
NAT'ing a new web server?


Hey all,
Forgive the question, but my router was set up for me and it runs great, so I don't usually have to get into it. Enough about my lack of router experience, here is my dilemma:
I have a new website that I am putting up to be served by my AS/400. The site works fine (now!) internally, but I know I need to map my internal IP to a valid external IP. I have asked my ISP to set a DNS entry to resolve [PUBLIC IP] to I entered this at the Conf term line:
ip nat inside source static [private IP] [public IP]

I do have a firewall internal to the router (2610). I know I need to open port 80 to that NAT'd address but I have not been successful at it. This is what I tried:
Access-list 101 permit tcp any host [public IP] eq www

Still waiting for DNS to propagate (sp?) so that may be the issue right now. I just need to know if there is anything else I should be aware of? BTW, I have a lot of entries on access list 101 and when I try to take out just the line I added by typing "no access-list 101 and all the rest" I knock out the entire 101 access list. How do I take out just the entry I added? Sorry for all the questions! Thanks All!

Alex
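The last question in the post above (removing one line from a numbered access list) is the part worth getting right, because on IOS a classic numbered ACL is edited as a whole: "no access-list 101" drops every entry. The script below is an added example, not part of the original thread. It builds the command sequence that re-enters the list without one entry, and it also checks whether a "permit tcp any host <public IP> eq www" line is actually reachable, since an entry appended after a "deny ip any any" never matches. The access list, the documentation address 203.0.113.10 and the function names are all constructed for the example.

```python
"""Replace one entry in a numbered IOS access list without losing the rest.

Added example; the ACL below is constructed in the style of the thread's
'access-list 101', with 203.0.113.10 standing in for the public web address.
"""

SAMPLE_ACL = [
    "access-list 101 permit tcp any any established",
    "access-list 101 permit udp any eq domain any",
    "access-list 101 permit tcp any host 203.0.113.10 eq www",
    "access-list 101 deny ip any any log",
]


def acl_number(line):
    """Return the list number of an 'access-list N ...' line."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    return parts[1]


def rebuild_without(acl_lines, entry):
    """Commands that remove just `entry` from a numbered ACL.

    Numbered lists cannot drop a single line, so the whole list is removed
    and every remaining entry is re-entered in its original order.
    """
    numbers = {acl_number(line) for line in acl_lines}
    if len(numbers) != 1:
        raise ValueError(f"lines belong to several lists: {sorted(numbers)}")
    if entry not in acl_lines:
        raise ValueError(f"entry not present in the list: {entry!r}")
    number = numbers.pop()
    return [f"no access-list {number}"] + [line for line in acl_lines if line != entry]


def permits_web(acl_lines, public_ip):
    """True if a permit line allows TCP from anywhere to host public_ip on
    port 80/www before any 'deny ip any any' (later entries never match)."""
    wanted = ["permit", "tcp", "any", "host", public_ip, "eq"]
    for line in acl_lines:
        body = line.split()[2:]          # drop 'access-list <number>'
        if body[:4] == ["deny", "ip", "any", "any"]:
            return False                 # everything after this is shadowed
        if body[:6] == wanted and body[6:7] and body[6] in ("www", "80"):
            return True
    return False


if __name__ == "__main__":
    web_line = SAMPLE_ACL[2]
    print("\n".join(rebuild_without(SAMPLE_ACL, web_line)))
    print("web reachable:", permits_web(SAMPLE_ACL, "203.0.113.10"))
    # A permit appended after the deny-all is silently dead:
    print("web reachable (appended last):",
          permits_web([SAMPLE_ACL[3], web_line], "203.0.113.10"))
```

Paste the generated commands into config mode in one go rather than typing them by hand: between "no access-list 101" and the first re-entered line the list does not exist, and an "ip access-group 101" that references a missing list permits all traffic on that interface. Where the IOS version supports named access lists and sequence numbers, a single entry can be removed directly instead.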
 
HI.

Isn't your FireWall doing the NAT stuff between the internal and external IP addresses?
If so, then the changes should be at the FireWall and not at the router at all.

Provide more info about your network to get better answers.
What kind of FireWall?
Is it doing NAT currently?
Is the router configured for NAT currently?

Anyway, if you don't know how, it is better to ask your ISP or other experienced person to do the job with you.

Bye
Yizhar Hurwitz
 
Sorry, I must not have said it correctly. I have a Cisco 2610 with a RAM upgrade to handle doing a firewall and a VPN solution from within the router's IOS itself. Now I would just like to open the web server to the Internet. I have been given a public IP to link to it. Basically what I am trying to do now is simply NAT the public IP that was given to me with the private IP that it has on my network. The syntax I am using is in my original post. I was hoping someone out there could tell me if I am using the proper syntax and commands to accomplish the job.

Thanks Again,
Alex
 
You should have an internal firewall behind your router (like a PIX or Firewall-1) on which you can set up a static map entry .. public IP address maps to private IP address!!

You really shouldn't be doing this on a router! If you want to host a web site, protect it with a firewall, NOT a router!!

Chris.
 
Ahhh.. A firewall IS a router by a broad definition. It takes incoming packets and "routes" them based on rules at layer 3... but there are some firewalls that sort at layer 4. Besides.. when you buy a PIX Firewall, it's a PC in a can running the IOS router core with enhancements. Access lists, NAT etc. is all there.

Back to the question at hand...

Here is a sample of static NATing for a website that I do myself. IPs have been changed to protect the guilty ;-)

! Inside (LAN) interface; the web server and access-list 1 share this subnet
interface Ethernet0
ip address 192.168.5.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no cdp enable
!
! Outside interface; 192.168.1.2 stands in for the public address
interface Ethernet1
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no cdp enable
!
! Outbound PAT for the LAN hosts matched by list 1
ip nat inside source list 1 interface Ethernet1 overload
! Inbound port forward: only TCP 80 on the public address reaches the server
ip nat inside source static tcp 192.168.5.20 80 192.168.1.2 80 extendable
!
access-list 1 permit 192.168.5.0 0.0.0.255

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
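A sample like the one above is only useful if its three pieces agree: the static translation's inside address must sit on an "ip nat inside" subnet, and the access list driving the overload entry must match the hosts on that subnet, otherwise nothing gets translated and it is easy to blame DNS. The script below is an added example, not code from the thread; it parses a constructed config modelled on the sample, with the inside interface deliberately placed on 192.168.50.0/24 while the static NAT and list 1 reference 192.168.5.x, and reports both mismatches. Function names and the config text are the example's own.

```python
"""Sanity-check IOS static NAT against interface roles and the overload ACL.

Added example, not from the thread. The config text is constructed; it
keeps the sample's private addresses and a deliberate subnet mismatch.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.50.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Ethernet1
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.5.20 80 192.168.1.2 80 extendable
!
access-list 1 permit 192.168.5.0 0.0.0.255
"""

# Same config with the inside interface moved onto the subnet the NAT lines use.
FIXED_CONFIG = SAMPLE_CONFIG.replace("192.168.50.1", "192.168.5.1")


def parse_config(text):
    """Extract interface addresses/NAT roles, static TCP translations,
    the ACL numbers used for overload NAT, and standard ACL permit networks."""
    interfaces, statics, overload_lists, acls = {}, [], [], {}
    current = None                       # interface whose block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            current = parts[1]
            interfaces[current] = {"addr": None, "nat": None}
        elif line == "!":
            current = None
        elif current and parts[:2] == ["ip", "address"]:
            interfaces[current]["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif current and line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = parts[2]
        elif parts[:6] == ["ip", "nat", "inside", "source", "static", "tcp"]:
            statics.append((parts[6], int(parts[7]), parts[8], int(parts[9])))
        elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
            overload_lists.append(int(parts[5]))
        elif parts[0] == "access-list" and parts[2] == "permit" and len(parts) == 5:
            # standard ACL with a wildcard mask; ipaddress accepts hostmask form
            acls.setdefault(int(parts[1]), []).append(
                ipaddress.ip_network(f"{parts[3]}/{parts[4]}"))
    return interfaces, statics, overload_lists, acls


def audit(text):
    """Return a list of findings; an empty list means the NAT setup is consistent."""
    interfaces, statics, overload_lists, acls = parse_config(text)
    inside_nets = [i["addr"].network for i in interfaces.values()
                   if i["nat"] == "inside" and i["addr"] is not None]
    findings = []
    for inside_ip, _inside_port, _global_ip, _global_port in statics:
        ip = ipaddress.ip_address(inside_ip)
        if not any(ip in net for net in inside_nets):
            findings.append(f"static NAT inside address {inside_ip} is on no "
                            f"'ip nat inside' subnet ({', '.join(map(str, inside_nets))})")
    for number in overload_lists:
        permitted = acls.get(number, [])
        for net in inside_nets:
            if not any(net.overlaps(p) for p in permitted):
                findings.append(f"access-list {number} "
                                f"({', '.join(map(str, permitted)) or 'empty'}) "
                                f"matches no host on inside subnet {net}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as constructed", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against a "show running-config" capture before announcing a new public address to the ISP; the two checks catch the cases where the translation is syntactically valid but can never fire.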
 
The definition of a firewall can include a packet filtering router, a piece of software running on a server (FW-1, Guardian etc..), a firewall in a box (PIX), or indeed a mixture of external/internal routers and bastion hosts!!

Yes, you can apply access-lists and NAT/PAT configurations on routers and they do provide some protection, but if I were protecting my website, I wouldn't do it with a router. If my ISP were protecting my web site with a router and some access lists I'd be pretty p*$$ed off!!

me .. "Hello ISP!! Why is there no firewall protecting the web server??"

ISP .. "Errr, it's protected by the router!!"

me .. "Well, that's okay then!"

It may be a bit pedantic in this case, but you see my point!! It all depends on how you define a firewall!!

So, in reference to the original post, you have a choice:

1. yizhar was correct in suggesting that the security should be a function of a proper firewall.

2. wybnormal was correct in suggesting that some firewall features can be implemented on your router.

Both are valid, and it's up to you to decide how you want to implement your security policy. What's most important is that you have a policy, a definite plan as to how you intend to protect your web site! As you become more experienced you will learn that there is no right or wrong answer (well, sometimes you can be way off the mark) to any problem. There is usually a number of solutions and it's up to you to decide which best suits your situation.

If you decide to implement this on your router then there are many good configuration examples on the Cisco web site.

Good luck.

Chris.
 
First off, thank you all for your help. Chris, had I been part of the purchasing process I would have bought a hardware firewall; in fact that is what I suggested, but being "only a PC Tech", as they put it, I was not part of the process. Now as the Admin I am paying for mistakes made by the ISP that recommended and implemented it. Implementing a new firewall and VPN would not be feasible at this time.
Whatever, I have what I have and must try to make the best of it. MikeS I appreciate your time and help. As it turns out the problem was a combination of rights on the AS/400's internal web server and the router/firewall/VPN (!) box.

Alex
 