
Static IP address via Cisco router question...

A 1720 can do access lists just like any other Cisco router...there's no reason he can't only allow the ports and services that he wants to allow. Not only that, but he can enable TCP/IP filtering on the servers themselves to ignore all traffic except to certain ports.

As a side note...how exactly do you get 8 usable static IPs? If you've got a 29 block, that's 8 IPs, but only 6 are usable...and if you've got a 28 block, that's 16 total IPs, 14 of which are usable...

Hrm.

Best thing to do? Set up a one-to-one NAT for each IP address you need to route internally.
 
Originally posted by: spidey07
Originally posted by: mcmilljb
Originally posted by: spidey07
mcmilljb,

As drawn your servers are wide open on the internet, not a good idea. Some kind of firewall or port specific NAT device really needs to be used.

It's not wide open.

T1-> 1720-> Switch-> other devices

You have the 1720 router between your Internet connection and the servers. If you give a device a public IP address, it's open to the whole internet regardless. He can use NAT on the 1720 to map them to the servers just on IP address and port 80 if he wants, but he loses speed due to the router. It is a bit of a trade-off of speed and security. I'm just saying he does not have to have a Linksys between the 1720 and the web servers.

The 1720 is just doing regular routing unless it is a really unusual configuration from the provider's perspective, given that this is a managed internet service (MIS from AT&T is the product offering).

There is still no answer on what the FastE address is of that 1720. That's the key. I SEVERELY doubt it is a private address. OP - without knowing whether that address is public or private nobody can offer any help. But DO NOT put hosts directly off of the 1720 unless you understand what you are doing.

Oh, and if you haven't signed a contract yet then they should be bending over backwards to get you in touch with a tech that will guide you through everything. If they don't then tell them you do not want.

OK I see what you're seeing about the 1720 now. You are considering the 1720 as part of the ISP still. He could pick up a router to put between the 1720 and the switch like this:

T1-> 1720-> Router-> Switch -> rest of the network.

I just know I would not run my business off a Linksys router between the 1720 and the rest of the network. Also, if you do not get any administrative control over the 1720, you might want that router so you can have plenty of configuration options. Also I am curious if they are just giving you 8 IP addresses or 3 bits off a subnet mask like /29, in which case you are not getting 8 IP addresses but rather 6. Definitely talk to a tech so you can get the full facts about the setup.
 

I'll talk to a tech tomorrow, the saleswoman told my boss 8 static, public IP addresses, I don't have any more details at the moment than that.

I'm not necessarily glued to a Linksys router if anyone else has any other, better recommendations which are not ridiculously expensive.

This was sort of my original plan: T1-> 1720-> Router-> Switch -> rest of the network ... but then everyone here seemed to think that wouldn't be a good idea/couldn't be done...?
My initial thought was that this would, in fact, give me the most control over things and make things easiest to admin... is it do-able? What would I need to setup?

How do I get that router to handle all 8 (or 6) public IP addresses... or will it just work? Do I have to worry about double NATing all of the stuff inside the network then?
 
Honestly, there's no reason to put the second router in there...except possibly to NAT your workstations behind.

If the 1720 is simply set to forward those IPs from WAN side to LAN side, your best bet would be to place your servers here and simply statically assign them the relevant IP addresses. Then use your Linksys router to NAT your workstations.

Public servers are public servers and you need to make sure they are properly secured from the inside. All of the NATing and PATing and firewalls in the world won't help you if you have a gaping security hole in the software application you're trying to make public. If that's secure, then you should have nothing to worry about with proper access lists.
 
And what is it, exactly, that you would do?

Purchase a PIX and set up exactly the same access lists that would be set up on the 1720, allowing exactly the same kind of traffic to reach the box?

Or, better yet, let's NAT the servers behind the Linksys and then forward the ports...yeah...that'll do exactly the same thing as the previous two.

I still fail to see why you refuse to allow a public server to be public. If port 80 needs to be open, port 80 will be open regardless of how many layers of routers and firewalls you put the server behind. If the server itself is properly secured, you shouldn't need anything other than ACLs configured.
 
Originally posted by: drebo
And what is it, exactly, that you would do?

Purchase a PIX and set up exactly the same access lists that would be set up on the 1720, allowing exactly the same kind of traffic to reach the box?

Or, better yet, let's NAT the servers behind the Linksys and then forward the ports...yeah...that'll do exactly the same thing as the previous two.

I still fail to see why you refuse to allow a public server to be public. If port 80 needs to be open, port 80 will be open regardless of how many layers of routers and firewalls you put the server behind. If the server itself is properly secured, you shouldn't need anything other than ACLs configured.

What ACL? From what device? The 1720 isn't managed by him (nor should it be, considering his level of competence shown in this thread). He wants a 'cheap' router to host publicly accessible sites for a business; that is an oxymoron...

It sounds like he is the web guy tasked with the job of a network engineer and is doing his best to figure it out while the peanut gallery is shouting instructions at him...

He knows he has a Cisco device (1720 series router) that he doesn't manage (ATT does). That device is out of his control; he doesn't know what internal IP addresses he is getting from the device, or how he is getting them, which we as the peanut gallery need to know to be able to tell him what to do next.

To the OP: if your company is willing to splunk the cash for a T1 line and installation, they should be prepared to spend the money to properly configure the internal network. Setting up proper web services is not something you do on the cheap and stay sustainable as a company. It sounds like you are over your head and might consider hiring a contractor to do things for you, the right way.
 

Narzy: I never said I'm tied to the Linksys router. In fact, I asked for suggestions on what I should get instead. Do you have any suggestions? I'm not looking to do this super cheap, I'm looking to do it: a) Correctly, b) Maintainably, c) while not going ridiculously over budget and spending $5k on a router. I'll ask again... do you have any suggestions on a better choice of router so I can look into it?

Talking to AT&T shortly so I should have some more answers...
 
Spidey, AT&T will perform any custom configuration he needs on that router. I've worked with them before in a managed environment.

If, indeed, he wishes to purchase a new router to go behind the other, then yes, I would recommend something a little more powerful than a Linksys router.

But he doesn't. He simply needs to call AT&T and tell them what it is he wants to do.

What ACL? Well, for starters... permit tcp any host xxx.xxx.xxx.xxx eq 80 ...would get the job done (the "eq 80" port match is only valid on a tcp/udp entry, not on "permit ip"). Apply that to the inbound WAN interface and the router will implicitly deny all other traffic to that host.
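To make the two pieces of advice in this thread concrete (the one-to-one NAT per public address suggested in the first reply, and the inbound WAN access list with its implicit deny from the last one), here is an added example of what the edge router configuration could look like in Cisco IOS. It is not AT&T's 1720 configuration and not anything posted in the thread; the interface names, the 198.51.100.0/30 WAN link, the 203.0.113.8/29 block, the 192.168.10.0/24 workstation network and the server address 192.168.10.80 are all constructed assumptions, and the thread never states what address block the OP actually receives.

```cisco
! Added example, not AT&T's configuration for the OP's 1720.
! Assumptions (all constructed): Serial0 is the T1 toward AT&T, FastEthernet0
! is the LAN switch, AT&T routes 203.0.113.8/29 toward this router, and the
! web server sits on a private LAN address, 192.168.10.80.
!
! On the "8 static IPs" question: 203.0.113.8/29 is 8 addresses. .8 is the
! network address and .15 is broadcast, so only .9 through .14 (6 hosts) are
! assignable. A /28 would be 16 addresses with 14 usable.
!
interface Serial0
 description T1 to AT&T (WAN side)
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface FastEthernet0
 description LAN switch: web server and workstations
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! One-to-one NAT for the public server, restricted to TCP port 80 only:
! 203.0.113.10:80 on the outside becomes 192.168.10.80:80 on the inside.
! Other public addresses in the /29 get their own static entries the same way.
ip nat inside source static tcp 192.168.10.80 80 203.0.113.10 80
!
! Workstations share the router's WAN address when they go out (PAT/overload).
ip access-list standard WORKSTATIONS
 permit 192.168.10.0 0.0.0.255
ip nat inside source list WORKSTATIONS interface Serial0 overload
!
! Inbound filter on the WAN interface. IOS evaluates this ACL before the
! outside-to-inside NAT step, so it matches the public (translated) address.
! A named extended ACL ends in an implicit "deny ip any any"; the explicit
! deny at the end only adds logging so blocked attempts show up in syslog.
ip access-list extended FROM-INTERNET
 remark Web server: HTTP from anywhere, nothing else
 permit tcp any host 203.0.113.10 eq 80
 remark Return traffic for TCP sessions the inside opened (stateless check)
 permit tcp any host 198.51.100.2 established
 remark Keep path MTU discovery and ping replies working
 permit icmp any any unreachable
 permit icmp any any echo-reply
 remark Log everything else that is dropped
 deny   ip any any log
```

Two caveats worth knowing before copying this pattern. The "established" entry only checks TCP flags, so it is a stateless approximation of return-traffic handling and does nothing for UDP (DNS replies to the workstations, for example); on a 1720 the stateful option is Context-Based Access Control (`ip inspect`), which opens return paths per session instead. And, as drebo points out above, none of this protects the web application itself: the ACL and the port-specific NAT only guarantee that TCP/80 is the single path from the internet to that host.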
 