RE: Cisco 2611 2nd thread
- To: "'tlug@example.com'" <tlug@example.com>
- Subject: RE: Cisco 2611 2nd thread
- From: Scott Stone <SStone@example.com>
- Date: Thu, 17 May 2001 10:41:32 -0700
- Content-Type: text/plain;charset="iso-8859-1"
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <RSAtN.A.TdC.ZrBB7@example.com>
- Resent-Sender: tlug-request@example.com
That would require setting up transparent bridging on the C2611, which can be done, but I'm not sure it's the best idea. He really should be using NAT, not publicly routable IPs for the dial-in pool. It doesn't scale, and it presents security issues.

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA

-----Original Message-----
From: Sven Simon [mailto:sven@example.com]
Sent: Thursday, May 17, 2001 9:00 AM
To: tlug@example.com
Subject: Cisco 2611 2nd thread

First, thanks to all for the many hints and ideas. Now, it didn't make life easier, since a lot of stuff came up I didn't think about. Sure, it'd be nice to have a true stateful packet filter, but since this guy could get along without any security for that long... :)

Here's the situation again. He owns a C-class address space, where he's put all his machines and the dial-in accounts, meaning there are probably just a bit more than 100 customers. Now, the new 2611 is all he's gonna spend money on. No new uplink, no new hardware, no new address space. I know we should actually totally rearrange things there to get real security, but for now, a simple port filter for his own machines will do.

So here's my idea, tell me if it's possible: What if I connect all his servers to one ethernet interface on the 2611 and implement filters doing something like "deny all (except for the services he needs) x.x.x.0/28", and have all his servers an IP from x.x.x.1 to x.x.x.14 assigned, while on the other interface all the dial-in servers with IPs higher than 17 would go, so they're not affected by the filter rules.

How would it look, though, to access the DNS (for instance) from a dial-in machine? They're residing on the same subnet (x.x.x.x/24 on the customer machines) as the DNS, but on the other ethernet interface. Will they get to the DNS without going through the filters? Guess yes, since I won't have to do any routing between the interfaces, only from them to the WAN link, right?

Of course it would be less of a hack setting a netmask of 255.255.255.128 on all machines and have the servers put on one side and the dial-ins on the other and assign different default gateways on each side, but this way he'll run out of addresses fast on the dial-in side, whereas it'd be a waste having only about ten machines on the other side.

Don't gimme too much "it's not nice to do it this way", because I know it isn't :)

SVEN

-----------------------------------------------------------------------
Next Technical Meeting: Sat, May 12 13:30-
Next Nomikai Meeting: Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan
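The two points the thread raises, Sven's "deny all except the services he needs" filter on the server-side Ethernet and Scott's recommendation to put the dial-in pool behind NAT instead of on public addresses, can be combined on one 2611. The following IOS configuration is an added example written for this page, not a configuration from either poster. It assumes: 192.0.2.0/24 stands in for the customer's real x.x.x.0/24, the servers keep the lower half (the 255.255.255.128 split Sven mentions, with the router at .1, DNS at .2, web at .3 and mail at .4), the dial-in access servers hand out addresses from an assumed private pool 10.10.0.0/16, and the uplink is a serial WIC at 203.0.113.2. Interface names and the list of permitted services are assumptions as well.

```cisco
! Added example configuration (not from the thread).
! 192.0.2.0/24 stands in for the customer's x.x.x.0/24; 10.10.0.0/16 is an
! assumed private dial-in pool; 203.0.113.0/30 is an assumed uplink subnet.
!
! WAN uplink: NAT "outside"
interface Serial0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Server LAN: lower /25 of the public block, filtered as traffic leaves the
! router toward the servers (covers both WAN and dial-in sources)
interface Ethernet0/0
 description Servers (192.0.2.2-126)
 ip address 192.0.2.1 255.255.255.128
 ip access-group SERVERS-OUT out
!
! Dial-in LAN: access servers use the private pool; NAT "inside"
interface Ethernet0/1
 description Dial-in access servers, private pool
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
! Translate the private pool to the uplink address on its way out (overload = PAT)
access-list 10 permit 10.10.0.0 0.0.255.255
ip nat inside source list 10 interface Serial0/0 overload
!
! Deny everything to the server block except the services it offers.
! Dial-in to server traffic is NOT translated (Ethernet0/0 is neither NAT
! inside nor outside), so the private pool reaches the DNS with its 10.x
! source address and is matched by the "any" entries below.
ip access-list extended SERVERS-OUT
 remark DNS for everyone, including the dial-in pool
 permit udp any host 192.0.2.2 eq domain
 permit tcp any host 192.0.2.2 eq domain
 remark Public services
 permit tcp any host 192.0.2.3 eq www
 permit tcp any host 192.0.2.4 eq smtp
 remark Replies to connections the servers opened themselves (TCP only)
 permit tcp any 192.0.2.0 0.0.0.127 established
 deny   ip any 192.0.2.0 0.0.0.127 log
```

Two things worth knowing before copying the pattern. An outbound ACL on Ethernet0/0 filters everything the router forwards toward the servers, regardless of whether it arrived from the WAN or from the dial-in side, so the dial-in customers' DNS lookups have to be permitted explicitly; here the `any` entries do that. And `established` only checks TCP flags, so this is the plain port filter Sven describes, not the stateful filter he says would be nicer; UDP replies to the servers' own outbound queries (their recursive DNS, for instance) need their own `permit` lines.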
- Follow-Ups:
- Re: Cisco 2611 2nd thread
- From: Jonathan Q <jq@example.com>