> -----Original Message-----
> From: Magic Phibo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 8 December 2000 8:42 
> To: [EMAIL PROTECTED]
> Subject: Routing Question
> 
> 
> Hi there
> 
> I got a question about routing. There is a subnet 199.199.199.208/28
> with 16 official ip numbers. Internet connection is done by a 
> xDSL Modem
> and a router (199.199.199.209) to which I don't have access. 
[...]
> My first idea was to split the 
> official subnet into
> 2 subnet like this:
> 
> 1. subnet 199.199.199.208/29 (hostid's 209-214)
> 2. subnet 199.199.199.216/29 (hostid's 217-222)
[...]
> With this procedure, I would have one nic of the firewall and 
> the Router in
> the "ext" net and another nic of the firewall and all the 
> public machines in
> the "dmz" net. So, seperation is done, BUT, as the router is 
> configured with a 
> netmask of 255.255.255.240, connection requests from internet 
> go directly to
> the public machines, instead of to the firewall.

Exactly. Which would fail.

> 
> How should I set up routing properly, so that ALL connections 
> must go thru
> the firewall ?

Set up the external NIC on the firewall to own that whole 199.199.199.208
subnet, and then create your internal and DMZ networks with private
addresses. NAT in two pools - one pool for internal clients to use and one
for DMZ hosts to use. Have static NAT mappings on the outside of the
firewall for the DMZ hosts. Since both mail and web servers deal well with
NAT you should be fine from a functionality point of view and you'll
actually buy a bit more security as a bonus.

In other words - Internal net is 192.168.1.x, DMZ net is 172.16.31.x, NAT
overload 192.168.1.x -> 199.199.199.209-215 and statically map
221->172.16.31.1 (mail) and 222-> 172.16.31.2 (web).

That leaves you 5 unused addresses for expansion.

> 
> Sorry for my english ...
> 
> 
> Cheers
>       Phibo

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
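Added worked example (mine, not code from either message above): the addressing arithmetic behind the two plans. It shows why the /29 split leaves the public hosts on-link for a router still configured with /28, and lays out the NAT plan from the reply as a checkable table: overload pool for 192.168.1.x, static mappings for the two DMZ hosts, and the count of spare addresses. Assumptions not in the thread: the firewall's external NIC is 199.199.199.210/28 and the overload pool runs .210-.215 so that the router's own .209 is kept out of it (the reply writes 209-215); the private ranges 192.168.1.0/24 and 172.16.31.0/24 are taken from the reply.

```python
"""Address plan for putting a NAT firewall in front of a routed /28.
Added example, not code from the original thread."""
import ipaddress

PUBLIC = ipaddress.ip_network("199.199.199.208/28")     # the official /28
ROUTER = ipaddress.ip_address("199.199.199.209")        # ISP router, not ours
INTERNAL = ipaddress.ip_network("192.168.1.0/24")       # private LAN
DMZ = ipaddress.ip_network("172.16.31.0/24")            # private DMZ

# Assumption (not in the reply): firewall external NIC is .210 and the overload
# pool starts at .210, so the router's .209 is never claimed by the firewall.
FW_EXT = ipaddress.ip_interface("199.199.199.210/28")
OVERLOAD_POOL = [ipaddress.ip_address(f"199.199.199.{n}") for n in range(210, 216)]
STATIC_NAT = {                                          # public -> DMZ host
    ipaddress.ip_address("199.199.199.221"): ipaddress.ip_address("172.16.31.1"),  # mail
    ipaddress.ip_address("199.199.199.222"): ipaddress.ip_address("172.16.31.2"),  # web
}


def router_treats_as_onlink(router_iface: str, dest: str) -> bool:
    """Would a router whose interface is configured as router_iface ARP for
    dest directly (on-link) instead of handing it to a next hop?"""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(router_iface).network


def why_the_split_fails() -> list:
    """The two /29s from the question. With the router still on /28, every
    host of the second /29 is on-link for it, so inbound packets bypass the
    firewall. Returns those hosts (all six of them)."""
    ext, dmz = PUBLIC.subnets(new_prefix=29)
    return [str(h) for h in dmz.hosts()
            if router_treats_as_onlink(f"{ROUTER}/28", str(h))]


def claimed_public_addresses() -> list:
    """Every public address the firewall must own (answer ARP for) on its
    external NIC: the overload pool plus the statically mapped ones."""
    return sorted(set(OVERLOAD_POOL) | set(STATIC_NAT))


def unused_public_addresses() -> list:
    """Usable /28 addresses left for expansion after router, pool and statics."""
    used = set(claimed_public_addresses()) | {ROUTER}
    return [str(a) for a in PUBLIC.hosts() if a not in used]


def translate_inbound(dst_public: str):
    """Inbound static NAT: public address -> DMZ host, or None when there is
    no mapping (the firewall should then drop the packet)."""
    mapped = STATIC_NAT.get(ipaddress.ip_address(dst_public))
    return str(mapped) if mapped is not None else None


def translate_outbound(src: str) -> str:
    """Outbound NAT: internal clients share the overload pool, DMZ hosts
    leave with their fixed public address."""
    a = ipaddress.ip_address(src)
    if a in INTERNAL:
        return str(OVERLOAD_POOL[int(a) % len(OVERLOAD_POOL)])
    for pub, priv in STATIC_NAT.items():
        if priv == a:
            return str(pub)
    raise ValueError(f"{src} is in neither the internal nor the DMZ network")


def check_plan() -> list:
    """Sanity checks to run before loading the rules; empty list means OK."""
    problems = []
    claimed = claimed_public_addresses()
    if ROUTER in claimed:
        problems.append("router address claimed by the firewall")
    if set(OVERLOAD_POOL) & set(STATIC_NAT):
        problems.append("overload pool overlaps the static mappings")
    for a in claimed:
        if a not in PUBLIC or a in (PUBLIC.network_address, PUBLIC.broadcast_address):
            problems.append(f"{a} is not a usable address in {PUBLIC}")
    if FW_EXT.network != PUBLIC:
        problems.append("firewall external NIC must carry the whole /28")
    if INTERNAL.overlaps(DMZ):
        problems.append("internal and DMZ networks overlap")
    return problems
```

The check that matters most is the one in `check_plan` on the external NIC's mask: it has to be the /28 the router already uses, so the router sees the firewall as on-link and the firewall can answer ARP for every address in `claimed_public_addresses()`. Only then do the static mappings for .221 and .222 reach the DMZ hosts through the firewall rather than around it.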
