DNS & Firewall - Best Practice
I am using an ASA to segment my internal network. The device is currently monitoring traffic between the networks. I'll tighten it down in a week.
The traffic that is passing is logged via IP, of course, except for the hosts that I've entered in with the "NAMES" command. Why are firewalls not able to get their resolution info from an internal DNS server? Would it be a security flaw? I ask, because I think it would be more accurate to use DNS, rather than enter countless "NAMES".
thanks in advance...
Currently ASA/PIX is not designed to resolve IP to URL or vice-versa. This is a good feature though and developers are working on it. We hope to see this coming in future releases. Not sure when. I would recommend you to get in touch with your accounts team if you have one. They can directly get in touch with developers and probably raise the severity of this request.
Regards,
Vibhor.
Similar Messages
-
DNS Configured-Best Practice on Snow Leopard Server?
How many of you configure and run DNS on your Snow Leopard server as a best practice, even if that server is not the primary DNS server on the network, and you are not using Open Directory? Is configuring DNS a best practice if your server has a FQDN name? Does it run better?
I had an Apple engineer once tell me (this is back in the Tiger Server days) that the servers just run better when DNS is configured correctly, even if all you are doing is file sharing. Is there some truth to that?
I'd like to hear from you either way, whether you're an advocate for configuring DNS in such an environment, or if you're not.
Thanks.
Ok, local DNS services (unicast DNS) are typically straightforward to set up, very useful to have, and can be necessary for various modern network services, so I'm unsure why this is even particularly an open question. Which leads me to wonder what other factors might be under consideration here, or what I'm missing.
The Bonjour mDNS stuff is certainly very nice, too. But not everything around supports Bonjour, unfortunately.
As for being authoritative, the self-hosted out-of-the-box DNS server is authoritative for its own zone. That's how DNS works for this stuff.
And as for querying other DNS servers from that local DNS server (or, if you decide to reconfigure it and deploy and start using DNS services on your LAN), then that's how DNS servers work.
And yes, the caching of DNS responses both within the DNS clients and within the local DNS server is typical. This also means that there is no need for references to ISP or other DNS servers on your LAN for frequent translations; no other caching servers and no other forwarding servers are required. -
Setup internal and external DNS namespaces best practice
Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local) able to run on the same DNS server (using Microsoft Windows DNS servers)?
MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com if the external namespace is companydomain.com. How shall this be set up? Shall I create my ADDS domain as corp.companydomain.com directly, or companydomain.com and then create a subdomain corp?
Thanks in advance.
William Lee
Hong Kong
Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local) able to run on the same DNS server (using Microsoft Windows DNS servers)?
Yes, it is technically feasible. You can have both of them running on the same DNS server(s). Just only your public DNS zone can be published for external resolution.
MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com
if the external namespace is companydomain.com. How shall this be setup? Shall I create my ADDS domain as corp.companydomain.com directly or companydomain.com then create a subdomain corp?
What is recommended is to avoid having a split-DNS setup (your internal and external DNS names are the same). This is because it introduces extra complexity and confusion when managing it.
My own recommendation is to use .local for internal zone and .com for external one.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
-
DNS best practice in local domain network of Windows 2012?
Hello.
We have a small local domain network in our office. Which one is the best practice for the DNS: to setup a DNS in our network forwarding to public DNSs or directly using public DNS in all computers including server?
Thanks.
Selim
Hi Selim,
Definitely the first option, "setup a DNS in our network forwarding to public DNSs", and all computers including the server have local DNS configured.
An even better practice would be for this local DNS to point to a standalone DNS server in the DMZ which queries the public DNS.
Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time, less internet usage for repeated queries.
Also an additional DNS layer helps protect your internal DNS data from attackers out in the internet.
Using internal DNS on all the computers will also help you host intranet websites and access them directly. Moreover, when you are on an AD domain, you need to have the computers' DNS configured properly for AD authentication to happen.
Regards,
Satyajit
Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you. -
2K8 - Best practice for setting the DNS server list on a DC/DNS server for an interface
We have been referencing the article
"DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers" http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx but there are some parts that are a bit confusing. In particular is this statement:
"The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."
The paragraph switches from using the term "its own IP address" to "loopback" address. This is confusing because technically they are not the same. Loopback addresses are 127.0.0.1 through 127.255.255.255. The resolution section then goes on and adds the "loopback address" 127.0.0.1 to the list of DNS servers for each interface.
In the past we always setup DCs to use their own IP address as the primary DNS server, not 127.0.0.1. Based on my experience and reading the article I am under the impression we could use the following setup.
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: 127.0.0.1
I guess the secondary and tertiary addresses could be swapped based on the article. Is there a document that provides clearer guidance on how to set up the DNS server list properly on Windows 2008 R2 DC/DNS servers? I have seen some other discussions that talk about the pros and cons of using another DC/DNS as the Primary. MS should have clear guidance on this somewhere.
Actually, my suggestion, which seems to be the mostly agreed method, is:
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: empty
The tertiary more than likely won't be hit (besides it being superfluous, and the list will reset back to the first one) due to the client side resolver algorithm time out process, as I mentioned earlier. Here's a full explanation on how it works and why:
This article discusses:
WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
The DNS Client Side Resolver algorithm.
If one DC or DNS goes down, does a client logon to another DC?
DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
Client side resolution process chart
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
DNS
Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx
The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
http://support.microsoft.com/kb/320760
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
I agree with this proposed solution as well:
Primary DNS: Locally assigned IP of the DC (i.e. 192.168.1.5)
Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Tertiary DNS: empty
One thing to note, in this configuration the Best Practice Analyzer will throw the error:
The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.
Even if you add the loopback address as a Tertiary DNS address the error will still appear. The only way I've seen this error eliminated is to add the loopback address as the second entry in DNS, so:
Primary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
Secondary DNS: 127.0.0.1
Tertiary DNS: empty
I'm not comfortable not having the local DC/DNS address listed so I'm going with the solution Ace offers.
Opinion? -
IronPort ESA best practice for DNS servers?
Hello!
Is there a best practice for what servers should be used for the Cisco IronPort DNS servers?
Currently when I check our configuration, we have set it to "Use these DNS servers" and the first two are our domain controllers and last two are Google DNS.
Is there a best practice way of doing this? I'm thinking of selecting the "Use the Internet's Root DNS Servers" option as I can't really see an advantage of using internal DC's.
Thoughts?
Best practice is to use Internet Root DNS Servers and define specific DNS servers for any domain that you need to give different answers for. Since internal mail delivery is controlled by smtproutes, using internal DNS servers is normally not required.
If you must use internal dns servers I recommend servers dedicated to your Ironports and not just using servers that handle enterprise lookups as well. Ironports can place a very high load on dns servers because every outside connection results in multiple dns lookups. (forward, reverse, sbrs)
If you don't have enough DNS horsepower you are susceptible to a DoS attack, either through accident or design. If the Ironports overload your internal DNS servers it can impact your entire enterprise. -
CAS array internal DNS IP address best practice
Hi, Just a question about a best practice approach for DNS and CAS arrays.
I have an Exchange 2010 Org. I have two CAS/HUB servers and two MBX servers. My external DNS (mail.mycompany.biz) host record points to a public IP address which is NAT'd to the internal IP address of my NLB CAS cluster. I maintain a split brain DNS. Should the internal DNS entry for mail.mycompany.biz also point to the public IP address or should it point to the internal IP address of the NLB cluster?
A few comments:
The reason you have split DNS is to do exactly these sorts of things: inside users hit the inside IP and outside users hit the outside IP. You'll have to look at your overall network design to see if it makes sense for users to take this shortest route to the services, or if there is value in knowing all users simply take the same path.
You should not be using the same DNS name for your web services (e.g. OWA) as you are for your CAS array. This can cause very long connection delays on Outlook clients, not to mention overall confusion in your design. Many orgs will use something like "outlook.domain.com" for the Client Access Array and "mail.domain.com" for the web services. Only the latter of these two needs to be exposed to the internet.
Keep in mind, Exchange 2013 dramatically changes this guidance. There is no more CAS array, and the recommended design is to use dedicated namespaces for each web service.
Mike Crowley | MVP
My Blog -- Planet Technologies -
Best practice DNS in VPN environment for Lync2013 clients
So I do have those site2site VPNs to connect the small branch offices to the main office. Internal DNS makes sure, that the branch offices can acess all the servers/services in the main office with their domain.local namespace.
In such a scenario will the Lync2013 clients connect through the VPN to the internal sites due to both lyncdiscover and lyncdiscoverinternal being available?
Wouldn't it cause way less burden on the VPN routers if clients would simply go out to the internet and connect from the external side, so all the Lync traffic does not have to be stuffed through the VPN pipe? I don't see the point of encrypting the traffic once more.
Thanks for your suggestions about best practices!
HST
Hi,
When users connect to the corporate network using a VPN client, Lync media traffic is sent through the VPN tunnel. This configuration can create additional latency and jitter because media traffic must pass through an additional layer of encryption and decryption. The issue is compounded when the VPN concentrator is busy.
If you want to connect Lync server from public network you need to deploy an Edge server.
The solution to force VPN traffic through the Edge Servers must allow external Lync clients connected through VPN, you can refer to the part of "Solution Configuration" in the link below:
http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
Best Regards,
Eason Huang
TechNet Community Support -
Hello,
we currently have an issue regarding DNS in a multiple Domain Forest.
First of all, in the forest there are 5 Domains (names changed):
dom1.domain.org
sub.dom1.domain.org
dom2.domain.org
dom1.url.de
dom.de
As you see, a forest full of Domains not matching ;-)
We also have multiple sites, and as per network requirements, replication is made through Domain: dom1.domain.org
All other Domains replicate only with this one.
The DNS is currently set up as follows:
Each Domain Controller holds its own domain as primary AD integrated Domain in DNS (Domain wide repl.).
All others are set up as Forest Wide AD integrated Stubs.
Each startup we get Event 4515 on the DCs, that a Zone is available twice.
So, I have to troubleshoot this infrastructure now.
Can you tell me, what is best practice here to set up DNS correctly with less replication traffic as possible?
Best regards
By default, DNS zone replication scope is domain-wide, except for the _MSDCS zone. _MSDCS zone replication should be forest-wide. In addition, replication scope can be decided as per your business requirement.
Regards~Biswajit
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
-
DNS best practices for hub and spoke AD Architecture?
I have an Active Directory Forest with a forest root such as joe.co and the root domain of the same name, and root DNS servers (Domain Controllers) dns1.joe.co and dns2.joe.co
I have child domains with names in the form region1.joe.co, region2.joe.co and so on, with DNS servers dns1.region1.joe.co and so on.
Each region has distributed offices that may have a DC in them, servers named in the form dns1branch1.region1.joe.co
Over all my DNS tests out okay, but I want to get the general guidelines for setting up new DCs correct.
Configuration:
Root DC/DNS server dns1.joe.co adapter settings points DNS to itself, then two other root domain DNS/DCs dns2.joe.co and dns3.joe.co.
The other root domain DNS/DCs adapter settings point to root server dns1.joe.co and then to itself dns2.joe.co, and then 127.0.0.1
The regional domains have a root dns server dns1.region1.joe.co with adapter that that points to root server dns1.joe.co then to itself.
The additional region domain DNS/DCs adapter settings point to dns1.region1.joe.co, then to itself, then to dns1.joe.co
What would you do to correct this topology (and settings) or improve it?
Thanks in advance
just david
Hi,
According to your description, my understanding is that you need suggestion about your DNS topology.
In theory, there is no obvious problem. Apart from the namespace and server planning for DNS, zones also need consideration. If you place a DNS server in each domain and subdomain, confirm whether the traffic generated by DNS will affect network performance.
Besides, fault tolerance and security are also necessary.
We usually recommend that:
DC with DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. And when referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address. For detailed information you may reference:
What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
How To Split and Migrate Child Domain DNS Records To a Dedicated DNS Zone
http://blogs.technet.com/b/askpfeplat/archive/2013/12/02/how-to-split-and-migrate-child-domain-dns-records-to-a-dedicated-dns-zone.aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Best practices for 2 x DNS servers with 2 x sites
I am curious if someone can help me with best practices for my DNS servers. Let me give my network layout first.
I have 1 site with 2 x Windows 2012 Servers (1 GUI - 10.0.0.7, the other CORE - 10.0.0.8); the 2nd site, connected via VPN, has 2 x Windows 2012R2 Servers (1 GUI - 10.2.0.7, the other CORE - 10.2.0.8). All 4 servers are promoted to DCs and have DNS services running.
Here goes my questions:
Site #1
DC-01 - NIC IP address for DNS server #1 set to 10.0.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
DC-02 - NIC IP address for DNS server #1 set to 10.0.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
Site #2
DC-01 - NIC IP address for DNS server #1 set to 10.2.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
DC-02 - NIC IP address for DNS server #1 set to 10.2.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local
> properties > Name Servers should I have all of my other DNS servers, or should I have my WAN DNS servers? In a single server scenario I always put my WAN DNS server but a bit unsure in this scenario.
Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > General > Type should all servers be set to
Active Directory - Integrated > Primary Zone? Should any of these be set to
Secondary Zone?
Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > Zone Transfers should I allow zone transfers?
Would the following questions be identical to the Forward Lookup Zone mydomain.local as well?
Site1
DC1: Primary 10.0.0.7. Secondary 10.0.0.8. Tertiary 127.0.0.1
DC2: Primary 10.0.0.8. Secondary 10.0.0.7. Tertiary 127.0.0.1
Site2
DC1: Primary 10.2.0.7. Secondary 10.2.0.8. Tertiary 127.0.0.1
DC2: Primary 10.2.0.8. Secondary 10.2.0.7. Tertiary 127.0.0.1
The DCs should automatically register in msdcs. Do not register external DNS servers in msdcs or it will lead to issues. Yes, I recommend all zones to be set to AD-integrated. No need to allow zone transfers as AD replication will take care of this for you. Same for mydomain.local.
Hope this helps. -
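The DNS-client lists for domain controllers discussed in the two-site thread just above and in the earlier 2K8 thread can be checked mechanically. The following is an added example (not code from any of the posts) that encodes only the points the replies agree on: a DC must not point solely at itself, the loopback address must not be the first entry (the Best Practice Analyzer error quoted earlier), and another DC should be listed as a fallback. The four DC addresses are taken from the question; the ISP resolver address 203.0.113.53 is a constructed sample value.

```python
"""Sanity-check the DNS server list configured on a domain controller's adapter.

Added example, not from the forum posts. Which DC goes first is left to the
administrator; the checks below cover only the failure modes the replies name.
"""
import ipaddress

# Constructed sample: the four DCs from the two-site question.
KNOWN_DCS = {"10.0.0.7", "10.0.0.8", "10.2.0.7", "10.2.0.8"}


def _refers_to_self(entry: str, own_ip: str) -> bool:
    """True if the entry is this server's own address or any 127/8 loopback address."""
    return entry == own_ip or ipaddress.ip_address(entry).is_loopback


def check_dc_dns_list(own_ip: str, dns_servers: list, other_dcs: set) -> list:
    """Return a list of findings; an empty list means the list passes every check."""
    findings = []
    if not dns_servers:
        return ["no DNS servers configured on the adapter"]

    # BPA rule quoted in the 2K8 thread: loopback must not be the first entry.
    if ipaddress.ip_address(dns_servers[0]).is_loopback:
        findings.append("loopback address is the first entry")

    # Islanding: a DC that can reach only its own DNS service may fail to
    # replicate when that service is down or starts after AD DS does.
    if all(_refers_to_self(s, own_ip) for s in dns_servers):
        findings.append("DC points only to itself (islanding risk)")

    # Fallback: at least one other DC should be present.
    peers = [s for s in dns_servers if s in other_dcs and s != own_ip]
    if not peers:
        findings.append("no other domain controller listed as a fallback")

    # Anything that is neither this DC nor a known DC (e.g. an ISP resolver)
    # cannot answer for the AD zones and does not belong on a DC's adapter.
    unknown = [s for s in dns_servers if not _refers_to_self(s, own_ip) and s not in other_dcs]
    if unknown:
        findings.append("non-DC resolvers listed: " + ", ".join(unknown))
    return findings


def audit_site_layout(layout: dict, other_dcs: set = KNOWN_DCS) -> dict:
    """Run the check over {own_ip: [dns servers]} and return only the DCs with findings."""
    result = {}
    for dc, servers in layout.items():
        findings = check_dc_dns_list(dc, servers, other_dcs)
        if findings:
            result[dc] = findings
    return result


if __name__ == "__main__":
    layout = {
        # The layout the reply recommends: self, the site peer, loopback last.
        "10.0.0.7": ["10.0.0.7", "10.0.0.8", "127.0.0.1"],
        "10.0.0.8": ["10.0.0.8", "10.0.0.7", "127.0.0.1"],
        # Constructed mistakes: an islanded DC and one pointing at an ISP resolver.
        "10.2.0.7": ["127.0.0.1"],
        "10.2.0.8": ["10.2.0.8", "203.0.113.53"],
    }
    for dc, findings in audit_site_layout(layout).items():
        print(dc, "->", "; ".join(findings))
```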
Looking for best practices when creating DNS reverse zones for DHCP
Hello,
We are migrating from ISC DHCP to Microsoft DHCP. We would like the DHCP server to automatically update DNS A and PTR records for computers when they get an IP. The question is, what is the best practice for creating the reverse look up zones in DNS? Here
is an example:
10.0.1.0/23
This would give out IPs from 10.0.1.1-10.0.2.254. So with this in mind, do we then create the following reverse DNS zones?:
1.0.10.in-addr.arpa AND 2.0.10.in-addr.arpa
OR do we only create:
0.10.in-addr.arpa And both 10.0.1 and 10.0.2 addresses will get stuffed into those zones.
Or is there an even better way that I haven't thought about? Thanks in advance.
Hi,
Based on your description, creating two reverse DNS zones 1.0.10.in-addr.arpa and 2.0.10.in-addr.arpa, or creating one reverse DNS zone 0.10.in-addr.arpa, both methods are all right.
Best Regards,
Tina -
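The two zone layouts the reply above calls acceptable differ only in where each PTR record lives. The following is an added example (not from the thread) that works from the address range given in the question, lists the /24 reverse zones that cover it, derives the single /16 parent zone instead, and shows the PTR owner name an address gets under each layout.

```python
"""Plan reverse (in-addr.arpa) zones for a DHCP scope.

Added example, not from the forum thread. Both layouts resolve the same
addresses; only the PTR owner names relative to the zone differ.
"""
import ipaddress


def covering_slash24s(first_ip: str, last_ip: str) -> list:
    """Every /24 network that overlaps the inclusive range first_ip..last_ip."""
    start = int(ipaddress.IPv4Address(first_ip)) >> 8
    end = int(ipaddress.IPv4Address(last_ip)) >> 8
    if start > end:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Network((block << 8, 24)) for block in range(start, end + 1)]


def reverse_zone(network: ipaddress.IPv4Network) -> str:
    """Classful reverse zone name for an octet-aligned (/8, /16, /24) network."""
    if network.prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa delegation happens on octet boundaries; use /8, /16 or /24")
    octets = str(network.network_address).split(".")[: network.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def per_slash24_zones(first_ip: str, last_ip: str) -> list:
    """Layout 1: one reverse zone per /24 covered by the scope."""
    return [reverse_zone(net) for net in covering_slash24s(first_ip, last_ip)]


def parent_slash16_zone(first_ip: str, last_ip: str) -> str:
    """Layout 2: a single /16 zone holding the PTRs for every /24 of the scope."""
    parents = {net.supernet(new_prefix=16) for net in covering_slash24s(first_ip, last_ip)}
    if len(parents) != 1:
        raise ValueError("scope spans more than one /16; one parent zone cannot hold it")
    return reverse_zone(parents.pop())


def ptr_owner_name(ip: str, zone: str) -> str:
    """Owner name of the PTR record for ip, relative to the given zone.

    10.0.2.37 is '37' in 2.0.10.in-addr.arpa but '37.2' in 0.10.in-addr.arpa.
    """
    fqdn = ipaddress.IPv4Address(ip).reverse_pointer  # e.g. '37.2.0.10.in-addr.arpa'
    suffix = "." + zone  # leading dot so 11.0.10 is not mistaken for 1.0.10
    if not fqdn.endswith(suffix):
        raise ValueError(f"{ip} does not belong in zone {zone}")
    return fqdn[: -len(suffix)]


if __name__ == "__main__":
    scope = ("10.0.1.1", "10.0.2.254")  # the range given in the question
    print("per-/24 zones:", per_slash24_zones(*scope))
    print("single parent zone:", parent_slash16_zone(*scope))
    sample_lease = "10.0.2.37"  # constructed DHCP lease inside the scope
    for zone in per_slash24_zones(*scope) + [parent_slash16_zone(*scope)]:
        try:
            print(f"{sample_lease} -> {ptr_owner_name(sample_lease, zone)} in {zone}")
        except ValueError as exc:
            print(exc)
```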
ICMP Best Practices for Firewall
Hello,
Is there a such Cisco documentation for ICMP best practices for firewall?
Thanks
Hello Joe,
I haven't looked for such a document, but what I can tell you is the following:
ICMP is a protocol that lets us troubleshoot or test whether IP routing is good on our network or if a host is live on our network, so I can tell you that from that perspective this is definitely something good (not to mention some of the other good uses we can make of this protocol, such as Path MTU Discovery, etc.).
But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network, even to perform DoS attacks (Smurf attack, etc.).
So what's the whole point of this post:
Well, at least in my opinion, I would allow ICMP on my network but I would definitely permit only the right ICMP code messages, and I would protect my network against any known vulnerability regarding DoS attacks with ICMP. In this case I will still take advantage of the really useful protocol while protecting my environment.
Hope that I could help
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura -
I have a small office (10 computers with five users) that have a Windows 2003 server that has a corrupted AD. Their 2003 server R2 is essentially a file server and provides authentication. They purchased a new Dell 2012 R2 server.
It seems easier to me to just create a new domain (using their public domain name).
But I need as little office downtime as possible. Therefore I would like to promote this server to its new domain on the same LAN as the current domain server. I plan to manually replicate the users and folder permissions. Once done, I plan to remove the old server from the network and join the office computers to the new domain.
They are also running a legacy application that will require some tweaking by another tech. I have been hoping to prep the new domain prior to the legacy tech arriving. That is why I would like both domains to co-exist temporarily. I have read that the major issues involved in this kind of temporary configuration will then be related to setting up DNS. They are using the firewall to provide DHCP.
Are there any best practices documents for this situation?
Or is there a better or simpler strategy?
Gary Metz
I followed the two links below. I think it should be the same even though the links are 2008 R2 migration steps.
http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
http://blog.zwiegnet.com/windows-server/migrate-server-2003-to-2008r2-active-directory-and-fsmo-roles/
Hope this help! -
Best Practices for Integrating UC-5x0's with SBS 2003/8?
Almost all of Cisco's SBCS market is the small and medium business space. Most, if not all, of these SMBs have a Microsoft Small Business Server 2003 or 2008. It will be critical, in order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
To that end, I see a lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
Some of the challenges include;
1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
2. Should the Microsoft Windows Small Business Server handle DHCP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
3. Which device should handle DNS?
My documentation (and I recommend that any Cisco Lab/Best Practice guidance include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients;
1. A UC-540 device utilizing SIP for the cost savings
2. High Speed Internet with 5 static routable IP addresses
3. An existing Microsoft Small Business Server 2003/8
4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on separate routable IPs (making up crazy non-standard port redirections is not an option).
5. An employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. an employee's home, a client's office, or a telework center). This teleworker should use the built-in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
Your thoughts appreciated.
Progress Report;
The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
Interestingly, the CCA still works. The NAT module even shows all the private mapped IPs, but not the corresponding public IPs. I wouldn't recommend trying to make any changes via the CCA in the NAT module.
To review, this configuration assumes the following;
1. The UC540 has a public IP address of 4.2.2.2
2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
First, backup your current configuration via the CCA,
Next, telnet into the UC540, login, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
Next, you will need to amend your UC540's default ACL.
First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
Then, I'm told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS and LOB server (mine in bold) as follows;
int fas 0/0
no ip access-group 104 in
no access-list 104
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 4.2.2.3 eq 25 log
access-list 104 permit tcp any host 4.2.2.3 eq 80 log
access-list 104 permit tcp any host 4.2.2.3 eq 443 log
access-list 104 permit tcp any host 4.2.2.3 eq 987 log
access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
access-list 104 permit tcp any host 4.2.2.3 eq 3389 log
access-list 104 permit tcp any host 4.2.2.4 eq 80 log
access-list 104 permit tcp any host 4.2.2.4 eq 443 log
access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
access-list 104 permit udp host 116.170.98.142 eq 5060 any
access-list 104 permit udp host 116.170.98.143 any eq 5060
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit udp host 116.170.98.142 eq domain any
access-list 104 permit udp host 116.170.98.143 eq domain any
access-list 104 permit icmp any host 4.2.2.2 echo-reply
access-list 104 permit icmp any host 4.2.2.2 time-exceeded
access-list 104 permit icmp any host 4.2.2.2 unreachable
access-list 104 permit udp host 192.168.10.1 eq 5060 any
access-list 104 permit udp host 192.168.10.1 any eq 5060
access-list 104 permit udp any any range 16384 32767
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
int fas 0/0
ip access-group 104 in
Lastly, save to memory
wr mem
One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
(config)#ip access-list extended 104
(config-ext-nacl)#7 permit gre any any
I'm hoping there may be a better way of allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
Thanks to Vijay in Cisco TAC for the guidance.
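With the 1:1 NAT entries and ACL 104 maintained by hand as above, the two lists drift apart easily: a published service the ACL silently drops, or a permit with no translation behind it. The following is an added example (not from the post, not a Cisco tool) that parses the two sets of lines and reports the mismatches. The constructed sample reproduces the post's NAT and inbound TCP permits, with one permit's host deliberately mis-typed as 4.2.2.3.35 to show what the check reports.

```python
"""Cross-check static NAT publications against the inbound ACL on the UC540.

Added example, not from the post. Every "ip nat inside source static tcp"
entry needs a matching "access-list 104 permit tcp any host X eq P", and every
such permit should correspond to a NAT entry; hosts that are not valid IPv4
addresses are reported separately because the router would reject the line.
"""
import ipaddress
import re

NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)\b")
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any host (\S+) eq (\d+)\b")


def parse_static_nats(config: str) -> set:
    """Return {(outside_ip, outside_port)} for every static TCP NAT line."""
    nats = set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nats.add((m.group(3), int(m.group(4))))
    return nats


def parse_inbound_permits(config: str, acl_number: str = "104"):
    """Return ({(host, port)} of well-formed permits, [lines whose host is not an IPv4 address])."""
    permits, malformed = set(), []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_number:
            continue
        host = m.group(2)
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            malformed.append(line.strip())
            continue
        permits.add((host, int(m.group(3))))
    return permits, malformed


def cross_check(config: str, acl_number: str = "104") -> dict:
    """Compare the NAT publications with the ACL permits and report every mismatch."""
    nats = parse_static_nats(config)
    permits, malformed = parse_inbound_permits(config, acl_number)
    return {
        "nat_without_permit": sorted(nats - permits),  # published, but the ACL drops it
        "permit_without_nat": sorted(permits - nats),  # open hole with nothing behind it
        "malformed_permits": malformed,
    }


# Constructed sample reproducing the post's entries (one host mis-typed on purpose).
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
access-list 104 permit tcp any host 4.2.2.3 eq 25 log
access-list 104 permit tcp any host 4.2.2.3 eq 80 log
access-list 104 permit tcp any host 4.2.2.3 eq 443 log
access-list 104 permit tcp any host 4.2.2.3 eq 987 log
access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log
access-list 104 permit tcp any host 4.2.2.4 eq 80 log
access-list 104 permit tcp any host 4.2.2.4 eq 443 log
access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
access-list 104 deny ip any any log
"""

if __name__ == "__main__":
    for category, items in cross_check(SAMPLE_CONFIG).items():
        print(f"{category}: {items}")
```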