external ip address to internal ip address
(archived thread, CCNP forum, April 2003)

I'm looking for some good "how to" documentation on a particular situation. I'm trying to set an external IP address so that it points to an internal IP address. For example, I want to be able to allow users on the internet from home to be able to get to my server at work. I want to use my external IP address given to me so that they can hit that from home. I am assuming I do this with the NAT command. Anyone know of any good documentation? Thanks.

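The mapping asked about above, written out as an added IOS example (it is not from the thread and not anyone's production config). Addresses are RFC 1918 / RFC 5737 documentation values and the interface names are assumptions: 203.0.113.10 stands for the spare public address and 10.1.1.10 for the intranet server. The block shows the one-to-one static NAT the question describes, commented out, next to the narrower static-PAT form that publishes a single port, plus the inbound ACL that limits what can reach the public address at all.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! published port (443) are assumptions chosen for illustration.
!
interface FastEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! The mapping the original post asks for: a one-to-one static NAT. Every
! port the server listens on becomes reachable from the Internet, which is
! the "hole in the firewall" the replies warn about.
!   ip nat inside source static 10.1.1.10 203.0.113.10
!
! Tighter form: static PAT publishes one TCP port only. Packets to any other
! port on 203.0.113.10 have no translation and never reach 10.1.1.10.
ip nat inside source static tcp 10.1.1.10 443 203.0.113.10 443
!
! Inbound ACL on the outside interface. On IOS the inbound ACL is checked
! before the outside-to-inside NAT step, so it must match the global
! (public) address, not the inside address.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
! Verify with:  show ip nat translations   /   show access-lists OUTSIDE-IN
```

The `deny ip any any log` also blocks return traffic for sessions started from the inside; on a real router that needs an `established` entry, reflexive ACLs, or CBAC in addition, which is exactly the point the replies make: once the port is open to the whole Internet, everything else rests on the server behind it being patched and hardened.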
Did you check the Cisco.com website?
I would probably set up a VPN if I were you, btw...

anchor40 2003-04-16, 12:31 pm
Wow, Dude. You're scaring me.
Try and post that question on the CCSP forum and watch the flames fly!
Seriously, Freak nailed it. Go VPN. Any hole you open in a firewall is an opportunity for a bad guy to exploit your network, no matter how tight you lock it down.
There are a wide range of basic to very complex VPN configs, all well documented on Cisco's website.
Always understand what the users are trying to accomplish, and if you're not up on the latest security, check for some of the known exploits from the security forums (CCSP here) or on security websites like CERT.org.
HTH...

freak 2003-04-16, 12:34 pm
quote: Originally posted by anchor40
Wow, Dude. You're scaring me.
Try and post that question on the CCSP forum and watch the flames fly!
Why, they're not a nice bunch?

Well guys, I have a firewall in place, and I am not using my Cisco router as the firewall. That is why I ask.

anchor40 2003-04-16, 8:43 pm
Ok, well, I was trying to be a little funny, and I realize it might not have come across that way, so let me be a little more helpful.
First, I recommend VPN with 3DES terminated on the inside router, not the perimeter firewall. Second choice would be DES, and third would be PPTP. While possible, and people do it a lot, I would rather keep sessions from terminating on my perimeter device - personal preference I suppose.
Since you have a true non-Cisco firewall (not a Cisco router running IOS FW), Authentication Proxy is out (upon successful username/password, a dynamic ACL is applied allowing the user in). It's basically the newer version of Lock-and-Key dynamic ACLs.
Anyway, if you can shed a little more insight into the user requirements (the problem you're trying to solve), we might be able to come up with some more alternatives, but most likely the VPN will be your best option.
The Cisco 3000 series are very easy to implement, and have a varying number of licensed connections for small to very large installations. Some are "fixed" but others can scale, and best of all, the VPN client is free and very easy to use.
HTH...

anchor40 2003-04-17, 7:00 pm
One last thing, Dude. The latest Cisco IOS, 12.2(8)T with the IOS Firewall feature set, introduces Easy VPN. It's a way for smaller routers or the VPN software client to VPN into mid-to-larger routers, as well as PIX firewalls and VPN Concentrators/routers.
It's pretty slick - the bulk of the config is on the "server" side, the Cisco router behind your firewall (which would need an access list to allow the VPN protocols thru), and when the client authenticates, the server pushes the tunnel config down and builds a dynamic ACL for the tunnel.
Let us know how it turns out!

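What that "server side" config looks like, as an added IOS Easy VPN server example (not from the thread and not the poster's own lab config). Group name, group key, username, address pool, interface and addresses are all assumptions. It uses the 3DES/XAUTH combination recommended earlier in the thread: the client first authenticates to the group with a pre-shared key, then the user supplies a username/password (XAUTH) against the local database, and only then does the router hand back an address from the pool and the split-tunnel ACL.

```cisco
! Added example, not from the thread. Names, keys, addresses and interface
! are assumptions; use real credentials and an AAA server in production.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username alice secret ChangeMe-Alice
!
! Phase 1 policy: 3DES, SHA, pre-shared group key, DH group 2
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Group policy that is pushed to the client after it authenticates
crypto isakmp client configuration group homeusers
 key Group-PreShared-Key
 dns 10.1.1.5
 domain example.com
 pool VPNPOOL
 acl 120
!
ip local pool VPNPOOL 10.1.99.1 10.1.99.50
!
! Split tunnel: only traffic to the intranet subnet rides the tunnel,
! so the client cannot become a bridge between the Internet and the LAN
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.99.0 0.0.0.255
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
! XAUTH (user login), group authorization and address assignment
crypto map CLIENTMAP client authentication list userauthen
crypto map CLIENTMAP isakmp authorization list groupauthor
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 description faces the perimeter firewall
 ip address 192.168.100.2 255.255.255.0
 crypto map CLIENTMAP
```

For the thread's topology the non-Cisco perimeter firewall has to forward UDP/500 (ISAKMP) and IP protocol 50 (ESP) to 192.168.100.2, plus UDP/4500 if NAT Traversal is in use, and nothing else; the inside network also needs a route to 10.1.99.0/24 via this router. `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel after a client connects.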
quote: Originally posted by anchor40
One last thing, Dude. The latest Cisco IOS, 12.2(8)T with the IOS Firewall feature set, introduces Easy VPN. It's a way for smaller routers or the VPN software client to VPN into mid-to-larger routers, as well as PIX firewalls and VPN Concentrators/routers.
It's pretty slick - the bulk of the config is on the "server" side, the Cisco router behind your firewall (which would need an access list to allow the VPN protocols thru), and when the client authenticates, the server pushes the tunnel config down and builds a dynamic ACL for the tunnel.
Let us know how it turns out!
That sounds great. Thanks for the tip. I am gonna look into it in my test lab. Great post!

darthfeces 2003-04-17, 9:07 pm
Wow, hosting servers @ work!!!!!
(They (your company) must have taken the blue pill!)
Be sure to name it honeypot...
Good advice, guys...
Just came back from SANS NY:
Firewall and Perimeter Protection.
Be very afraid.

You know guys, I think I am done with this forum. I asked you guys a simple question on how to do something and instead I get a bunch of other ideas and a few laughs at my expense. I already have a plan for my company and what I want to do. I didn't ask for your plans for my company, I simply asked a question on how to do something. That was all.

Dude, you need to calm down. The number one thing an engineer should know is that we don't know it all, and that there is more in two heads than in one. I personally know my stuff, but I still learnt some valuable info from this thread, and that's what it's all about. If you can't understand that, maybe you're in the wrong industry...

anchor40 2003-04-22, 12:21 am
Dude, I'm sorry if my humor irked you. It was half meant to be funny and half to get your attention. I guess at least the second half worked.
I've been designing networks for 11 years (3 SONET, 9 Cisco) in several industries, each with their unique security requirements or concerns.
In today's network world, we all have to be concerned with security. Have you ever been called by the FBI about an alleged vulnerability that they thought was being exploited to hack another network? Trust me - you don't want to be! They thought a Citrix front-end was an open server! Ha! But boy did it take a whole lot of reassuring.
My point was that while what you were asking is technically possible, it would expose your company to risks you do not want to take - it's too hard to find a job right now.
If you want people to be able to access corporate resources from PCs at home after hours (or telecommuting), implement tough security now, and you won't have to worry (as much) about damage control from an exploited server.
There's a lot of folks with good info and advice here - please don't walk away from a good resource. We're all here because we like to learn, we like to help, or both!

Look, I do appreciate your knowledge and your willingness to help others. Many of us, if not all of us, need it at some time or another.
As for my project, I'm just trying to get to a local intranet server from my home. Since I have a free external IP address, I thought I would try to map it to the internal IP address of the intranet site. I do have a firewall in place that I hope is going to prevent any unwanted activity.
Now, I do not have the experience that you obviously have. And I have learned a few things here. So, thanks for your help. I do appreciate it.