Re: networking private and public hosts questions
From: Pierre (Pierre_at_discussions.microsoft.com)
Date: 01/05/05
- Next message: Herb Martin: "Re: Multiple Login Prompts"
- Previous message: Pierre: "Re: networking private and public hosts questions"
- In reply to: Pierre: "Re: networking private and public hosts questions"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 5 Jan 2005 11:55:05 -0800
Forgot to mention that the subnet mask on the public side is 255.255.255.224
while the private is 255.255.255.0. I don't know if this helps.
"Pierre" wrote:
> Makes sense to me. Since my initial post, I have been given authority to use
> some systems in storage to create a test network. Here's how it's going......
>
> The test network contains one AD DC which is the parent with a suffix of
> domain.ca,
> and one WS is a member of that domain, everything is fine with DNS installed
> and both have a static IP.
>
> A second DC is a child with a suffix of city.domain.ca (the parent is
> domain.ca)
> and also has DNS configured forwarding to the parent. (this test network is
> live
> on the internet)
>
> DHCP server is running on the child DC which was configured on the parent
> and replicated to the child (that part was pretty cool to set up). I have
> attached
> a WS to the child and attempted to pull an IP from the DHCP server, but no go.
>
> I have added a second IP address in Internet Protocol/Advanced of
> 192.168.1.1 to
> city.domain.ca which I want to distribute private IPs, that way I can keep
> our local
> network protected. Incidentally, the NAT Firewall will be configured as you
> mention, I just don't want to concern myself with that at this time.
>
> So, to recap, my test network has a public and private side. Each has a DC
> and the
> public side is static while the private side will be DHCP. The problem now
> is that I
> cannot receive IPs from the server even after I try all the
> usuals....ipconfig/all, etc.
>
> DHCP is set up as follows:
> servername - city.domain.ca [static IP address]
> - scope [192.168.1.0] city
> - Address Pool
> - ....... exclusions, etc .......
> - scope options
> - router - 192.168.1.1
> - DNS server - the parent IP address
> - DNS Domain Name - city.domain.ca
>
> I do not currently have a second NIC in the DHCP server and would prefer not
> to go that route, although I have done it before and it does work.
>
> I have not set up NAT or Routing and figured there was no point if I can't
> even
> get an IP.
>
> Do you see anything wrong here?
>
>
> "Phillip Windell" wrote:
>
> > Well,...there is no way to do this "live". There are so many things here
> > that will not work like you are thinking, that I don't know where to begin.
> > I'll indicate at the bottom how I think you should do this, but first, to
> > try to clear up misunderstandings....
> >
> > There is no way to run them at the same time while you are doing it.
> >
> > DHCP isn't going to "help". It really doesn't matter if you ran DHCP or ran
> > all Static,..it just doesn't matter.
> >
> > DHCP isn't going to give addresses from the other Scope if the first scope
> > "filled up" anyway.
> >
> > DHCP Scopes should always use the full range of addresses that are in the
> > Network being used. You then use Exclusions to separate the addresses you
> > want it to hand vs the ones you don't
> >
> > The two address ranges (192.* and the 30 public ones) will not work
> > together at the same time.
> >
> > RRAS with routing enabled is worthless unless you are building one machine
> > in a key topological location as specifically a router. That will only work
> > in a properly planned out and properly designed situation and I really can't
> > tell what you have done or not done towards that.
> >
> > Private addresses are not compatible with the Internet,...they are not
> > "internet routable". So yes, you need to run NAT. You could also use a
> > proxy server like MS ISA. Both proxying and "nat" accomplish the same task,
> > but they are *not* the same thing.
> >
> > You have a Checkpoint Firewall,...why aren't you using that as a NAT
> > Device? That is primarily what it is designed for,..a NAT Firewall.
> >
> > ---- Here's how I would do it, .....off the top of my head ----
> >
> > Now, you could do this whole thing in a few hours. This is how I would
> > recommend it be done. I like to keep things straight-forward, simple,
> > logical, and organized. You can get complicated, convoluted, and strange
> > all you want after you have a dependably running network:
> >
> > 1. Come in on the week-end or after hours and set all the workstations to
> > get their address automatically (DHCP) and then shut them down and leave
> > them down.
> >
> > 2. Setup the CheckPoint to run as a NAT Firewall, or use whatever your
> > favorite NAT Device is going to be. Use one of your Public addresses for
> > the External side interface. Choose a Private Range to use. Use a higher
> > number in the third Octet (like maybe 192.168.50.x) to avoid future clashes
> > with the heavily "over-used" lower numbers. Use the first one
> > (192.168.50.1) as the NAT Firewall's Internal side interface. Assuming you
> > only use one subnet on the private side, this number 192.168.50.1 will be
> > the Default Gateway of all machines (via either DHCP or Static).
> >
> > 3. Move all the Servers to the private side of the Firewall and start
> > Statically re-addressing them. Start with 192.168.50.10 and go up from
> > there. This leaves a buffer of a few lower addresses for future Hubs,
> > Switches, and other networking hardware that takes IP#s. Your Domain
> > Controllers must point to themselves in their DNS Setting and the ISP's DNS
> > should be listed in their Forwarders List. Your ISP's DNS should *not*
> > appear anywhere else other than the Forwarders List in your DNS
> > Configuration.
> >
> > *Note*,....*all* Servers should run Static Addresses,..you don't want them
> > to "slit their throats" if one morning you wake up and the DHCP Service
> > isn't working. And also,...One active NIC per machine,...No multi-homed
> > machines anywhere except for the NAT Device!
> >
> > 4. Create a DHCP Scope on the DHCP Server. Only one Scope. No Superscopes!
> > Use the whole range of 192.168.50.1 -- 192.168.50.254. Set Exclusions for
> > 192.168.50.1 -- 192.168.50.99 and another Exclusion for 192.168.50.201 --
> > 192.168.50.254. This leaves the numbers below *.100 and above *.200 for
> > future equipment use. This will give you 101 total addresses to automatically
> > give to clients in the range of 192.168.50.100 -- 192.168.50.200. If you
> > need more than 101, adjust your Exclusions to accommodate.
> >
> > In the DHCP setup use the Scope Options under the Scope,..do not use the
> > Server Options. These are the Options you should set. If you don't run
> > Active Directory then Option 006 would be your ISP's DNS and you would not
> > use Option 015 at all. Omit Options 044 & 046 if you don't have a WINS
> > Server:
> >
> > 003 Router = 192.168.50.1
> > 006 DNS Servers = <List your AD DNS Servers>
> > 015 DNS Domain Name = <Your AD FQDN, like "mycompany.loc">
> > 044 WINS/NBNS Servers = <Your WINS Servers if you have any>
> > 046 WINS/NBT Node Type = 0x8 (Only if you have WINS)
> >
> > 5. Power up the workstations. They should all grab a new address from the
> > freshly configured DHCP and all should be well.
> >
> > I don't think I left anything out, but I *did* do this off the top of my
> > head, so think it all through as you do this, in case I forgot anything.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> >
> > "Pierre" <pdeguire@sirc.ca> wrote in message
> > news:2fc9adc2.0412150943.10249cb0@posting.google.com...
> > > We currently have a W2K network consisting of the following;
> > >
> > > DSL line thru a Checkpoint Firewall, to 3 switches, then to
> > > servers/workstations. Servers are using a mix of static (for web
> > > server, etc.) and dhcp (for file/print servers, etc.) addresses on a
> > > block of addresses provided by our ISP. Currently all is well.
> > >
> > > We are switching to a new ISP and have only 30 addresses so we will be
> > > changing to a private range for our internal network, likely
> > > 192.168.0.0 with a dhcp range of 192.168.0.2 to 192.168.0.254
> > > (192.168.0.1 will be assigned to the NIC on the DC which will also
> > > have the new public IP address assigned to it).
> > >
> > > We are unable to test due to budget restraints, so it all has to
> > > happen live.
> > >
> > > The only way I can test is by connecting a laptop and temporarily
> > > assigning a static IP (192.169.0.50). So far, I am able to see the
> > > whole network but can only 'talk' to the DC. I cannot browse and
> > > any other machines, nor can I get out to the web.
> > >
> > > I have already set up a second scope for the private range, but I
> > > understand that dhcp will not use this range until the public range is
> > > full (4 IP's left).
> > >
> > > Do I need to use NAT? I am planning to adjust the registry to enable
> > > IP routing at end of day, will this help? I have tried to use
> > > IProuting in RRAS but that doesn't seem to affect anything.
> > >
> > > Any help will be appreciated.
> >
> >
> >
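An added example, not part of the thread and not code from any of the posters: a small Python script (standard library only) that checks the address plan Phillip Windell lays out above against the numbers in the thread. It computes the usable host count behind the 255.255.255.224 mask Pierre mentions, models step 4's single scope with its two exclusion ranges (which should leave 101 leasable addresses, .100 through .200), tests whether a client address actually sits on the gateway's subnet (the first post's laptop was given 192.169.0.50, which is not inside 192.168.0.0/24), and flags hosts that carry more than one address other than the NAT device, as the "one active NIC per machine" note requires. The public prefix 203.0.113.0/27 is a documentation placeholder for the ISP's 30-address block, the host inventory is constructed, and all function names are this example's own.

```python
# Added example, not from the thread: address-plan sanity checks for the
# scheme Phillip Windell recommends, using only Python's standard library.
# 203.0.113.0/27 is a documentation placeholder standing in for the ISP's
# 30-address public block; host names and addresses below are constructed.
import ipaddress


def usable_hosts(network: str) -> int:
    """Host addresses in a subnet, excluding the network and broadcast addresses."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def scope_plan(network: str, exclusions) -> dict:
    """Model one DHCP scope that spans the whole subnet minus exclusion ranges,
    as step 4 describes. Returns how many addresses the server can lease and
    the first and last leasable address."""
    net = ipaddress.ip_network(network, strict=False)
    excluded = set()
    for lo, hi in exclusions:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a not in net or hi_a not in net or lo_a > hi_a:
            raise ValueError(f"exclusion {lo}-{hi} does not fit inside {net}")
        for n in range(int(lo_a), int(hi_a) + 1):
            excluded.add(ipaddress.ip_address(n))
    leasable = [h for h in net.hosts() if h not in excluded]
    return {
        "count": len(leasable),
        "first": str(leasable[0]) if leasable else None,
        "last": str(leasable[-1]) if leasable else None,
    }


def same_subnet(client_ip: str, gateway_ip: str, mask: str) -> bool:
    """True when the client can reach the gateway without a router, i.e. it
    sits inside the subnet defined by the gateway address and mask."""
    gw_net = ipaddress.ip_interface(f"{gateway_ip}/{mask}").network
    return ipaddress.ip_address(client_ip) in gw_net


def multihomed_hosts(hosts: dict, nat_device: str) -> list:
    """Names of hosts carrying more than one address, other than the NAT
    device, which is the one box allowed to straddle both sides."""
    return sorted(name for name, addrs in hosts.items()
                  if name != nat_device and len(set(addrs)) > 1)


if __name__ == "__main__":
    # 255.255.255.224 is a /27: 32 addresses, 30 of them usable for hosts.
    print("public /27 usable hosts:", usable_hosts("203.0.113.0/27"))

    # Step 4: the whole 192.168.50.0/24 as one scope with two exclusion ranges.
    plan = scope_plan("192.168.50.0/24",
                      [("192.168.50.1", "192.168.50.99"),
                       ("192.168.50.201", "192.168.50.254")])
    print("leasable:", plan)

    # The laptop in the first post got 192.169.0.50 (169, not 168), which is
    # outside 192.168.0.0/24, so it could not reach the other private hosts.
    print("laptop on gateway subnet:",
          same_subnet("192.169.0.50", "192.168.0.1", "255.255.255.0"))

    # Constructed inventory: the test DC carries a public and a private address
    # on one NIC, which the "one active NIC per machine" rule flags.
    inventory = {
        "nat-firewall": ["203.0.113.2", "192.168.50.1"],
        "city-dc": ["203.0.113.10", "192.168.1.1"],
        "parent-dc": ["203.0.113.11"],
    }
    print("multi-homed hosts:", multihomed_hosts(inventory, "nat-firewall"))
```

Run it as a script to see the four checks; the scope check is the one worth re-running whenever the exclusions change, since it reports the exact leasable window rather than leaving the arithmetic to be done by hand.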