Cisco - newbie question on configuration
#1
I am trying to help out a friend. They have a 2611 with the IOS Firewall license but the firewall is not configured. It has two ethernet interfaces, only one is currently in use. They want to activate the IOS firewall feature set. They have a Web server that is on their 192.168.0.0 network that they want to make accessible. They do not want a DMZ since they use the server for other applications (tiny company) and it connects to a database somewhere on the private network, and the person there who set up the web server does not want to have the web server and the database on different networks. The WAN interface is part of a /30 network (fake i.e. 1.1.1.3/30). I have been told that they have another discontiguous address block (fake i.e. 2.2.2.10/2 a standalone server and put it on the DMZ but they don't want to do that. So I think these are the options:

1. Dual home the webserver so it sits on both networks and assign the two ethernet ports to the different networks, one on 192.168.0.0 and the other on 2.2.2.10/28. The 2.2.2.10 with only http, https and ftp. This concerns me from a security standpoint.

2. Use only a single router ethernet interface 0/0 and bind it with two addresses, 192.168.0.1 primary and 2.2.2.10 secondary, and NAT a 2.2.2.x address to a 192.168.0.x address. I believe I may need to kill the split horizon to make that work.

Are there other better options? Any suggestions?

Michael Huffaker

#2

"Michael Huffaker" <> wrote in message news:<lVjCc.843$Y_5.514@fed1read02>...
> I am trying to help out a friend. They have a 2611 with the IOS Firewall
> license but the firewall is not configured. It has two ethernet interfaces,
> only one is currently in use. They want to activate the IOS firewall
> feature set. They have a Web server that is on their 192.168.0.0 network
> that they want to make accessible. They do not want a DMZ since they use
> the server for other applications (tiny company) and it connects to a
> database somewhere on the private network and the person there who set up
> the web server does not want to have the web server and the database on
> different networks. The WAN interface is part of a /30 network (fake i.e.
> 1.1.1.3/30). I have been told that they have another discontiguous address
> block (fake i.e. 2.2.2.10/2
> a standalone server and put it on the DMZ but they don't want to do that. So
> I think these are the options
> 1. Dual home the webserver so it sits on both networks and assign the two
> ethernet ports to the different networks one on 192.168.0.0 and the other on
> 2.2.2.10/28. The 2.2.2.10 with only http, https and ftp. This concerns me
> from a security standpoint.
> 2. Use only a single router ethernet interface 0/0 and bind it with two
> addresses 192.168.0.1 primary and 2.2.2.10 secondary and to NAT a 2.2.2.x
> address to a 192.168.0.x address. I believe I may need to kill the split
> horizon to make that work.
>
> Are there other better options? Any suggestions?

Use option 3: change the WAN interface to use the other public range, the /28. This gives you a few more IP's to work with. NAT the server out to an IP address of its own on the WAN, PAT everything else. Turn on firewall feature set. Done. Way more simple.

Kevin Widner
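The "option 3" layout in the reply above (WAN interface addressed from the public /28, one static NAT for the web server, PAT for everything else, IOS Firewall inspection turned on), written out as a Cisco IOS configuration sketch. This is an added example, not configuration from the thread or from Cisco. Assumed values: the web server is 192.168.0.10 on the inside; Ethernet0/0 is the LAN and Ethernet0/1 the WAN (if the WAN is really a serial interface, the same `ip nat outside`, `ip access-group` and `ip inspect` lines go on it instead); the router keeps 2.2.2.10 from the page's fake /28 and the server is mapped to 2.2.2.11; the provider's next hop is 2.2.2.1; the ACL and inspection rule names are made up.

```cisco
! --- IOS Firewall (CBAC) inspection rule: tracks outbound sessions and
! --- opens the return path dynamically, so the inbound ACL stays minimal.
! --- "ftp" inspection is what lets the FTP data channel through.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
!
interface Ethernet0/0
 description inside LAN (assumed: 192.168.0.0/24)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 description WAN, addressed from the public /28 (option 3; 2.2.2.10 is the page's fake address)
 ip address 2.2.2.10 255.255.255.240
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
!
! --- Static NAT: the web server gets a public address of its own.
! --- Assumed mapping 192.168.0.10 <-> 2.2.2.11.
ip nat inside source static 192.168.0.10 2.2.2.11
!
! --- PAT (overload) for everyone else behind the WAN interface address.
ip nat inside source list NAT-INSIDE interface Ethernet0/1 overload
!
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.0.255
!
! --- Inbound ACL on the WAN: only http, https and ftp to the server's
! --- public address. Static NAT forwards every port, so this ACL is the
! --- only thing limiting what is exposed. Everything else is logged and dropped;
! --- CBAC adds temporary entries for return traffic of inspected sessions.
ip access-list extended WAN-IN
 permit tcp any host 2.2.2.11 eq 80
 permit tcp any host 2.2.2.11 eq 443
 permit tcp any host 2.2.2.11 eq 21
 deny ip any any log
!
! --- Default route to the provider (assumed next hop 2.2.2.1).
ip route 0.0.0.0 0.0.0.0 2.2.2.1
```

Two points worth checking on the box: the inbound ACL on the outside interface matches the public (post-mapping) address 2.2.2.11, because inbound packets are checked against the ACL before NAT undoes the static translation; and `show ip nat translations` together with `show ip inspect sessions` will confirm the static mapping exists and that CBAC is creating entries for outbound sessions. With this design neither the secondary-address trick nor a dual-homed server is needed, so the split-horizon question from option 2 goes away.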