50.4 Running Servers with Cisco Cisco Forum FAQ
FAQ Revisions · Editors: skj, Covenant, aryoba, Phraxos
Last modified on 2008-11-21 15:11:04

50.4 Running Servers with Cisco

Contents:
* Router configuration to run server (port forwarding)
* PIX Firewall/ASA configuration to run server (port forwarding)

Suggested prerequisite reading
Cisco Forum FAQ: NAT, PAT, Internet and Server Access: Introduction and Best Practise

For illustration purposes, I use:
* Cisco 806 router (2 Ethernet ports)
* ISP provided static IPs
* ISP provided DNS
* PPPoE (a username and password are required to connect to the ISP)

Note:
1) When your ISP doesn't use PPPoE
If your ISP does not use PPPoE, this configuration can easily be modified to suit other types of ISP connection (i.e. static, DHCP, PPPoA). See the other parts of this forum's FAQ for those situations:
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

2) For servers other than FTP
Also for illustration purposes, I run an FTP server behind the router. This configuration can be modified to serve a web server, a mail server, or any other public server that listens on specific TCP or UDP port(s). For a web server, replace TCP ports 20 and 21 with TCP port 80 (the standard web port). For a mail server, replace them with TCP port 25 (the standard mail port). For other servers, check your server software's configuration for the TCP/UDP port it uses.

Background

A bit of explanation first. The E0 interface faces the inside network (the LAN interface). E1 faces the outside (the ISP or WAN physical interface). Dialer1 is the PPPoE interface (the "actual"/logical WAN interface). 1.0.0.13 is the ISP-provided static IP address reserved for the server. This configuration example is for running an FTP server, which uses the standard TCP ports 20 and 21.

The LAN uses the 10.10.10.0 network with a 255.255.255.0 subnet mask for both servers and workstations. All servers within the LAN use static IP addresses. The router is configured as a DHCP server that hands out IP information (IP address, subnet mask, DNS) to workstations configured as DHCP clients.

Basically, I suggest that you deploy NAT (Network Address Translation) and/or PAT (Port Address Translation) to set up your own servers behind a Cisco router. In this sample configuration, two PATs are in place between Public and Private IP addresses. One is a dynamic PAT that uses a single Public IP address for all local workstations. The other is a static PAT that uses a single Public IP address for the servers.

When using NAT/PAT, keep in mind that Internet-accessible servers are seen from the Internet at their NAT/PAT-ed address (the Public IP address), not at their local address (the Private IP address). This matters when you or someone else needs to test connectivity to the server, and when you create a filter (an access list, or ACL for short) that allows only certain incoming traffic from the Internet and blocks the rest: the filter has to match the Public address.

Side Note:
For more info on the NAT/PAT concept, see the following FAQ:
Cisco Forum FAQ: NAT, PAT, Internet and Server Access: Introduction and Best Practise

The equipment used in this illustration is pretty much standard for running your own servers. Note that the IP addresses, username, and password have been changed. You can always modify the configuration to suit your situation.

This sample configuration assumes that you have a block of IP addresses from your ISP: one dedicated Public IP address for the router WAN interface (the Dialer1 interface) and another dedicated Public IP address for the server PAT. If you only have a single Public IP address for both the router WAN interface and the server PAT, there are several ways to configure the router.

One way is to use the same command as shown in the sample configuration.


This form is suitable when you have a static IP address from your ISP and you know exactly what it is. In this case you have the single static IP address 1.1.1.14 for both the WAN interface and the Public server IP address. Note that the command above shows the static PAT between the Public IP address (1.1.1.14) and the Private IP address (10.10.10.2).

When you are unsure which IP address you will receive from the ISP, or when your Public IP address keeps changing, the static PAT can instead be configured as follows:


With a dynamic IP address, at some point you still need to know the exact Public IP address you received from your ISP, both for server connection testing and in production. To find out, issue the show ip interface brief command on the router; the output lists the Public IP address associated with the WAN interface. Note that the command above shows the static PAT between the Dialer1 interface Public IP address (the one that appears in the show ip interface brief output) and the Private IP address (10.10.10.2).

Static and Dynamic IP Addresses for LAN Machines

Typically, servers have static IP addresses while regular workstations have dynamic ones. As mentioned, all LAN machines (servers and workstations) are within the 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 to the router, 10.10.10.2 - 10.10.10.14 to servers, and the rest (10.10.10.15 - 10.10.10.254) to workstations.

This illustration assumes all workstations receive a dynamic IP address (as DHCP clients) from the router, which acts as the LAN DHCP server, as indicated by the ip dhcp pool CLIENT command. Since the router and servers have static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from the DHCP pool. This is what the ip dhcp excluded-address 10.10.10.1 10.10.10.14 command is for.

For routers that only have one Ethernet port

As mentioned, this sample configuration uses a router with two Ethernet ports. If your router has one Ethernet port on the LAN side and one DSL (ATM) port on the WAN side, see the following Cisco document:

Configuring Network Address Translation and Static Port Address Translation to Support an Internal Web Server

The document shows how similar, and how different, the two configurations are.

Tips

* You can use any computer, running any operating system, with any generic FTP or other server software. Nothing is vendor-specific.
* Make sure that the ports you plan to use are not used by another program.
* Also make sure that your ISP does not block the port you plan to use.
* You can use generic port scanner software to find out whether the port you plan to use is available.
* Set up the FTP software so that the FTP server uses port 21 (the standard port).
* FYI, port 21 only handles the control connection; data is sent over port 20. With both ports PAT'd you will be able to use both PASV and PORT connections to your FTP server.
* To verify the configuration, access the server from the OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. For this illustration, run an Internet browser (Internet Explorer, Netscape) and open ftp://1.0.0.13:21

The Sample Configuration

Finally, here is the "show running-config" output.


To run a Public Web Server, use the following command:

To run a Public Mail Server, use the following command:

To run both a Public Web Server and a Public Mail Server residing on different LAN machines, use the following list of commands:


where 10.10.10.2 is the Mail Server and 10.10.10.3 is the Web Server.

To run both a Public Web Server and a Public Mail Server residing on different LAN machines, each with its own Public IP address, use the following list of commands:


where 10.10.10.2 is the LAN Mail Server and 1.0.0.12 is the Public Mail Server. Similarly, 10.10.10.3 is the LAN Web Server and 1.0.0.13 is the Public Web Server.

If you would like to dedicate 1.0.0.12 exclusively to the 10.10.10.2 machine and 1.0.0.13 exclusively to the 10.10.10.3 machine, you can use Static NAT instead, as follows.


With such a Static NAT implementation every port of the dedicated Public IP address is forwarded to the LAN machine, so for better network security you should have an inbound ACL on the router WAN interface, or some other Internet firewall, to regulate which inbound Internet traffic may reach those dedicated Public IP addresses. Following is a sample.

Cisco Forum FAQ: Basic Internet Firewall ACL for Routers without IOS image Firewall feature
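As an added illustration of that point (not the FAQ's own sample, and simpler than the linked firewall ACL), here is the one-to-one Static NAT for the two servers above together with a minimal inbound ACL on Dialer1 that exposes only SMTP on 1.0.0.12 and HTTP on 1.0.0.13. The ACL name INTERNET-IN and the return-traffic lines are assumptions for a router without the IOS Firewall feature.

```cisco
! Added example, not the FAQ's own configuration. Assumes the Dialer1 PPPoE
! WAN interface and the mail (10.10.10.2) and web (10.10.10.3) servers above.
! One-to-one Static NAT forwards EVERY port of the public address to the host.
ip nat inside source static 10.10.10.2 1.0.0.12
ip nat inside source static 10.10.10.3 1.0.0.13
!
! The inbound ACL on the WAN interface is evaluated before inbound NAT, so it
! must name the PUBLIC addresses (1.0.0.x), never the private 10.10.10.x ones.
ip access-list extended INTERNET-IN
 remark -- replies to sessions the LAN opened outbound (stateless ACL)
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- only the published service reaches each Static-NAT'd host
 permit tcp any host 1.0.0.12 eq smtp
 permit tcp any host 1.0.0.13 eq www
 remark -- everything else from the Internet is dropped and logged
 deny   ip any any log
!
interface Dialer1
 ip access-group INTERNET-IN in
```

Test from the Internet side: a connection to 1.0.0.12 port 25 should complete, while one to 1.0.0.12 port 80 should time out and appear as a deny in the log.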

Having Servers on DMZ

This time there is a DMZ network of 10.10.10.0/24, and the Inside network is 10.0.0.0/24. Traffic between the DMZ and Inside networks passes untranslated, so there is no need to NAT the Inside network to reach the DMZ or vice versa. The DMZ network is only allowed to reach the Inside DNS server (10.0.0.2) and no other Inside hosts, while it is allowed to reach anything Outside (the Internet). This access is regulated by ACL 100.

Following is the sample configuration.
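The fragment below is an added example, not the FAQ's own sample configuration. It assumes a three-interface router (FastEthernet0/0 as Inside, FastEthernet0/1 as DMZ, and a Dialer1 PPPoE interface configured with ip nat outside as Outside) and shows how ACL 100 on the DMZ interface enforces the policy just described.

```cisco
! Added example, not the FAQ's own configuration. A three-interface router is
! assumed: FastEthernet0/0 = Inside, FastEthernet0/1 = DMZ, Dialer1 = Outside
! (Dialer1 carries "ip nat outside" as in the Background section).
interface FastEthernet0/0
 description Inside, 10.0.0.0/24 (DNS server 10.0.0.2 lives here)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description DMZ, 10.10.10.0/24 (FTP server 10.10.10.2 lives here)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip access-group 100 in
!
! Both LAN-side interfaces are "ip nat inside" and only Dialer1 is "ip nat
! outside", so DMZ<->Inside traffic is routed untranslated; translation
! happens only for traffic leaving through Dialer1.
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21
ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20
!
! ACL 100 governs what DMZ hosts may initiate. A router ACL is stateless, so
! replies from DMZ servers to TCP sessions that Inside hosts opened must be
! permitted explicitly (the "established" line). Order matters: the DNS
! permits must precede the deny for the rest of the Inside network.
access-list 100 permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.2 eq domain
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.0.0.2 eq domain
access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255 log
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
```

A DMZ host should resolve names through 10.0.0.2 but fail to open anything else toward 10.0.0.0/24, and show access-lists 100 should show the deny counter increasing for such attempts.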


More DMZ Sample Configuration

Cisco Forum FAQ: Configure DMZ on routers


by aryoba
last modified: 2008-11-05 15:42:46

Suggested prerequisite reading
Cisco Forum FAQ: NAT, PAT, Internet and Server Access: Introduction and Best Practise

For illustration purposes, I use:
* Cisco PIX Firewall 501 (2 Ethernet ports) running PIX OS version 6.3(3)
* ISP provided static IPs
* ISP provided DNS
* Static WAN IP addresses, provided by ISP

Note:
1) When your ISP doesn't use a Static IP Address
If your ISP does not provide a static IP address, this configuration can easily be modified to suit other types of ISP connection (i.e. DHCP, PPPoE, PPPoA). See the other parts of this forum's FAQ for those situations:
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

2) For servers other than FTP
Also for illustration purposes, I run an FTP server behind the firewall. This configuration can be modified to serve a web server, a mail server, or any other public server that listens on specific TCP or UDP port(s). For a web server, replace TCP ports 20 and 21 with TCP port 80 (the standard web port). For a mail server, replace them with TCP port 25 (the standard mail port). For other servers, check your server software's configuration for the TCP/UDP port it uses.

3) For ASA or PIX Firewall running OS version 7.0 or later
PIX OS version 6.3(3) commands are very similar to those of ASA or PIX OS version 7.0 and later. Should you need more sample configurations from a different angle, or sample configurations for ASA or PIX running OS version 7.0 or later, keep reading to get the preliminary concept overview, then proceed to the next discussion.

Background

A bit of explanation first. The E0 interface faces the outside network (the ISP or WAN physical interface). E1 faces the inside (the LAN interface).

The ISP-provided IP block is 1.1.1.9/24 - 1.1.1.14/24, where 1.1.1.9 is used for general Internet traffic, 1.1.1.13 for the server, and 1.1.1.14 is the PIX WAN interface IP address. The default gateway (the ISP) is 1.1.1.1/24.

This configuration example is for running an FTP server, which uses the standard TCP ports 20 and 21. You need to permit inbound traffic from the Internet to your LAN by issuing the access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 command.

The LAN uses the 10.10.10.0 network with a 255.255.255.0 subnet mask for both servers and workstations. All servers within the LAN use static IP addresses. The PIX is configured as a DHCP server that hands out IP information (IP address, subnet mask, DNS) to workstations configured as DHCP clients.

Basically, I suggest that you deploy NAT (Network Address Translation) and PAT (Port Address Translation) to set up your own servers behind a Cisco PIX Firewall. In this sample configuration, two PATs are in place between Public and Private IP addresses. One is a dynamic PAT that uses a single Public IP address for all local workstations. The other is a static PAT that uses a single Public IP address for the servers.

When using NAT/PAT, keep in mind that Internet-accessible servers are seen from the Internet at their NAT/PAT-ed address (the Public IP address), not at their local address (the Private IP address). This matters when you or someone else needs to test connectivity to the server, and when you create a filter (an access list, or ACL for short) that allows only certain incoming traffic from the Internet and blocks the rest: the filter has to match the Public address.

Specifically on firewall devices such as the PIX Firewall and ASA, an ACL that regulates incoming traffic initiated from the Internet toward the local LAN is required; without one, the firewall allows no Internet-initiated connection at all. In this sample configuration, this ACL is called INBOUND (access-list INBOUND).

Side Note:
For more info on the NAT/PAT concept, see the following FAQ:
Cisco Forum FAQ: NAT, PAT, Internet and Server Access: Introduction and Best Practise

The equipment used in this illustration is pretty much standard for running your own servers. Note that the IP addresses, username, and password have been changed. You can always modify the configuration to suit your situation.

This sample configuration assumes that you have a block of IP addresses from your ISP: one dedicated Public IP address for the PIX WAN interface (the outside interface) and another dedicated Public IP address for the server PAT. In this sample configuration, 1.1.1.13 is the server's Public IP address and 10.10.10.2 is its inside Private IP address.

Note that the static PAT is defined by the static command, while the dynamic PAT is defined by the pair of global and nat commands. You can change the IP address on the static, global, or nat commands to suit your needs or situation.

If you only have a single Public IP address for both the WAN interface and the server PAT, use the following commands instead.


With a dynamic IP address, at some point you still need to know the exact Public IP address you received from your ISP, both for server connection testing and in production. To find out, issue the show ip address command on the PIX; the output lists the Public IP address of the outside interface.

Note that the static commands above show the static PAT between the outside (WAN) interface Public IP address (the one shown by show ip address) and the Private IP address (10.10.10.2).

Static and Dynamic IP Addresses for LAN Machines

Typically, servers have static IP addresses while regular workstations have dynamic ones. As mentioned, all LAN machines (servers and workstations) are within the 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 to the PIX, 10.10.10.2 - 10.10.10.14 to servers, and the rest (10.10.10.15 - 10.10.10.254) to workstations.

This illustration assumes all workstations receive a dynamic IP address (as DHCP clients) from the PIX, which acts as the LAN DHCP server, as indicated by the dhcpd address 10.10.10.15-10.10.10.254 inside command. Since the PIX and servers have static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from the DHCP pool. This is why the first DHCP address in the pool is 10.10.10.15 and the last is 10.10.10.254.

Tips

* You can use any computer, running any operating system, with any generic FTP or other server software. Nothing is vendor-specific.
* Make sure that the ports you plan to use are not used by another program.
* Also make sure that your ISP does not block the port you plan to use.
* You can use generic port scanner software to find out whether the port you plan to use is available.
* Set up the FTP software so that the FTP server uses port 21 (the standard port).
* FYI, port 21 only handles the control connection; data is sent over port 20. With both ports PAT'd you will be able to use both PASV and PORT connections to your FTP server.
* To verify the configuration, access the server from the OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. For this illustration, run an Internet browser (Internet Explorer, Netscape) and open ftp://1.0.0.13:21

The Sample Configuration

Finally, here is the "show running-config" output.


To run a Public Web Server, use the following command list:

To run a Public Mail Server, use the following command list:

To run both a Public Mail Server and a Public Web Server, each residing on a different LAN machine, use the following command list.

where 10.10.10.2 is the LAN Mail Server and 10.10.10.3 is the LAN Web Mail Server.

To run both a Public Mail Server and a Public Web Server, each residing on a different LAN machine and each with its own Public IP address, use the following command list.

where 10.10.10.2 is the LAN Mail Server and 1.1.1.12 is its WAN (Public) IP address. Similarly, 10.10.10.3 is the LAN Web Mail Server and 1.1.1.13 is its Public IP address.

If you would like to dedicate a specific Public IP address to a specific LAN machine, you can implement Static NAT instead, as follows.

where 1.1.1.12 is dedicated only to the 10.10.10.2 machine and 1.1.1.13 only to the 10.10.10.3 machine.
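The PIX OS 6.3 fragment below is an added example, not the FAQ's own sample configuration. It follows the Background section (FTP server 10.10.10.2 published by static PAT on 1.1.1.13, dynamic PAT on 1.1.1.9, DHCP for the workstations) and adds the Static NAT variant just shown for a second host; that 10.10.10.3 is a mail server behind 1.1.1.12, and the DNS address 1.1.1.2, are assumptions. The single-public-address form of the static command is included commented out.

```cisco
! Added example, not the FAQ's own configuration (PIX OS 6.3 syntax).
! Addresses follow the Background section; the second host 10.10.10.3 behind
! 1.1.1.12 is an assumed mail server and the DNS address 1.1.1.2 a placeholder.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 100full
ip address outside 1.1.1.14 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! Dynamic PAT: every inside host leaves as 1.1.1.9 (global/nat pair, id 1).
global (outside) 1 1.1.1.9
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
!
! Static PAT: only the FTP ports of 1.1.1.13 are mapped to 10.10.10.2.
static (inside,outside) tcp 1.1.1.13 ftp 10.10.10.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255 0 0
! Single-public-address variant: PAT on the outside interface address instead.
! static (inside,outside) tcp interface ftp 10.10.10.2 ftp netmask 255.255.255.255 0 0
! static (inside,outside) tcp interface ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255 0 0
!
! Static NAT: 1.1.1.12 maps every port to 10.10.10.3, so only the ACL below
! limits that host's exposure.
static (inside,outside) 1.1.1.12 10.10.10.3 netmask 255.255.255.255 0 0
!
! The PIX denies Internet-initiated traffic until an ACL permits it, and the
! ACL is matched against the PUBLIC addresses, not 10.10.10.x.
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21
access-list INBOUND permit tcp any host 1.1.1.12 eq smtp
access-group INBOUND in interface outside
!
! FTP inspection keeps PASV/PORT data channels working through the PAT.
fixup protocol ftp 21
!
! DHCP for workstations only; .1-.14 (PIX and servers) are outside the pool.
dhcpd address 10.10.10.15-10.10.10.254 inside
dhcpd dns 1.1.1.2
dhcpd lease 3600
dhcpd enable inside
```

show xlate lists the three static translations once configured, and show access-list INBOUND shows the hit count on each permit line as connections arrive from the Internet.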

Having Servers on DMZ

This time there is a DMZ network of 10.10.10.0/24, and the Inside network is 10.0.0.0/24. Traffic between the DMZ and Inside networks passes untranslated, so there is no need to NAT the Inside network to reach the DMZ or vice versa. The DMZ network is only allowed to reach the Inside DNS server (10.0.0.2) and no other Inside hosts, while it is allowed to reach anything Outside (the Internet).

Note that access-list DMZ only applies to connections initiated from DMZ machines. Connections initiated from other networks, such as Inside and Outside, are not affected by access-list DMZ.

Following is the sample configuration.
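The following PIX OS 6.3 fragment is an added example, not the FAQ's own sample configuration. It assumes a three-port PIX (e.g. a 515) with ethernet2 as the DMZ, keeps the FTP server at 10.10.10.2 behind 1.1.1.13, and uses an identity static between inside and dmz so that Inside and DMZ reach each other untranslated while access-list DMZ enforces the policy just described.

```cisco
! Added example, not the FAQ's own configuration (PIX OS 6.3). A three-port
! PIX (e.g. 515) is assumed: ethernet0 outside, ethernet1 inside, ethernet2 dmz.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 1.1.1.14 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! Dynamic PAT to the Internet for both Inside and DMZ.
global (outside) 1 1.1.1.9
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 10.10.10.0 255.255.255.0 0 0
!
! Identity static: Inside addresses appear unchanged on the DMZ, so Inside<->DMZ
! traffic is not translated and DMZ hosts reach 10.0.0.2 by its real address.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
!
! The FTP server now lives in the DMZ; publish it from there.
static (dmz,outside) tcp 1.1.1.13 ftp 10.10.10.2 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 1.1.1.13 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255 0 0
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21
access-group INBOUND in interface outside
!
! What the DMZ may initiate: DNS to 10.0.0.2, nothing else Inside, anything
! Outside. The PIX is stateful, so sessions opened from Inside toward the DMZ
! (and their replies) are not affected by this list.
access-list DMZ permit udp 10.10.10.0 255.255.255.0 host 10.0.0.2 eq domain
access-list DMZ permit tcp 10.10.10.0 255.255.255.0 host 10.0.0.2 eq domain
access-list DMZ deny ip 10.10.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ permit ip 10.10.10.0 255.255.255.0 any
access-group DMZ in interface dmz
```

If a compromised DMZ host tries to reach any Inside address other than 10.0.0.2 port 53, the deny line matches and the attempt appears in the PIX syslog as a denied packet, which is the event worth alerting on.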


More Sample Configurations

As mentioned, PIX OS version 6.3(3) commands are very similar to those of ASA or PIX OS version 7.0 and later. Should you need more sample configurations from a different angle, or sample configurations for ASA or PIX running OS version 7.0 or later, check out the following links.

Run Mail Server on DMZ Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

Run Mail Server on Inside Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

Run Mail Server on Outside Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

PIX Firewall - Router Combo
Cisco Forum FAQ: Internet - PIX - Router - LAN
Cisco Forum FAQ: Internet - Router - PIX - LAN

Some Discussions
[Config] cisco 5520


by aryoba
last modified: 2008-11-17 13:09:51

© 99-2008 silver matrix LLC