network design - advise needed

[anton1980]

Hi!

I am trying to setup a network here and I am quite stumped. Will appreciate any help you can offer. Thank you!

What I have:
- unmanaged switch
- firewall (with a router)
- 2 web servers
- a class C network assigned by ISP (let's say 10.10.10.0)

What I need:
- connect web servers to the Internet (must have external IPs)
- protect the servers by firewall (close all ports except ftp, smtp, http, bind)
- connect the web servers into a local network

So far I have connected the web servers to the switch and the switch to the uplink. It works! But how do I introduce the firewall? If I add it between the switch and the uplink the servers won't have the external IPs anymore :(

[lazareth1]

Whats the make and model of everything you have there on the list?

[anton1980]

hi!

switch: Cisco Catalyst Express 500
firewall: Cisco ASA 5505

i already got advised on another forum to put the firewall between the uplink and the switch and then create a local network for the severs, using NAT.

[af3]

This sounds like a test question.

[lazareth1]

They're right about connecting it in between the switch and the uplink, but as you said using NAT etc means you would not use the external IP addresses for the servers.

I would use a PIX firewall without the routing function so your webservers could use the public IP addresses.

[af3]

Is there such a notion in a router (maybe commercial grade) of two or more servers using the same port, and using cross-server communication to determine which server should reply to the request? I am just curious! :)

[lazareth1]

Quote:

Originally Posted by af3

Is there such a notion in a router (maybe commercial grade) of two or more servers using the same port, and using cross-server communication to determine which server should reply to the request? I am just curious! :)

Wll If ya wanted to make a server replay to a specific request you would use port forwarding setup on the router to forward certain requests to the server via it's IP address. I'm not quite sure what you mean by your cross over scenario, but it seems more complicated than doing what I just stated.

[krishananda]

Cisco CE 500 switches are managed switches dude, they only use web config and not console style config.
What module you have in the ASA? if you have the additional 4 ports ethernet module you can just plug the servers right to the ASA and make them part of the DMZ.
If you don't, just make VLAN for servers only and configure the VLAN on both the ASA and the switch.

You can do it like this:

router ----> ASA -----> switch -----> workstation
-----> servers

or like this:

router -----> ASA -----> switch -----> workstation
-----> servers