On Fri, 08 Dec 2000, Ben Nagy wrote:
>> -----Original Message-----
>> From: Magic Phibo [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, 8 December 2000 8:42 
>> To: [EMAIL PROTECTED]
>> Subject: Routing Question
>> 
>> 
>> Hi there
>> 
>> I got a question about routing. There is a subnet 199.199.199.208/28
>> with 16 official ip numbers. Internet connection is done by a 
>> xDSL Modem
>> and a router (199.199.199.209) to which I don't have access. 
>[...]
>> My first idea was to split the 
>> official subnet into
>> 2 subnet like this:
>> 
>> 1. subnet 199.199.199.208/29 (hostid's 209-214)
>> 2. subnet 199.199.199.216/29 (hostid's 217-222)
>[...]
>> With this procedure, I would have one nic of the firewall and 
>> the Router in
>> the "ext" net and another nic of the firewall and all the 
>> public machines in
>> the "dmz" net. So, separation is done, BUT, as the router is 
>> configured with a 
>> netmask of 255.255.255.240, connection requests from internet 
>> go directly to
>> the public machines, instead of to the firewall.
>
>Exactly. Which would fail.
>
>> 
>> How should I set up routing properly, so that ALL connections 
>> must go thru
>> the firewall ?
>
>Set up the external NIC on the firewall to own that whole 199.199.199.208

Do you mean setting up eth0 being the external nic with 199.199.199.210 and
aliases eth0:0, eth0:1 ... for 199.199.199.211-222 ? You know, the firewall
will be a linux box with netfilter 

>subnet, and then create your internal and DMZ networks with private
>addresses. NAT in two pools - one pool for internal clients to use and one
>for DMZ hosts to use. Have static NAT mappings on the outside of the
>firewall for the DMZ hosts. Since both mail and web servers deal well with

and what about the two dns servers ?

>NAT you should be fine from a functionality point of view and you'll
>actually buy a bit more security as a bonus.
>
>In other words - Internal net is 192.168.1.x, DMZ net is 172.16.31.x, NAT
>overload 192.168.1.x -> 199.199.199.209-215 and statically map
>221->172.16.31.1 (mail) and 222-> 172.16.31.2 (web).
>

I suppose you mean doing source NAT for 192.168.1.x to 199.199.199.210-215
and destination NAT from 221 (mail) to 172.16.31.1 and from 222 (web) to
172.16.31.2. Probably I should also do destination NAT from 219 and 220
(prim./sec. dns servers) to let's say 172.16.31.3 and 4. Btw. what do you mean
with NAT in two pools ? One NAT pool is (210-215) for internal clients and the
other ? Should I use the same pool for the dmz clients or the remaining
addresses (216-218) ?

>That leaves you 5 unused addresses for expansion.

Thanks VERY much for your help !

Cheers
        Phibo

>
>> 
>> Sorry for my english ...
>> 
>> 
>> Cheers
>>      Phibo
>
>Cheers,
>
>--
>Ben Nagy
>Marconi Services
>Network Integration Specialist
>Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
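An added example, not code from the thread or from either poster: a shell script that emits the iproute2/netfilter commands for the layout Ben describes, read the way Phibo restates it (firewall owns the /28 via aliases, SNAT pool .210-.215 for internal clients, static 1:1 mappings for the DMZ hosts). Interface names, the DNS servers' DMZ addresses (.219/.220 -> 172.16.31.3/.4) and the published ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emits the iproute2/iptables commands for the
# layout Ben describes, read the way Phibo restates it. Interface names, the
# DMZ addresses for the two DNS servers (.219/.220 -> 172.16.31.3/.4) and the
# published ports are assumptions.
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
ROUTER=199.199.199.209                  # ISP router, not under our control
POOL=199.199.199.210-199.199.199.215    # SNAT pool for internal clients

gen_nat_rules() {
    # 1. The firewall owns the whole /28: its primary address plus one alias per
    #    published address, so the router (mask /28) gets its ARP answers from us.
    echo "ip addr add 199.199.199.210/28 dev $EXT_IF"
    for last in 219 220 221 222; do
        echo "ip addr add 199.199.199.$last/28 dev $EXT_IF"
    done
    echo "ip route add default via $ROUTER dev $EXT_IF"
    echo "sysctl -w net.ipv4.ip_forward=1"
    nat="iptables -t nat"; fwd="iptables -A FORWARD"
    # 2. Pool one: internal clients hide behind .210-.215 (Phibo's reading of Ben).
    echo "$nat -A POSTROUTING -o $EXT_IF -s 192.168.1.0/24 -j SNAT --to-source $POOL"
    # 3. Static 1:1 mappings for DMZ hosts in both directions (Ben's "static NAT").
    #    Inbound DNAT only for the published service; anything else is dropped below.
    static_map() {  # $1 public last octet, $2 DMZ host octet, $3 proto, $4 port
        echo "$nat -A PREROUTING -i $EXT_IF -d 199.199.199.$1 -p $3 --dport $4 -j DNAT --to-destination 172.16.31.$2"
        echo "$fwd -i $EXT_IF -o $DMZ_IF -d 172.16.31.$2 -p $3 --dport $4 -j ACCEPT"
        echo "$nat -A POSTROUTING -o $EXT_IF -s 172.16.31.$2 -j SNAT --to-source 199.199.199.$1"
    }
    static_map 219 3 udp 53   # primary DNS (assumed DMZ address; add tcp 53 if needed)
    static_map 220 4 udp 53   # secondary DNS (assumed DMZ address)
    static_map 221 1 tcp 25   # mail
    static_map 222 2 tcp 80   # web
    # 4. Everything else crossing the box is explicit: default deny on FORWARD.
    echo "iptables -P FORWARD DROP"
    echo "$fwd -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$fwd -i $INT_IF -o $EXT_IF -s 192.168.1.0/24 -j ACCEPT"
    echo "$fwd -i $DMZ_IF -o $EXT_IF -s 172.16.31.0/24 -j ACCEPT"
}

case "${1:-print}" in
    apply) gen_nat_rules | sh ;;   # run as root to install the rules
    *)     gen_nat_rules ;;        # default: just print them for review
esac
```

Run it without arguments to review the generated rules, or with `apply` as root to install them.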
