Re: Help with Subnetting
From: mikester (submikester_at_yahoo.com)
Date: 08/24/04
- Next message: Gary Smith: "timeout eth0 on disconnected laptop fedora core2"
- Previous message: Kevin Boergens: "Re: WLAN won't work with Netgear MA101/SuSE 9.0"
- In reply to: IT Guy: "Re: Help with Subnetting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 24 Aug 2004 09:32:05 -0700
X-No-Archive: yes
IT Guy <easycom@techie.con> wrote in message news:<NEAUc.18148$MD.13295@fe1.texas.rr.com>...
> /dev/null wrote:
> >>In order to achieve what we want to do with our ISA server and DMZ, we
> >>need to have two different subnets of public IP addresses. So I
> >>subnetted the 5 IPs into 2 separate subnets. So now I have
> >>24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
> >>24.XXX.XXX.237 and 238.
> >
> >
> > As I'm sure you've found out by now you can't subnet like that.
> >
> >
> >>My ISA box uses .234 as the interface connecting
> >>to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
> >
> >
> > Hey, this is linux, ISA is another problem all together ;-)
> >
> >
> >>The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
> >>set. (ISA requirement) I also have an internal network in this machine
> >>assigned a 10 net range. That is set on the third NIC. (also no default
> >>gateway)
> >
> >
> > Check out my post on 8/13 titled "routing without eating up my IPs" in
> > comp.os.linux.networking. The answer is basically you take one IP and put
> > it on two interfaces of a linux box, on nic internal, the other nic
> > external. On the internal nic you connect the other systems using the
> > remaining IPs and set up arp proxy on the external nic. On this linux box
> > you can run firewalling to secure the internal systems.
> >
> > The advantage you have with this solution is you don't lose any IPs because
> > of the network or broadcast addresses. The above paragraph may be a little
> > confusing, see the diagram I made in my post and especially David Efflandt's
> > answer and it will be clear.
> >
> >
> Thanks...I browsed that article earlier and will go back and pay more
> attention this time 'round.
>
> Edog
My suggestion specifically would be a Cisco PIX Firewall or similar
device; Of course you could also use a Linux/IPtables server/firewall
to do the same thing but it would have to have multiple (3) NICs. The
problem with the Cisco devices is most certainly cost considering you
want a DMZ which is a third interface that brings you up on the list
of Pix devices to a 515 (I don't think a 506 has 3 interfaces). A 515
is a powerful box and it isn't cheap (last I checked it was ~$1500 or
more depending on the options). Clearly you could do it cheaper with a
Linux box running iptables. The key here is that you need to get away
from giving your servers an actual outside address and instead use
RFC1918 addresses and some NAT/PAT technology. The PIX Firewall does
this extremely well as does Iptables. As far as your subnetting is
concerned...
Since you're on Road Runner and likely using their commercial solution
you either have a 900 Series Cisco router or a ZyXel router (though it
could be something else admittedly - it's been a while since I worked
with RR). Both of these routers support the NAT and PAT functions you
want and they are both likely running RIP but the interface that you
connect to is in passive and won't accept routing updates. They have
given you 24.X.X.233/29 which means that you have from 234-238 as
usable IP addresses on their network. You can split this on your end
but I would advise against it - again you can use NAT/PAT functions on
a Linux/IPtables or PIX Firewall to make your configuration and
administration much simpler. Considering your budget is likely low (an
assumption considering your choice of ISP - no offense is intended) I
doubt that your requirement for a DMZ is a deal breaker. That being
the case the next question is - do you have more than 10 users? If so
then I think the safe and easy answer is to purchase a PIX 506 and do
your NAT/PAT/STATIC configurations in that device as it is extremely
simple.
Here is a very simple example configuration that I'm sure IPTables
could handle with ease but I haven't attempted it (invitation for
someone who has to show me). For line clarity I have changed the
netmasks to their slash notation, like so: 255.255.255.255 = /32; in
the configuration it would read 255.255.255.255.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
This first one is a port map from the outside port 4489 to the inside
port of 3389 (RDP) on the server on 10.0.0.3.
static (inside,outside) tcp interface 4489 10.0.0.3 3389 netmask /32 0 0
Same to a different server using 5589.
static (inside,outside) tcp interface 5589 10.0.0.12 3389 netmask /32 0 0
Again, same idea for SSH.
static (inside,outside) tcp interface 222 10.0.0.16 ssh netmask /32 0 0
Etc...
static (inside,outside) tcp interface 6689 10.0.0.21 3389 netmask /32 0 0
The web server...
static (inside,outside) tcp interface www 10.0.0.20 www netmask /32 0 0
And another RDP client...
static (inside,outside) tcp interface 3389 10.0.0.20 3389 netmask /32 0 0
Then you can use Access-lists to permit and deny what you like of
course. Like I said, I know that the 900 series routers are capable of
this same type of port redirection and NAT configuration - I believe
the ZyXel is also capable of it. RR went with ZyXel because the
Ciscos simply cost too much.
I hope that was clear; please respond with questions to the group and
not via email.
The Mikester
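The post above invites someone to show the same NAT/PAT and static port-map setup on a Linux/iptables box. The script below is an added example for that, not code from the thread or from either poster. It assumes eth0 is the outside NIC carrying the public address (the .234 in the thread), eth1 is the inside NIC on 10.0.0.0/24, and an iptables with the conntrack match; the helper names (ipt, port_of, pix_static, firewall_rules) and the DRY_RUN switch are this example's own. Each PIX "static ... interface EXT HOST INT" line becomes one DNAT rule on the outside NIC plus one FORWARD accept for exactly that host and port, the "nat (inside) 1 0.0.0.0 0.0.0.0" + "global (outside) 1 interface" pair becomes a MASQUERADE on the outside NIC, and FORWARD defaults to DROP so nothing but the listed statics is reachable from outside. The helper also refuses any static whose inside host is not an RFC1918 address, since the whole point of the arrangement is to stop giving servers public addresses.

```shell
#!/bin/sh
# Added example (not from the thread): the PIX nat/global/static lines
# expressed as iptables rules. Assumptions: eth0 is the outside NIC with the
# public address, eth1 is the inside NIC on 10.0.0.0/24, and iptables has the
# conntrack match.
OUTSIDE=eth0
INSIDE=eth1
INSIDE_NET=10.0.0.0/24

# DRY_RUN=1 (the default) prints each rule instead of applying it, so the
# generated rule set can be reviewed before running the script as root.
: "${DRY_RUN:=1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The PIX config uses service names; map the two that appear in the post.
port_of() {
    case "$1" in
        www) echo 80 ;;
        ssh) echo 22 ;;
        *)   echo "$1" ;;
    esac
}

# pix_static PROTO EXTPORT INSIDE_HOST INTPORT
# Equivalent of:
#   static (inside,outside) PROTO interface EXTPORT INSIDE_HOST INTPORT netmask 255.255.255.255 0 0
# Emits one DNAT on the outside NIC plus one FORWARD accept for exactly that
# host and port. Hosts outside RFC1918 space are refused.
pix_static() {
    proto=$1
    ext=$(port_of "$2")
    host=$3
    int=$(port_of "$4")
    case "$host" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "pix_static: $host is not an RFC1918 address" >&2; return 1 ;;
    esac
    ipt -t nat -A PREROUTING -i "$OUTSIDE" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$host:$int"
    ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p "$proto" -d "$host" --dport "$int" \
        -m conntrack --ctstate NEW -j ACCEPT
}

firewall_rules() {
    # Default deny on forwarded traffic: only the statics below and the
    # replies to already established flows get through.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # nat (inside) 1 0.0.0.0 0.0.0.0 0 0  +  global (outside) 1 interface
    # == everything from inside leaves PAT'd to the outside interface address.
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$INSIDE_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$OUTSIDE" -s "$INSIDE_NET" -j MASQUERADE

    # The six statics from the post.
    pix_static tcp 4489 10.0.0.3  3389
    pix_static tcp 5589 10.0.0.12 3389
    pix_static tcp 222  10.0.0.16 ssh
    pix_static tcp 6689 10.0.0.21 3389
    pix_static tcp www  10.0.0.20 www
    pix_static tcp 3389 10.0.0.20 3389
}

firewall_rules
```

Run it as-is to review the rule list, then as root with DRY_RUN=0 to apply. Two things the PIX does for you that this script does not: it leaves the INPUT chain (traffic to the firewall box itself) untouched, so that chain needs its own default-deny policy, and forwarding must be switched on with net.ipv4.ip_forward=1 before any of the statics will pass traffic.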