network design questions

Thread starter: Guest

Hello,

Our setup currently is as follows:

We have 30 computers behind a Cisco 2624 (sorry, might be a different number). The router is using NAT, opening up specific ports as needed. We have basically been using the router as our firewall. According to our ISP, they are suggesting we remove the NAT and add a firewall inside the LAN because the router seems to be getting bogged down with all of the NAT it has to do.

Questions:

1. Can we make a win2k machine a router/gateway? Any links or
help files on this?

2. What is the advantage/disadvantage of only putting a firewall
on a gateway and not on all computers?

3. Is there a better way to do all of the above?

I apologize if these are naive questions; our sys admin quit and
I am just a programmer trying to get some of the questions answered to move
forward before they hire someone. Thanks in advance.

John
 
> 1. Can we make a win2k machine a router/gateway? Any links or
> help files on this?

You can use RRAS, which is not a security solution. Or, you can use ISA.

> 2. What is the advantage/disadvantage of only putting a firewall
> on a gateway and not on all computers?

The advantage is that you only have to manage one firewall, and not 30. The
disadvantage is that everyone has to adhere to the same set of rules.
However, this is very rarely a problem, in my experience.

> 3. Is there a better way to do all of the above?

Placing a firewall behind your router is pretty standard. You should also
use a very basic ACL on the router to permit only valid ingress/egress
addresses. If you really want to tighten up a low-traffic environment, you
can use extended lists on the router to only permit used ports. That should
help reduce the amount of garbage with which the firewall has to deal.
 
I am VERY skeptical that a 2600 would be getting "bogged down" by
NAT translation and typical access-list filtering -- at least on anything up to
~T1 speeds. (If you also are running IPSec or other CPU-intensive
operations on that router that's a different story as would be OC-3
speeds where a 2600 is not appropriate anyway.) And make sure you
have ip route-cache turned on.

As Keith suggests, you may well want to look at a separate
DMZ firewall, but if the only reason is because your ISP alleges
the 26xx isn't doing the job, I doubt very much that turning off address
translation will make much of a difference.

The first thing to consider, if you are dropping WAN packets
(this is the only way I can think of that your ISP would know you
are "bogging down") and the ILEC is showing clean service,
is to add memory (DRAM, not flash). Also check for spurious packets
or DoS attacks.

Personally, my experience is that the vast majority of these
problems turn out to be on the carrier side. Try running some
rate tests when users are off-LAN with and without access lists and
NAT to see what the line headroom actually is. Do this before you
go on a shopping spree.

Steve Duff, MCSE
Ergodic Systems, Inc.

 
Steve,

Thanks for your thoughts and suggestions. Another reason is
supposedly that a VPN cannot be set up using NAT on this router, unless we
open it up one-to-one, which I prefer not to do due to security. I am
thinking they are looking for the easy out and trying to pass the buck, but I
am not a network admin guy; he found a better job and I am trying to learn
as I go. The VPN had port 1723 open and protocol 47 but it wouldn't work;
it kept giving the client a 721 error. Once it was one-to-one it was working.
Below is a list of what is on the NAT; this is using 8 WAN IPs on a T1. So
what you are saying is that moving the NAT from the router to a win2k
gateway wouldn't do anything better? If I leave it as is, where would the
firewall be installed, on all computers? Thanks in advance.

LAN IP          WAN PORT
192.168.1.39    21
192.168.1.35    25
192.168.1.34    25
192.168.1.36    25
192.168.1.24    80
192.168.1.33    80
192.168.1.32    80
192.168.1.37    80
192.168.1.38    80
192.168.1.57    80
192.168.1.57    81
192.168.1.35    110
192.168.1.34    110
192.168.1.36    110
192.168.1.56    389
192.168.1.56    522
192.168.1.30    1433
192.168.1.31    1433
192.168.1.56    1503
192.168.1.56    1720
192.168.1.21    1723
192.168.1.56    1731
192.168.1.14    5631
192.168.1.14    5631
192.168.1.14    5632
192.168.1.14    5632
192.168.1.1

192.168.1.57    25
192.168.1.57    110


 
> Thanks for your thoughts and suggestions. Another reason is
> supposedly that a VPN cannot be set up using NAT on this router, unless we
> open it up one-to-one, which I prefer not to do due to security. I am

That is, in part, correct. Certain VPN schemes do not work with NAT (i.e.,
transport mode IPSec schemes). Changing from PAT to 1-to-1 corrects this in
most cases, as does changing the scheme to use ESP in tunnel mode.

> thinking they are looking for the easy out and trying to pass the buck, but I
> am not a network admin guy; he found a better job and I am trying to learn
> as I go. The VPN had port 1723 open and protocol 47 but it wouldn't work;
> it kept giving the client a 721 error. Once it was one-to-one it was working.

Transport mode, in all likelihood.

> Below is a list of what is on the NAT; this is using 8 WAN IPs on a T1. So
> what you are saying is that moving the NAT from the router to a win2k
> gateway wouldn't do anything better? If I leave it as is, where would the
> firewall be installed, on all computers? Thanks in advance.

"Better" in this case is relative. If you have the resources, it's always
better to layer your defenses. Plus, most firewalls will give considerably
more flexibility and functionality with respect to NAT, VPN, etc. than a
router.
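John's symptoms (TCP 1723 and IP protocol 47 opened, client error 721, working only once the mapping was one-to-one) are those of PPTP: a TCP 1723 control channel plus a GRE tunnel carrying the PPP frames. The following is an added example, not code from anyone in this thread, that simulates three translators in a few dozen lines: port-overloading NAT (PAT), PAT with a minimal PPTP helper, and a one-to-one static mapping. It shows why the first forwards the TCP session but has no port field to key the GRE reply on, and why the other two deliver it. All addresses, ports and the Call ID value are constructed.

```python
"""Why port-overloading NAT (PAT) forwards PPTP's TCP 1723 control channel
but not its GRE tunnel, and why a one-to-one mapping does.

Added example for this thread, not code from any poster. PPTP is a TCP 1723
control connection plus GRE (IP protocol 47) carrying the PPP frames; GRE
has no port numbers, only a per-call Key/Call ID. All addresses, ports and
the Call ID value below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: Optional[str]
    sport: Optional[int] = None    # TCP/UDP only
    dport: Optional[int] = None
    call_id: Optional[int] = None  # GRE (PPTP's enhanced GRE) only


class Pat:
    """One public address shared by many inside hosts, keyed on L4 ports."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (proto, inside_ip, inside_port) -> public_port
        self.back = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate inside->outside, allocating a public port on first use."""
        if pkt.sport is None:
            return None  # nothing to rewrite: PAT cannot multiplex a portless protocol
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.out[key], pkt.dport)

    def inbound(self, pkt):
        """Reverse-translate a reply; None means no mapping, so drop."""
        hit = self.back.get((pkt.proto, pkt.dport))
        if hit is None:
            return None
        inside_ip, inside_port = hit
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


class PptpAwarePat(Pat):
    """PAT plus a minimal PPTP helper: inbound GRE is demultiplexed on the Call ID
    the inside client announced in its Outgoing-Call-Request on TCP 1723."""

    def __init__(self, public_ip, first_port=1024):
        super().__init__(public_ip, first_port)
        self.calls = {}  # client Call ID -> inside_ip

    def learn_call(self, inside_ip, client_call_id):
        # A real helper parses this out of the 1723 stream; this stands in for that.
        owner = self.calls.setdefault(client_call_id, inside_ip)
        if owner != inside_ip:
            raise ValueError("Call ID collision: a real helper would rewrite it")

    def outbound(self, pkt):
        if pkt.proto == GRE:
            return Packet(GRE, self.public_ip, pkt.dst, call_id=pkt.call_id)
        return super().outbound(pkt)

    def inbound(self, pkt):
        if pkt.proto == GRE:
            inside = self.calls.get(pkt.call_id)
            return Packet(GRE, pkt.src, inside, call_id=pkt.call_id) if inside else None
        return super().inbound(pkt)


class StaticNat:
    """One-to-one mapping: rewrites the address for every protocol, ports untouched."""

    def __init__(self, inside_ip, public_ip):
        self.inside_ip, self.public_ip = inside_ip, public_ip

    def inbound(self, pkt):
        if pkt.dst != self.public_ip:
            return None
        return Packet(pkt.proto, pkt.src, self.inside_ip, pkt.sport, pkt.dport, pkt.call_id)


def demo():
    """Push the client's 1723 SYN out and the server's replies (TCP, then the
    first GRE frame) back through each translator; report what reached the client."""
    client, server, public = "192.168.1.21", "198.51.100.7", "203.0.113.1"
    ctl = Packet(TCP, client, server, sport=3000, dport=1723)
    gre_reply = Packet(GRE, server, public, call_id=9)  # Key = client's Call ID

    pat = Pat(public)
    out = pat.outbound(ctl)
    tcp_reply = Packet(TCP, server, public, sport=1723, dport=out.sport)
    results = {
        "pat_tcp": pat.inbound(tcp_reply).dst == client,
        "pat_gre": pat.inbound(gre_reply) is not None,  # False: no port to key on
    }
    helper = PptpAwarePat(public)
    helper.outbound(ctl)
    helper.learn_call(client, 9)
    results["helper_gre"] = helper.inbound(gre_reply).dst == client
    results["static_gre"] = StaticNat(client, public).inbound(gre_reply).dst == client
    return results


if __name__ == "__main__":
    print(demo())
```

The one-to-one mapping works because it translates the address for every protocol and never looks at a port; the cost is that the whole public address now belongs to that one host, which is the exposure John was uneasy about, so the router ACL in front of it should still admit only TCP 1723 and GRE to that address.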
 
> Hello,
>
> Our setup currently is as follows:
>
> We have 30 computers behind a Cisco 2624 (sorry, might be a different number). The router is using NAT, opening up specific ports as needed. We have basically been using the router as our firewall. According to our ISP, they are suggesting we remove the NAT and add a firewall inside the LAN because the router seems to be getting bogged down with all of the NAT it has to do.
>
> Questions:
>
> 1. Can we make a win2k machine a router/gateway? Any links or
> help files on this?

Sure. Not a smart way to go, but you can do it. You may need
Advanced Server to do the NAT'ing you want, or use a product such as
WinRoute, or better, ISA.

> 2. What is the advantage/disadvantage of only putting a firewall
> on a gateway and not on all computers?

Just because it's on a gateway is no reason you can't put personal
firewalls on systems. But you don't want a personal firewall on a
gateway system. You want a firewall product designed for the task, or
a hardware-based firewall. And you still should use ACLs on your
router.

> 3. Is there a better way to do all of the above?

ACLs on the router blocking most access outright. Firewall/proxy
system doing NAT for internal users, with a DMZ for external access
systems such as web servers and outside mail servers.

> I apologize if these are naive questions; our sys admin quit and
> I am just a programmer trying to get some of the questions answered to move
> forward before they hire someone. Thanks in advance.

For a programmer, you ask pretty good questions. :)
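Keith's design (coarse ACLs on the router that block most access outright, a firewall behind it doing NAT, a DMZ for the public servers) starts from the port-forward table John posted. The script below is an added example, not code from anyone in this thread or from Cisco: it takes that table, works out how many public addresses port-based NAT needs (two hosts that publish the same port cannot share one), and emits a starting IOS configuration with static NAT entries plus the two outside-interface ACLs Keith describes, one admitting only the published (address, port) pairs inbound and one letting only the site's own block out. The public block 203.0.113.0/28, the interface name and the ACL names are placeholders; the PPTP host gets a full one-to-one mapping and a dedicated public address because GRE has no port to forward.

```python
"""Generate a starting Cisco IOS config from a NAT port-forward table.

Added example for this thread; not code from any poster or from Cisco.
FORWARDS is transcribed from John's table (duplicate rows collapsed, the
192.168.1.1 row with no port left out). Everything else is a placeholder:
the public block 203.0.113.0/28, the interface name and the ACL names.
"""
from collections import defaultdict

# Transcribed from John's post: WAN port -> LAN hosts (last octet of 192.168.1.x).
FORWARDS = {
    21: [39], 25: [35, 34, 36, 57], 80: [24, 33, 32, 37, 38, 57], 81: [57],
    110: [35, 34, 36, 57], 389: [56], 522: [56], 1433: [30, 31], 1503: [56],
    1720: [56], 1723: [21], 1731: [56], 5631: [14], 5632: [14],
}
PPTP_PORT = 1723
# Hypothetical public addresses (John said the T1 comes with eight).
PUBLIC_NET = ("203.0.113.0", "0.0.0.15")  # IOS address/wildcard form
PUBLIC_POOL = [f"203.0.113.{i}" for i in range(1, 9)]
SPOOFED_SOURCES = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255",
                   "192.168.0.0 0.0.255.255", "127.0.0.0 0.255.255.255"]


def pairs():
    """(lan_ip, port) pairs, sorted by port then address."""
    flat = [(f"192.168.1.{h}", port) for port, hosts in FORWARDS.items() for h in hosts]
    return sorted(flat, key=lambda p: (p[1], p[0]))


def pptp_hosts(pairs):
    """Hosts that publish 1723: they also need GRE, so they get a whole address."""
    return {ip for ip, port in pairs if port == PPTP_PORT}


def assign_public_ips(pairs, pool=PUBLIC_POOL, exclusive=()):
    """Map each LAN host to one public address.

    Under port-based NAT two hosts that publish the same port cannot share a
    public address, so this is graph colouring: hosts are vertices and an
    edge joins hosts that share a port. Hosts in `exclusive` conflict with
    everyone. Greedy, most-constrained host first; raises if the pool is short.
    """
    by_port = defaultdict(set)
    for ip, port in pairs:
        by_port[port].add(ip)
    conflicts = defaultdict(set)
    for hosts in by_port.values():
        for h in hosts:
            conflicts[h] |= hosts - {h}
    all_hosts = {ip for ip, _ in pairs}
    for h in exclusive:
        conflicts[h] |= all_hosts - {h}
        for other in all_hosts - {h}:
            conflicts[other].add(h)
    mapping = {}
    for h in sorted(conflicts, key=lambda h: (-len(conflicts[h]), h)):
        taken = {mapping[n] for n in conflicts[h] if n in mapping}
        free = [p for p in pool if p not in taken]
        if not free:
            raise ValueError(f"{len(pool)} public addresses are not enough")
        mapping[h] = free[0]
    return mapping


def ios_config(pairs, mapping, outside_if="Serial0/0"):
    """Static NAT plus outside-interface ACLs: only published (public IP, port)
    pairs inbound, only our own block outbound. Returns the config lines."""
    pptp = pptp_hosts(pairs)
    cfg = []
    for ip, port in pairs:
        if ip in pptp:
            continue  # handled below: PPTP needs GRE too, which has no port
        cfg.append(f"ip nat inside source static tcp {ip} {port} "
                   f"{mapping[ip]} {port} extendable")
    for ip in sorted(pptp):
        # One-to-one mapping translates every protocol for that host, GRE included.
        cfg.append(f"ip nat inside source static {ip} {mapping[ip]}")
    cfg.append("ip access-list extended FROM-INTERNET")
    for net in SPOOFED_SOURCES + [" ".join(PUBLIC_NET)]:
        cfg.append(f" deny ip {net} any")          # nobody outside owns these sources
    cfg.append(" permit tcp any any established")  # replies to outbound TCP (stateless)
    for ip, port in pairs:
        cfg.append(f" permit tcp any host {mapping[ip]} eq {port}")
    for ip in sorted(pptp):
        cfg.append(f" permit gre any host {mapping[ip]}")
    cfg.append(" deny ip any any log")               # Steve's "check for garbage": log it
    cfg.append("ip access-list extended TO-INTERNET")
    cfg.append(f" permit ip {' '.join(PUBLIC_NET)} any")  # only our addresses leave
    cfg.append(" deny ip any any log")
    cfg.append(f"interface {outside_if}")
    cfg.append(" ip access-group FROM-INTERNET in")
    cfg.append(" ip access-group TO-INTERNET out")
    return cfg


if __name__ == "__main__":
    p = pairs()
    m = assign_public_ips(p, exclusive=pptp_hosts(p))
    print("\n".join(ios_config(p, m)))
```

On John's table the colouring needs seven of the eight addresses: six hosts share port 80, and the PPTP host takes one to itself. `permit tcp any any established` is the stateless pre-CBAC idiom and passes any segment with ACK or RST set, which is exactly why the stateful firewall behind the router still does the real session tracking; the router list is there to shed the obvious noise and spoofed sources before they reach it.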
 
Keith,

So if I am to understand correctly, what we would do is the following:

1. Make the Cisco router all one-to-ones.
2. Point the public IPs coming from the Cisco router to our win2k server that has a good firewall (any suggestions?).
3. Put NAT on the win2k router to filter specific ports to point to specific LAN IPs.
4. Change all of the workstations to point to the new gateway as opposed to the Cisco firewall.

Please advise on if this is a viable solution or if there is a better alternative. I truly appreciate the help so far.

John
 
Keith,

Basically I am looking for a way to have NAT for the ports we need open plus the VPN, and to use the Cisco router and incorporate a firewall. Any suggestions?

John
 
> Keith,
> So if I am to understand correctly, what we would do is the following:
>
> 1. Make the Cisco router all one-to-ones.
> 2. Point the public IPs coming from the Cisco router to our win2k server
> that has a good firewall (any suggestions?).

Firewall-1 is good, but expensive. Microsoft's ISA would probably work
well for you, since it has tight integration with AD, Windows networking,
VPN services, etc.

> 3. Put NAT on the win2k router to filter specific ports to point to specific LAN IPs.
> 4. Change all of the workstations to point to the new gateway as opposed to the Cisco firewall.
>
> Please advise on if this is a viable solution or if there is a better
> alternative. I truly appreciate the help so far.

That is a perfectly viable (and very common) solution.
 