existing T1/E1 router is able to make any adjustment required by the network design change (i.e. adding a route pointing to the ASA DMZ interface to reach the LAN). If for any reason the T1/E1 router management is unable or unwilling to make such adjustments, then either the second or the third scenario should be feasible as well.

Note that in the first scenario, the ASA 5510 acts as both Internet firewall and VPN Concentrator. In the second scenario, the second 1841 router acts as Internet firewall, Internet router, and VPN Concentrator. In the third scenario, the ASA 5505 acts as both Internet firewall and VPN Concentrator, while the 3560 Layer-3 switch handles routing between the LAN, the servers (DMZ), and the Internet.

Between Private and Public IP address Assignment for the servers

You have a choice of either assigning Public IP addresses directly to the servers, or assigning Private IP addresses to the servers. When the servers are assigned Private IP addresses, the T1/E1 router does NAT for the servers when they need to communicate with the Internet. When the servers are assigned Public IP addresses directly, no NAT should occur at the T1/E1 router for the servers when they communicate with the Internet.

There are times when assigning Public IP addresses directly to the servers is preferable. When there is a plan to have DNS A records for those servers, for example, you may want the servers to have Public IP addresses assigned to them directly. This way you don't have to create DNS entries for both the NAT-ed Public IP address and the Private IP address; you only need to create the entry for the Public IP address to serve both Internet users and LAN users. When there is no need for such DNS A records, assigning Private IP addresses to the servers might be acceptable.

For more info, you can check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Sample Configuration

The following sample configuration reflects the first network design scenario.

Assumptions
* The servers are assigned Public IP addresses from 1.1.1.0/29 directly.
* There are two servers in place: one is web (supporting both HTTP and HTTPS/SSL) and the other is mail
* The Web server IP address is 1.1.1.3 and the Mail server IP address is 1.1.1.4
* The default gateway of all servers is 1.1.1.1 (the T1/E1 router)
* No NAT is in place at the T1/E1 router for communication between the servers and the Internet
* The LAN (Inside) is still able to access the servers via the DMZ connection without problem
* Only the LAN can initiate connections to the servers or anything within 1.1.1.0/29
* The servers or anything within 1.1.1.0/29 cannot initiate connections to the LAN, due to security concerns
* In terms of LAN-DMZ communication, anything within 1.1.1.0/29 (including the servers) can only respond to communication initiated from the LAN
* In terms of DMZ-Internet communication, either the servers or the Internet can initiate communication to the other
* The existing T1/E1 router deploys CBAC as its Internet firewall. For more info, check out the following FAQs
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
* The ASA uses a Microsoft Active Directory Domain Controller to authenticate incoming VPN connections to LAN machines. For more info, check out the following FAQ
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Notes
* The above assumptions reflect typical network policy, practice, and deployment in a lot of organizations. You can always make adjustments to suit your specific requirements when needed.
* The router CBAC configuration can simply be replaced by the more advanced Zone-Based Firewall configuration. Check out the following FAQ for more info
»Cisco Forum FAQ »Zone-Based Firewall Sample Configuration

Scenario 1

Existing T1/E1 router (i.e. 1721, 2620, similar or higher)

ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
description DMZ
ip address 1.1.1.1 255.255.255.248
!
interface Serial0/0
description T1/E1 ISP
ip address 1.0.0.2 255.255.255.252
ip access-group 121 in
ip inspect OUTBOUND out
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1 name T1/E1_ISP_Default_Gateway
ip route 10.0.0.0 255.0.0.0 1.1.1.2 name LAN1
ip route 172.16.0.0 255.240.0.0 1.1.1.2 name LAN2
ip route 192.168.0.0 255.255.0.0 1.1.1.2 name VPN_Users
!
access-list 121 remark **** Permitted inbound packets ****
access-list 121 permit tcp any host 1.1.1.3 eq 80
access-list 121 permit tcp any host 1.1.1.3 eq 443
access-list 121 permit tcp any host 1.1.1.4 eq 25
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
!
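The inbound policy of the T1/E1 router above rests on two things: access-list 121 applied inbound on Serial0/0, and CBAC ("ip inspect OUTBOUND out") punching return holes for sessions the servers started. The following Python script is an added example, not part of the original FAQ: it parses the page's access-list 121 (copied into ACL_121), evaluates constructed test packets against it with IOS first-match and implicit-deny semantics, and models CBAC as a session table so you can see why a reply to a server-initiated SMTP session passes even though ACL 121 has no line for it. The address specs it understands (any, host, address plus wildcard) go slightly beyond what ACL 121 uses; the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of access-list 121 from the sample T1/E1 router configuration.
ACL_121 = """
access-list 121 remark **** Permitted inbound packets ****
access-list 121 permit tcp any host 1.1.1.3 eq 80
access-list 121 permit tcp any host 1.1.1.3 eq 443
access-list 121 permit tcp any host 1.1.1.4 eq 25
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
"""

# ICMP type numbers for the named types used in the ACL.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # TCP/UDP destination port from "eq"
    icmp_type: Optional[int]


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text, number):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = icmp_type = None
        if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            dport = int(rest[1])
        elif proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]]
        entries.append(Entry(action, proto, src, dst, dport, icmp_type))
    return entries


def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"


class CbacSessions:
    """Minimal model of 'ip inspect OUTBOUND out': an outbound session opens a
    return path for its reply packets that bypasses the inbound ACL."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, proto, src, sport, dst, dport):
        self.sessions.add((proto, dst, dport, src, sport))

    def allows_return(self, proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport) in self.sessions


def inbound_decision(acl, sessions, proto, src, dst, sport=None, dport=None,
                     icmp_type=None):
    """Decision for a packet arriving on Serial0/0 from the Internet."""
    if proto in ("tcp", "udp") and sessions.allows_return(proto, src, sport, dst, dport):
        return "permit", "CBAC return traffic"
    return evaluate(acl, proto, src, dst, dport, icmp_type), "access-list 121"


ACL = parse_acl(ACL_121, 121)

if __name__ == "__main__":
    sessions = CbacSessions()
    # Constructed: the mail server delivers outbound mail to a remote MTA.
    sessions.outbound("tcp", "1.1.1.4", 40000, "198.51.100.25", 25)
    for pkt in [("tcp", "203.0.113.9", "1.1.1.3", 5000, 80),
                ("tcp", "203.0.113.9", "1.1.1.4", 5000, 80),
                ("tcp", "198.51.100.25", "1.1.1.4", 25, 40000)]:
        print(pkt, inbound_decision(ACL, sessions, *pkt[:3], sport=pkt[3], dport=pkt[4]))
```

Running it shows port 80 permitted only to the web server, port 80 to the mail server denied by the implicit deny, and the MTA's reply permitted solely because CBAC recorded the outbound session; UDP, ICMP echo-request and any packet toward the LAN subnets fall through to deny, which is the behaviour the assumptions above ask for.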
 

ASA 5510

ASA Version 7.2(3) 
!
hostname asa
domain-name yournetwork.com
enable password ***** encrypted
names
dns-guard
!
interface FastEthernet0/0
 description Internet
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface FastEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 1.1.1.2 255.255.255.248
!
passwd ***** encrypted
ftp mode passive
object-group network DMZ
network-object 1.1.1.0 255.255.255.248
object-group network VPN-Admin  
network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales  
network-object 192.168.2.0 255.255.255.0
object-group network Sales-Network  
network-object 10.0.0.0 255.255.254.0  
access-list 10 remark Split Tunnel for VPN Admin  
access-list 10 permit ip any object-group VPN-Admin  
access-list 20 remark Split Tunnel for VPN Sales  
access-list 20 permit ip object-group Sales-Network object-group VPN-Sales
access-list nonat remark No NAT within VPN tunnel  
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
access-list nonat remark No NAT between DMZ and Inside
access-list nonat permit ip any object-group DMZ
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool admin 192.168.1.1-192.168.1.254
ip local pool sales 192.168.2.1-192.168.2.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1  
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 192.168.0.2
 nt-auth-domain-controller DomainController1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
service resetoutside
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Admin internal
group-policy Admin attributes
 dns-server value 192.168.0.2
 wins-server value 192.168.0.3
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10
 default-domain value yournetwork.com
group-policy Sales internal  
group-policy Sales attributes  
 dns-server value 192.168.0.2  
 wins-server value 192.168.0.3  
 vpn-idle-timeout 1440  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value 20
 default-domain value yournetwork.com  
username Admin1 password ***** encrypted privilege 15
username Admin1 attributes
 vpn-group-policy Admin
 group-lock value Admin
username Admin2 password ***** encrypted privilege 15
username Admin2 attributes
 vpn-group-policy Admin
 group-lock value Admin
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool admin
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
tunnel-group Sales type ipsec-ra
tunnel-group Sales general-attributes
 address-pool sales
 authentication-server-group NT_DOMAIN
 default-group-policy Sales
tunnel-group Sales ipsec-attributes
 pre-shared-key *
prompt hostname context 
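Two lines of the ASA configuration carry most of the LAN/DMZ policy stated in the assumptions: the security levels (inside 100, dmz 50, outside 0), which with no access-group applied mean only a higher-level interface can open connections toward a lower one, and "nat (inside) 0 access-list nonat", which keeps LAN traffic to the DMZ and to the VPN pools un-translated while everything else is PATed behind 2.2.2.3. The script below is an added example and not part of the original FAQ or of any Cisco tool: it parses a constructed excerpt of the configuration above, checks the security levels against the stated design intent, and evaluates sample flows against the nonat ACL. DESIGN_INTENT and the test addresses (10.0.0.5, 203.0.113.7) are my assumptions.

```python
import ipaddress

# Constructed excerpt of the ASA 5510 sample configuration above: only the
# interface, object-group, nonat access-list and nat lines that decide the policy.
ASA_CONFIG = """
interface FastEthernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface FastEthernet0/2
 nameif dmz
 security-level 50
 ip address 1.1.1.2 255.255.255.248
object-group network DMZ
 network-object 1.1.1.0 255.255.255.248
object-group network VPN-Admin
 network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales
 network-object 192.168.2.0 255.255.255.0
access-list nonat remark No NAT within VPN tunnel
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
access-list nonat remark No NAT between DMZ and Inside
access-list nonat permit ip any object-group DMZ
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Assumed encoding of what the design text promises about who may open
# connections to whom.
DESIGN_INTENT = {
    ("inside", "dmz"): True,      # LAN may initiate to the servers
    ("dmz", "inside"): False,     # servers may only answer the LAN
    ("outside", "inside"): False,
    ("outside", "dmz"): False,
}


def _addr_spec(tokens, groups):
    """Consume an ASA address spec: any | host A | object-group G | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}")]


def parse_asa(config):
    """Return (security levels by nameif, entries of the NAT-exemption ACL)."""
    levels, groups, acls = {}, {}, {}
    ifname = group = exempt_acl = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        key = tok[0]
        if key == "interface":
            ifname = None
        elif key == "nameif":
            ifname = tok[1]
        elif key == "security-level":
            levels[ifname] = int(tok[1])
        elif key == "object-group" and tok[1] == "network":
            group = tok[2]
            groups[group] = []
        elif key == "network-object":
            groups[group].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif key == "nat" and tok[2] == "0" and tok[3] == "access-list":
            exempt_acl = tok[4]          # nat (inside) 0 access-list <name>
        elif key == "access-list" and tok[2] == "permit":
            rest = tok[4:]               # skip the protocol keyword
            src, dst = _addr_spec(rest, groups), _addr_spec(rest, groups)
            acls.setdefault(tok[1], []).append((src, dst))
    return levels, acls.get(exempt_acl, [])


def can_initiate(levels, src_if, dst_if):
    """Default ASA rule when no access-group is applied to the interfaces:
    connections may only be initiated from a higher security level to a
    lower one; equal levels are denied unless same-security-traffic is set."""
    return levels[src_if] > levels[dst_if]


def policy_violations(levels):
    return [pair for pair, expected in DESIGN_INTENT.items()
            if can_initiate(levels, *pair) != expected]


def is_nat_exempt(exempt_acl, src_ip, dst_ip):
    """True if the flow matches the nat 0 ACL and so leaves the ASA un-translated."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in srcs) and any(d in n for n in dsts)
               for srcs, dsts in exempt_acl)


LEVELS, NONAT = parse_asa(ASA_CONFIG)

if __name__ == "__main__":
    print("design violations:", policy_violations(LEVELS))
    for dst in ("1.1.1.3", "192.168.1.10", "203.0.113.7"):
        print("10.0.0.5 ->", dst, "NAT exempt:", is_nat_exempt(NONAT, "10.0.0.5", dst))
```

The check models only the default security-level rule; an access-group applied to an interface would override it, and the sample applies none. Security levels also permit dmz to outside, which is harmless here because the servers' default gateway is the T1/E1 router, not the ASA. Raising the dmz level to 100 (try policy_violations({**LEVELS, "dmz": 100})) flags inside-to-dmz, since equal levels block each other by default.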
 

VRF-lite Approach

The situation is similar with this approach. There is still a T1/E1 circuit that you need to dedicate to public server access only, and there is a separate DSL/Cable/Wireless connection for the LAN. Following is the network design.

  T1/E1 circuit          DSL/Cable/Wireless
        |                        |
        |                        |
  Existing T1/E1 and DSL/Cable/Wireless
                  router
                    *
                    *  Trunk to Switch
                    *
                  Switch

General Ideas and Considerations

* The T1/E1 circuit and the DSL/Cable/Wireless connection each connect to a different network or even a different ISP
* There are two networks that the router manages: the Public server network and the LAN
* The Public server network only uses the T1/E1 circuit to connect to the Internet. The Public server network can never use the DSL/Cable/Wireless connection to access the Internet.
* The LAN only uses the DSL/Cable/Wireless connection to browse the Internet. The LAN can never use the T1/E1 circuit to access the Internet.
* The LAN users must go through the Internet to access the Public server network. There is no direct connection internally within the router between the LAN and the Public server network.
* Both the Public server network and the LAN use Private subnets internally
* The router acts as the NAT/PAT device for Private-to-Public IP subnet translation
* The router runs Zone-Based Firewall for security
* There are three publicly accessible servers within the Public server network: FTP, Mail, and Web
* Zone-Based Firewall inspects all outbound traffic (from the Public server network or from the LAN to the Internet) and its returning traffic
* Zone-Based Firewall also inspects all inbound traffic (from the Internet to the Public server network)

VRF-aware Zone-Based Firewall Sample Configuration

1. Router (i.e. 1841, 2621XM, etc.)

version 12.4
!
ip cef
!
ip vrf LAN
!
ip vrf pub
!
class-map type inspect match-any out-cmap
 match protocol http
 match protocol https
 match protocol ftp
 match protocol smtp
!
class-map type inspect match-all Internet-pub-cmap-ftp
 match access-group 121
 match protocol ftp
!
class-map type inspect match-all Internet-pub-cmap-http
 match access-group 123
 match protocol http
!
class-map type inspect match-all Internet-pub-cmap-smtp
 match access-group 122
 match protocol smtp
!
policy-map type inspect pub-Internet-pmap
 class type inspect out-cmap
  inspect
!
policy-map type inspect LAN-Internet-pmap
 class type inspect out-cmap
  inspect
!
policy-map type inspect Internet-pub-pmap
 class type inspect Internet-pub-cmap-ftp
  inspect
 class type inspect Internet-pub-cmap-http
  inspect
 class type inspect Internet-pub-cmap-smtp
  inspect
!
policy-map type inspect Internet-self-pmap
 class class-default
  drop log
!
zone security pub
zone security LAN
zone security Internet
zone-pair security pub-Internet source pub destination Internet
 service-policy type inspect pub-Internet-pmap
zone-pair security LAN-Internet source LAN destination Internet
 service-policy type inspect LAN-Internet-pmap
zone-pair security Internet-pub source Internet destination pub
 service-policy type inspect Internet-pub-pmap
zone-pair security Internet-self source Internet destination self
 service-policy type inspect Internet-self-pmap
!
!
interface FastEthernet0/0
 description ISP 1 - Only for LAN Network
 ip vrf forwarding LAN
 ip address 1.0.0.2 255.255.255.252
 ip nat outside
 zone-member security Internet
 ip virtual-reassembly
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Trunk to Switch
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.171
 description LAN
 encapsulation dot1Q 171
 ip vrf forwarding LAN
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security LAN
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.172
 description Public Server Network
 encapsulation dot1Q 172
 ip vrf forwarding pub
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security pub
 ip virtual-reassembly
 no cdp enable
!
interface Serial0/0
 description ISP 2 - Only for Public Server Network
 ip vrf forwarding pub
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 zone-member security Internet
 ip virtual-reassembly
 no cdp enable
!
ip route vrf LAN 0.0.0.0 0.0.0.0 1.0.0.1
ip route vrf pub 0.0.0.0 0.0.0.0 1.1.0.1
!
ip nat pool Global-LAN 1.0.1.1 1.0.1.1 netmask 255.255.255.0
ip nat pool Global-Public 1.1.1.1 1.1.1.1 netmask 255.255.255.0
ip nat inside source list 10 pool Global-LAN vrf LAN overload
ip nat inside source list 20 pool Global-Public vrf pub overload
!
! The following static NAT translations allow access from the Internet to
! servers in each VRF. Be sure the static translations correlate to "inspect"
! statements in the Zone-Based Firewall configuration (the Internet-facing list).
! Note that the ACLs used in the firewall correspond to the end-host address, not
! the NAT outside address.
!
ip nat inside source static tcp 10.1.2.2 21 1.1.2.2 21 vrf pub extendable
ip nat inside source static tcp 10.1.2.3 25 1.1.2.3 25 vrf pub extendable
ip nat inside source static tcp 10.1.2.4 80 1.1.2.4 80 vrf pub extendable
!
access-list 10 remark NAT for LAN
access-list 10 permit 10.1.2.0 0.0.0.255
access-list 20 remark NAT for Public Server network
access-list 20 permit 10.1.2.0 0.0.0.255
!
access-list 121 remark From Internet to Public FTP server
access-list 121 permit ip any host 10.1.2.2
access-list 122 remark From Internet to Public Mail server
access-list 122 permit ip any host 10.1.2.3
access-list 123 remark From Internet to Public Web server
access-list 123 permit ip any host 10.1.2.4
!
! Disable CDP
!
no cdp run
!
end
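The comment above the static NAT lines states the rule that is easiest to get wrong in this design: every "ip nat inside source static" entry needs an inspected class-map whose access-group names the inside host (not the NAT outside address) and whose "match protocol" corresponds to the translated port. The following Python script is an added example, not part of the original FAQ: it parses a constructed excerpt of the router configuration (with the web host's ACL 123 in the http class and the mail host's ACL 122 in the smtp class), then reports any static translation that has no matching inspected class. A second copy with the two access-groups swapped shows the kind of mismatch it catches. PORT_PROTO, the excerpt and SWAPPED_CONFIG are my constructions.

```python
# Assumed mapping from translated TCP port to the IOS inspect protocol name.
PORT_PROTO = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}

# Constructed excerpt of the VRF-aware Zone-Based Firewall sample above.
ROUTER_CONFIG = """
class-map type inspect match-all Internet-pub-cmap-ftp
 match access-group 121
 match protocol ftp
class-map type inspect match-all Internet-pub-cmap-http
 match access-group 123
 match protocol http
class-map type inspect match-all Internet-pub-cmap-smtp
 match access-group 122
 match protocol smtp
policy-map type inspect Internet-pub-pmap
 class type inspect Internet-pub-cmap-ftp
  inspect
 class type inspect Internet-pub-cmap-http
  inspect
 class type inspect Internet-pub-cmap-smtp
  inspect
ip nat inside source static tcp 10.1.2.2 21 1.1.2.2 21 vrf pub extendable
ip nat inside source static tcp 10.1.2.3 25 1.1.2.3 25 vrf pub extendable
ip nat inside source static tcp 10.1.2.4 80 1.1.2.4 80 vrf pub extendable
access-list 121 permit ip any host 10.1.2.2
access-list 122 permit ip any host 10.1.2.3
access-list 123 permit ip any host 10.1.2.4
"""

# Same excerpt with the http and smtp access-groups swapped (constructed fault).
SWAPPED_CONFIG = (ROUTER_CONFIG
                  .replace("match access-group 122", "match access-group TMP")
                  .replace("match access-group 123", "match access-group 122")
                  .replace("match access-group TMP", "match access-group 123"))


def parse_router(config):
    """Collect inspect class-maps, host ACLs, static NATs and inspected classes."""
    cmaps, acls, statics, inspected = {}, {}, [], set()
    ctx = (None, None)                       # ("cmap" | "pmap", name)
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["class-map", "type", "inspect"]:
            ctx = ("cmap", tok[4])
            cmaps[tok[4]] = {"acl": None, "protocols": set()}
        elif tok[:3] == ["policy-map", "type", "inspect"]:
            ctx = ("pmap", None)
        elif tok[:3] == ["class", "type", "inspect"] and ctx[0] == "pmap":
            ctx = ("pmap", tok[3])
        elif tok == ["inspect"] and ctx[0] == "pmap":
            inspected.add(ctx[1])
        elif tok[:2] == ["match", "access-group"] and ctx[0] == "cmap":
            cmaps[ctx[1]]["acl"] = tok[2]
        elif tok[:2] == ["match", "protocol"] and ctx[0] == "cmap":
            cmaps[ctx[1]]["protocols"].add(tok[2])
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            # ip nat inside source static tcp INSIDE IPORT OUTSIDE OPORT [vrf NAME] ...
            vrf = tok[tok.index("vrf") + 1] if "vrf" in tok else "global"
            statics.append((tok[6], int(tok[7]), tok[8], vrf))
        elif tok[:1] == ["access-list"] and tok[2:6] == ["permit", "ip", "any", "host"]:
            acls.setdefault(tok[1], set()).add(tok[6])
    return cmaps, acls, statics, inspected


def check_static_nat_inspection(cmaps, acls, statics, inspected):
    """For every static translation, require an inspected class-map whose ACL
    names the inside host and whose protocol matches the translated port."""
    problems = []
    for inside_ip, port, outside_ip, vrf in statics:
        proto = PORT_PROTO.get(port)
        matched = any(
            name in inspected
            and inside_ip in acls.get(cm["acl"], set())
            and proto in cm["protocols"]
            for name, cm in cmaps.items()
        )
        if not matched:
            problems.append(f"{outside_ip}:{port} -> {inside_ip} (vrf {vrf}): "
                            f"no inspected class matches host {inside_ip} "
                            f"with protocol {proto}")
    return problems


def audit(config):
    return check_static_nat_inspection(*parse_router(config))


if __name__ == "__main__":
    print("corrected config:", audit(ROUTER_CONFIG) or "ok")
    print("swapped config:")
    for problem in audit(SWAPPED_CONFIG):
        print("  ", problem)
```

Pointing an ACL at the NAT outside address instead of the inside host (for example "access-list 123 permit ip any host 1.1.2.4") is reported the same way, because the zone firewall sees the packet after the static translation has already rewritten the destination to 10.1.2.4.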
 

2. Switch (i.e. Catalyst 2950, 2960, etc.)

vlan 1
name VLAN_Database
vlan 171
name LAN
vlan 172
name pub
!
interface FastEthernet0/1
description Trunk to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
description LAN
switchport mode access
switchport access vlan 171
!
interface FastEthernet0/3
description LAN
switchport mode access
switchport access vlan 171
!
interface FastEthernet0/4
description LAN
switchport mode access
switchport access vlan 171
!
interface FastEthernet0/5
description LAN
switchport mode access
switchport access vlan 171
!
interface FastEthernet0/6
description LAN
switchport mode access
switchport access vlan 171
!
interface FastEthernet0/7
description Public server network
switchport mode access
switchport access vlan 172
!
interface FastEthernet0/8
description Public server network
switchport mode access
switchport access vlan 172
!
interface FastEthernet0/9
description Public server network
switchport mode access
switchport access vlan 172
!
interface FastEthernet0/10
description Public server network
switchport mode access
switchport access vlan 172
!
interface FastEthernet0/11
description Public server network
switchport mode access
switchport access vlan 172
!
interface FastEthernet0/12
description Public server network
switchport mode access
switchport access vlan 172
!
interface Vlan1
description VLAN Database
no ip address
shutdown
!
 


by aryoba See Profile
last modified: 2009-02-26 12:12:30


over 12.5 years online! © 1999-2012 dslreports.com.