topic Re: Configuring 7102dl in Switches, Hubs, and Modems

Configuring 7102dl

Sam Chhlang — Thu, 18 Jan 2007 03:21:03 GMT

I'm fairly new to networking so hopefully I can explain my problem so that you guys can understand. I'm trying to setup a 7102dl router to a T1 line. We have the T1 module installed. I also want to setup a DMZ for our web server. My question is, do I configure the T1 interface for internet access, the eth 0/1 interface for internal, and eth 0/2 for the DMZ? And to setup a DMZ, do I create a security zone for it? Also, will I have internet access by just using the firewall wizard through the web GUI? and do I need to create ACLs?

Re: Configuring 7102dl

Mohieddin Kharnoub — Thu, 18 Jan 2007 04:25:36 GMT

Hi

Your scenario will be like this:

- Create a DMZ in security Zones.
- Configure the T1 interface for internet access.
- Configure DMZ to have one of the Ethernet interfaces.
- Configure the other Ethernet interface for your LAN.

You need now to configure firewall polices for these 3 Zones, so from LAN to Internet you can use the wizard.

I'm not sure if you can configure DMZ access through the firewall wizard also, so i think you should do it from the CLI.

I believe that VPN to DMZ can be configured by the VPN wizard.

Good Luck !!!

Re: Configuring 7102dl

Olaf Borowski — Fri, 19 Jan 2007 11:43:31 GMT

Hi Sam,

Typically, you would use NAT to grant your "inside, secure" network access to the outside world. Using NAT (network address translation), only addresses from the inside network can access the outside (Internet). If you want people from the outside accessing servers on the inside, you have to create DMZs. Look at the documentation below for some examples.
ftp://ftp.hp.com/pub/networking/software/ProCurve-SR-IP-Firewall-Config-Guide.pdf.
The DMZ will allow users from the Internet to access your servers, but they cannot get to your internal network. Typically mail and webserver would be in a DMZ.

Hope this helps,

Olaf

Re: Configuring 7102dl

fernando sabio — Fri, 19 Jan 2007 14:26:52 GMT

olaf wrote:

"...If you want people from the outside accessing servers on the inside, you have to create DMZs"

Q1) can you not just allow, via one to one nat ACLs that allow particular ports to forward to particular internal IPs (ie: hit 207.1.1.15 on port 80 and you get 10.1.1.15 on the 'lan'

i ask b/c i have a question, i'll post seperately, and not hijack this one, but that part is pertinent to both (ie: if he want's to set up vpn or rdp to his 'lan')

thanks.
Fernando

Re: Configuring 7102dl

Olaf Borowski — Fri, 19 Jan 2007 15:11:36 GMT

Yes you can do what you propose. Drawback: If someone gains unauthorized access to you WEB server, they have access to your LAN. If the server is on a different network, you have more control meaning you can specify what can and cannot be done between your internal network and the DMZ network.

"have to" was maybe too strong. "Should" is better.

Re: Configuring 7102dl

Sam Chhlang — Thu, 25 Jan 2007 17:18:15 GMT

I am able to get internet access to work, but I cannot get HTTP requests from the outside to hit our web server. Here is the config, can someone take a look and tell me what I need to change?

ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to ProCurve SR
permit ip any any log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host xx.xxx.xxx.106 eq www log
!
ip access-list extended wizard-pfwd-2
remark Port Forward 2
permit tcp any host xx.xxx.xxx.106 eq ftp log
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 192.168.1.xxx
nat destination list wizard-pfwd-2 address 192.168.1.xxx
!
!
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.105
!

Re: Configuring 7102dl

Sam Chhlang — Thu, 25 Jan 2007 17:34:13 GMT

Edit:

The firewall wizard created two zones, a Public and a Private. Eventually I will create another zone (DMZ). But I just wanted to make sure that www requests are allowed in and forwarded to our web server.

Re: Configuring 7102dl

Lei.Ma — Thu, 25 Jan 2007 20:51:10 GMT

I can give you a sample. you can check it out.
sample:
ProCurve University San Francisco Network
192.168.1.0/24

Outbound public address: 16.1.1.1
Inbound HTTP global address: 16.1.1.2

config:

interface eth 0/1
ip address 192.168.1.1 255.255.255.0
access-policy Inside

interface ppp 1
ip address 16.1.1.1 255.255.255.248
access-policy Outside

ip policy-class Inside
nat source list MatchAll interface PPP 1 overload

ip policy-class Outside
nat destination list InWeb address 192.168.1.10
discard list MatchAll

ip access-list standard MatchAll
permit any

ip access-list extended InWeb
permit tcp any host 16.1.1.2 eq 80