
eddysamson

join:2012-01-26
Burlington, VT

[HELP] Question about Cisco DMZ setup

My boss has given me the task of researching how to set up a DMZ to put our Exchange and Lync edge servers on. I am relatively new to Cisco IOS so I am unsure of how this will all work, but we just came up with an idea to make this easier on us all. Currently we have a Cisco 1921 as our router. We are looking to add in an 891 as our DMZ router.

Our idea is to have one cable going from our cable modem to our 1921 like it is now. This will be for basic internet traffic and for easy VPN access for our remote users. We will have a second cable going from the modem to our 891 and have the 891 set up to use a different public IP from the 1921. We will then have the edge servers off the 891's switch interface and the fastethernet interface on the 891 will have a cable connecting it to the 1921.

I am wondering if this is a legit setup for a DMZ? It seems a little funky to me since there are the 2 separate internet connections with 2 different public IPs coming in. I am also wondering how we will go about routing SMTP and Lync traffic from the DMZ to the inside. I have a good understanding of how to do these things with one router and no DMZ, but this setup is throwing me off.

Let's use SMTP as an example. Will something like this work?

DMZ 891 Router-

interface fastethernet0
 ! /24 mask assumed; IOS rejects "ip address" without a mask
 ip address 10.10.10.2 255.255.255.0
 ip nat inside

ip nat inside source static tcp 10.10.10.3 25 interface gigabitethernet0 25

Inside 1921 Router-

ip nat inside source static tcp 192.168.1.186 25 interface gigabitethernet0/0 25

ip access-list extended gigabitethernet0/0_in
 permit tcp any host 10.10.10.2 eq smtp

where 10.10.10.3 is the exchange edge and 192.168.1.186 is the exchange server and gigabitethernet0/0 is the interface on the 1921 that the 891 connects to.

Our original plan for the topology was to have a single internet connection coming in and going to the 891 then on to the 1921. This seems to me like it will complicate things like our OWA or our VPN. I am interested to know if this 2 internet connection setup is stupid and if I have the right idea for how to actually route this traffic.


Da Geek Kid

join:2003-10-11
NexusOne
kudos:1

You should build another server, MS TMG, and use that for your DMZ server to provide your email/OWA/Lync on the edge...


eddysamson

join:2012-01-26
Burlington, VT

What are the advantages to adding TMG?



Da Geek Kid

join:2003-10-11
NexusOne
kudos:1

You do not get your xchg hacked directly... TMG acts as a reverse proxy/gateway.


HELLFIRE

join:2009-11-25
kudos:4

reply to eddysamson

Easiest layout for a 3-legged setup with an ISR I can think of is if the ISR has 2 routed interfaces, then use either the inbuilt switch or an xWIC switch module for the trusted LAN.

My personal opinion is having two routers complicates things, but it really comes down to YOUR needs and requirements. There's also this FAQ item to help you config-wise.

My 00000010bits

Regards


eddysamson

join:2012-01-26
Burlington, VT

reply to Da Geek Kid

said by Da Geek Kid:

You do not get your xchg hacked directly... TMG acts as a reverse proxy/gateway.

Isn't that what the router's ACLs are for, though?

eddysamson

join:2012-01-26
Burlington, VT

reply to HELLFIRE

said by HELLFIRE:

Easiest layout for a 3-legged setup with an ISR I can think of is if the ISR has 2 routed interfaces, then use either the inbuilt switch or an xWIC switch module for the trusted LAN.

My personal opinion is having two routers complicates things, but it really comes down to YOUR needs and requirements. There's also this FAQ item to help you config-wise.

My 00000010bits

Regards

We already bought the 891 for a 2 router DMZ layout. I realize it does complicate things but it seems like it makes more sense to separate the DMZ so the internet facing device traffic is on a separate device entirely from the internal network.

To try to help simplify things like our VPN and OWA accessibility, we are thinking about trying the layout I was talking about before, with 2 separate internet connections coming in off our modem with 2 different public IPs. One to the 1921 for basic internet needs for our users and remote access for our remote users, and one to the 891 for our internet-facing traffic (Lync edge, Exchange edge). From there the 891's fastethernet8 port would connect to the 1921's gigabitethernet0/0 port (we have an HWIC for a fiber LAN) so the Lync/Exchange traffic can be routed to the appropriate internal servers.

This is instead of the two router topology suggested in the link you provided me.

I am just wondering if something like this works, because it is a bit strange, but it should make the config a bit easier for me (a Cisco newb) since I mainly have to worry about the 891->1921 connection and how the two routers handle the SMTP and Lync traffic.


Da Geek Kid

join:2003-10-11
NexusOne
kudos:1

reply to eddysamson

said by eddysamson:

said by Da Geek Kid:

You do not get your xchg hacked directly... TMG acts as a reverse proxy/gateway.

Isn't that what the router's ACLs are for, though?

If I have the badge you use to get into the building, how is that access badge supposed to protect the building...

The reverse proxy and TMG act as a man in the middle to make sure that if the server is compromised you are not giving them access to your directory and mail folders...

aryoba
Premium,MVM
join:2002-08-22
kudos:1

reply to eddysamson

said by eddysamson:

To try to help simplify things like our VPN and OWA accessibility, we are thinking about trying the layout I was talking about before, with 2 separate internet connections coming in off our modem with 2 different public IPs. One to the 1921 for basic internet needs for our users and remote access for our remote users, and one to the 891 for our internet-facing traffic (Lync edge, Exchange edge). From there the 891's fastethernet8 port would connect to the 1921's gigabitethernet0/0 port (we have an HWIC for a fiber LAN) so the Lync/Exchange traffic can be routed to the appropriate internal servers.

This is instead of the two router topology suggested in the link you provided me.

I am just wondering if something like this works, because it is a bit strange, but it should make the config a bit easier for me (a Cisco newb) since I mainly have to worry about the 891->1921 connection and how the two routers handle the SMTP and Lync traffic.

Your suggested setup is basically considered a standard practice in lots of places, although some people decide to use different CSU/DSUs (i.e. two different modems or two different ISPs) for redundancy.

The next step is to assign zones with different IP subnets. From your description, it looks like there are at least four different zones in place: Internet (untrust), internal (trust), DMZ (dmz 1), and remote users (dmz 2), where each zone should have a different IP subnet to avoid confusion.

Once you have zones and IP subnet assignment figured out, routing, NAT, and firewall setup is the next step. In your case, static routes should be sufficient with the following implementation.

891 router

* Traffic to internal network should point to the 1921 router.
* Default gateway of all DMZ machines (Lync edge, exchange edge) points to the ISP default gateway
* No NAT between DMZ and internal network
* There is NAT between DMZ and the Internet
* Set up ACLs and a Zone-Based Firewall to restrict traffic between zones

1921 router

* Traffic to DMZ points to the 891 router
* Traffic to remote users points to ISP gateway
* No NAT between DMZ and internal network
* No NAT between remote users and internal network
* There is NAT between internal network and the Internet
* Set up ACLs and a Zone-Based Firewall to restrict traffic between zones
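Following aryoba's list (internal network reached via the 1921, no NAT on the transit link, NAT only toward the Internet, a zone-based firewall between zones), here is an 891 configuration added as an illustration; it is not from the thread or from any vendor documentation. It assumes the DMZ is 10.10.10.0/24 on Vlan1 with the Exchange edge at 10.10.10.3, the transit link to the 1921 is 10.10.1.0/24 (10.10.1.10 on the 891, 10.10.1.2 on the 1921), the internal Exchange server is 192.168.1.186, Gi0 gets its address and default route from the modem by DHCP, and tcp/50636 is the EdgeSync port seen in the poster's later ACL.

```cisco
! Added example (not from the thread): 891 as DMZ router with a zone-based firewall.
zone security OUTSIDE
zone security DMZ
zone security INSIDE
interface GigabitEthernet0
 description ISP (default route learned from the modem via DHCP)
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
!
interface Vlan1
 description DMZ 10.10.10.0/24 (Exchange edge 10.10.10.3, Lync edge)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security DMZ
!
interface FastEthernet8
 description transit to 1921 Gi0/0; no ip nat here, DMZ<->internal stays untranslated
 ip address 10.10.1.10 255.255.255.0
 zone-member security INSIDE
ip route 192.168.1.0 255.255.255.0 10.10.1.2
! NAT only between DMZ and Internet: publish SMTP on the 891's public address.
ip nat inside source static tcp 10.10.10.3 25 interface GigabitEthernet0 25
!
! DMZ -> inside: the edge may relay SMTP to the internal Exchange server only.
ip access-list extended ACL-DMZ-TO-INSIDE
 permit tcp host 10.10.10.3 host 192.168.1.186 eq smtp
class-map type inspect match-all CM-DMZ-TO-INSIDE
 match access-group name ACL-DMZ-TO-INSIDE
policy-map type inspect PM-DMZ-TO-INSIDE
 class type inspect CM-DMZ-TO-INSIDE
  inspect
 class class-default
  drop log
zone-pair security DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect PM-DMZ-TO-INSIDE
!
! Inside -> DMZ: SMTP plus EdgeSync (tcp/50636), both initiated by the internal server.
ip access-list extended ACL-INSIDE-TO-DMZ
 permit tcp host 192.168.1.186 host 10.10.10.3 eq smtp
 permit tcp host 192.168.1.186 host 10.10.10.3 eq 50636
class-map type inspect match-all CM-INSIDE-TO-DMZ
 match access-group name ACL-INSIDE-TO-DMZ
policy-map type inspect PM-INSIDE-TO-DMZ
 class type inspect CM-INSIDE-TO-DMZ
  inspect
 class class-default
  drop log
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSIDE-TO-DMZ
```

Zones with no zone-pair between them (DMZ and OUTSIDE here) pass no traffic at all, so the edge server's SMTP to and from the Internet needs its own pairs before the NAT entry does anything useful.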


battleop

join:2005-09-28
00000

reply to Da Geek Kid
This is also why I run Filezilla FTP server on Windows boxes instead of the FTP server that's part of IIS. If someone hacks an FTP account they don't have a system account.


eddysamson

join:2012-01-26
Burlington, VT

reply to aryoba
Hi, sorry for the late response, I was working on other projects. Here is how I have it set up so far:

891-
int fastethernet8
 ip address 10.10.1.10 255.255.255.0

! Interface-only static route: relies on the 1921 answering proxy ARP for
! 192.168.1.0/24. The usual form names the next hop: ip route 192.168.1.0 255.255.255.0 10.10.1.2
ip route 192.168.1.0 255.255.255.0 fastethernet8

1921-
int gigabitethernet0/0
 ip address 10.10.1.2 255.255.255.0
 ip access-group sdm_gigabitethernet0/0_in in

! Same interface-only form; next-hop equivalent: ip route 10.10.10.0 255.255.255.0 10.10.1.10
ip route 10.10.10.0 255.255.255.0 gigabitethernet0/0

ip access-list extended sdm_gigabitethernet0/0_in
 permit tcp any host 10.10.1.10 eq smtp
 permit tcp any host 10.10.1.10 eq 50636
 permit tcp any host 192.168.1.186 eq smtp
 permit tcp any host 192.168.1.186 eq 50636
 permit tcp any any eq 1723
 permit gre any any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 10.10.1.10 any
 permit icmp any host 10.10.1.10 administratively-prohibited
 permit icmp any host 10.10.1.10 time-exceeded
 permit icmp any host 10.10.1.10 unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log

With this setup I can ping from the 891 to anything internal. If I take off the ACL on gigabitethernet0/0 I can also ping anything in the DMZ.

I have not had a chance to test the Exchange edge server with this setup (the Lync edge has 2 NICs and is working fine already). Does it look like it will work as is?


Sunday, 03-Jun 21:59:25 © 1999-2012 dslreports.com.