Re: how to setup network when many public IPs available ?

From: Bill Grant (not.available_at_online)
Date: 05/07/04


Date: Fri, 7 May 2004 11:59:27 +1000


   Here again you could write a book about the possibilities. (In fact
people have written books about it).

    One common method is the bastion host, where one machine acts as the
firewall for both the DMZ and the private LAN. The firewall machine has
three interfaces - one to the Internet, one to the DMZ and one to the
private LAN. Another common method is back to back firewalls. You have a
firewall between the Internet and the DMZ, and a second firewall between the
DMZ and the LAN.

    If you want the machines in the DMZ to access the Internet directly,
then they must have valid public IP addresses. The LAN machines should use
private IPs only. You should limit the connections between the LAN and the
DMZ. Ideally there should be only one connection point, and that should be
firewalled. Here is a possible scenario.

Internet
    |
public IP (not in same subnet as DMZ)
firewall
public IP
w.x.y.1
    |
DMZ machines
w.x.y.z dg w.x.y.1
    |
 w.x.y.n dg w.x.y.1
firewall2 (such as ISA server)
192.168.1.1
    |
LAN clients
192.168.1.x

"scott" <scottscotland@yahoo.com> wrote in message
news:ukSASR3MEHA.1484@tk2msftngp13.phx.gbl...
> Hi,
>
> All machines allocated a public IP will be placed in a DMZ in front of the
> LAN. All LAN machines will have private IPs.
>
> I'm more concerned about how to physically deal with the IP addresses.
>
> For example: say I have two public IPs.
>
> ------------------------------
> net
> v
> v
> wan ip (99.99.99.99)
> router/firewall > > lan ip (99.99.99.98) - iis
> lan ip (99.99.99.96)
> v
> v
> wan ip (99.99.99.97)
> firewall
> lan ip
> v
> v
> etc....
> ------------------------------
>
> - The firewall router must have the ability to have several public IPs I
> assume on its WAN adapter.
> - The iis machine must have 1 public IP I assume on its only adapter.
>
> If this is the case then the LAN IP of the firewall must need to be a
> public IP also ? (i.e on the same subnet ?)
> If this is the case then the FIREWALL external IP must need to be a public
> IP also ? (i.e on the same subnet ?)
>
> So in order to assign a public IP to the IIS machine I really need 4
> public IPs ?
> i.e
> router firewall wan + lan
> iis wan
> firewall wan ?
>
> Thanks again for any advice.
> Scott.
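An added check (not from the thread) for the addressing plan in the diagram above: the firewall's outside address must sit outside the DMZ subnet, DMZ hosts (and the second firewall's DMZ side) hold public addresses with w.x.y.1 as their gateway, and everything behind firewall2 stays RFC 1918. The role names and addresses are constructed placeholders; 203.0.113.0/24 stands in for the "w.x.y" block and 198.51.100.0/30 for the upstream link.

```python
import ipaddress

# Constructed plan following the diagram: (role, address/prefix, default gateway or None).
# The two documentation ranges are placeholders only, chosen to avoid real addresses.
PLAN = [
    ("fw1-outside", "198.51.100.2/30", "198.51.100.1"),  # public IP, not the DMZ subnet
    ("fw1-dmz",     "203.0.113.1/24",  None),            # w.x.y.1
    ("dmz-web",     "203.0.113.10/24", "203.0.113.1"),   # w.x.y.z  dg w.x.y.1
    ("fw2-dmz",     "203.0.113.20/24", "203.0.113.1"),   # w.x.y.n  dg w.x.y.1
    ("fw2-lan",     "192.168.1.1/24",  None),
    ("lan-client",  "192.168.1.50/24", "192.168.1.1"),
]

# RFC 1918 spelled out: ipaddress.is_private would also flag the documentation
# ranges used as stand-ins above, which would make the DMZ check fail spuriously.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def check_plan(plan):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    ifaces = {role: ipaddress.ip_interface(addr) for role, addr, _ in plan}
    dmz_net = ifaces["fw1-dmz"].network
    # 1. The outside address must be on a different subnet from the DMZ.
    if ifaces["fw1-outside"].ip in dmz_net:
        problems.append("fw1-outside: address is inside the DMZ subnet")
    for role, addr, gw in plan:
        iface = ifaces[role]
        # 2. A default gateway must be on the host's own subnet to be reachable.
        if gw is not None and ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{role}: gateway {gw} is not on {iface.network}")
        # 3. DMZ-side hosts need public addresses in the DMZ subnet, gateway w.x.y.1.
        if role.startswith("dmz-") or role == "fw2-dmz":
            if is_rfc1918(iface.ip):
                problems.append(f"{role}: DMZ host has a private address {iface.ip}")
            if iface.ip not in dmz_net:
                problems.append(f"{role}: not in DMZ subnet {dmz_net}")
            if gw != str(ifaces["fw1-dmz"].ip):
                problems.append(f"{role}: gateway should be {ifaces['fw1-dmz'].ip}")
        # 4. LAN-side addresses stay private; they reach the Internet only via the firewalls.
        if role.startswith("lan-") or role == "fw2-lan":
            if not is_rfc1918(iface.ip):
                problems.append(f"{role}: LAN address {iface.ip} is not RFC 1918")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```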


