Solved

Re-IP'ing the entire network and using MS Radius

Posted on 2002-06-25
13
347 Views
Last Modified: 2010-04-17
Greetings all,

I have the grand task of Re-ip'ing my network to better accomidate my corporate office.

I have a few questions-

1. I'd like to do this as quickly and efficiently as possible, so what sort of checklist or gameplan I should use to accomplish quick and efficient?

2. With this change, I have an opotunity to move some server side stuff around. For instance, I would like to take down my external DNS server (on DMZ) and bring up two new DNS servers on the inside of my network and NAT the traffic through. I know there is a great Q article to do this, but my question is actually about NAT'ing traffic. I have a PIX 515... Do you think NAT'ing is better then access lists? In other words, I have sort of shunned NAT'ing and NAT nothing at this point. Should I stay with my current trend or switch over to NAT'ing to accomplish my goal?

3. Currently my PIX uses local PIX accounts to allo0w local access. Does anyone know how and or how difficult it is to set up the PIX515 to work with MS radius? I would like to do this so uses can authenticate to the VPN using thier network password.

4. Pulls from 3 too... Currently my users use the Cisco VPN client, I would also like to make it to where they can use the MS VPN connection as well... (with RADIUS working) I am not looking for a step by step answer here on the setup on the PIX, but a what anyone thinks about this would be appriciated.

Thanks in Advance
0
Comment
Question by:atmear
  • 4
  • 3
  • 3
  • +2
13 Comments
 
LVL 1

Accepted Solution

by:
Chriskohn earned 250 total points
Comment Utility
Hello atmear:
It would be helpful to know how many IP's and IP subnets you think you will need to accommodate your network, but to be safe you could just use a Class B Private Internal.
 Normally you'll want to do something which applies some convention to it, or a hierarchical arrangement of sorts.  
 I.E. take for instance a network address of 172.25.0.0 network with a mask of 255.255.0.0, this will give you plenty of usable IP addresses and subnets. If you were to make all routers in your network, that are on different subnets end in .1, you could start with 172.25.0.1, then 172.168.1.1 etc. You could do the same with switches, only use .2's i.e. 172.25.0.2, 172.25.1.2 etc. You could make servers something like .5 thru .15 in each subnet. Anyway, you decide, but it is always helpful to stick to some convention, I think you can imagine why. Lastly, always leave a few IP's in each subnet that are available for future needs.
 Regarding your movement of DNS servers to your internal network and using NAT, this depends on what you are trying to accomplish by doing this. If you wish to protect your DNS servers better, placing them inside and doing one to one NAT translations for them is probably a more secure way than having them in the DMZ, and you will still likely have access-control lists protecting them on the outside interface of the PIX. So overall they would be safer.
 To implement Radius on a network server rather than locally on the PIX can be done. Here is a link which may help: http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html

Hope this is helpful, Chriskohn
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Chriskohn has some good points about the addressing scheme.

1. Consider using DHCP for all your clients, hard-code all servers. Setup your global scopes on the DHCP server. Consider long (30 day) leases as opposed to default 3 day.

2. I would let the PIX do the NAT. This will keep your access-lists much shorter. Setup static NAT addresses with your internal servers (DNS, WEB, mail, etc). This keeps them with private IP addresses that can make it harder for hackers.

3. Setting up MS Windows2k RADIUS for VPN users is a snap:
http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html

4. Using MS PPTP client in addition to Cisco VPN client is also a piece of cake. What version are you using? ver 6.2 has a really nice java GUI that sets almost everything up for you though the Pix Device Manager.

Note: Unless you have 3DES license, your Ms PPTP sessions will only be 40-bit encryption - not very secure. You need the 3DES license to run 128-bit. Even at 56-bit, the standard IPSEC client is more secure. Also, with IPSEC client, YOU can control things like split-tunneling whereas with the PPTP client, all the user has to do is uncheck the box that says use default gateway on remote network and you have just been exposed.
0
 

Author Comment

by:atmear
Comment Utility
We have a 75 to 100 node network, T1, WAN connection, PIX 515, Cisco 3550 GBit Switches, Cisco 2950 Switches, Printer, VPN... etc etc etc...

I know how the numbers and all scope information along with how to do it... I was just wondering if anyone had a to-do list that was the most effective manner of going about this. Obviously, I change all routers and switches and then goto servers, desktops and printers...  

Thank You to the both of ya for recognizing my effort of moving nameservers to the inside, a good idea over all. I have a small question about that... My internal domain happens to actually be my actuall external FQDN... long story short, I was told to AD integrade the DNS functionality with AD... so my thoughts are I should bring up a new AD\DNS name space and run that way with it internally.
What are yalls thoughts?
0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Hi again atmear:
I would stick with your current external IP's as before, but translate them to internal addresses this way it will keep things simpler. Chriskohn
0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Hi again atmear:
I would stick with your current external IP's as before, but translate them to internal addresses this way it will keep things simpler. I don't think you will have to bring up a new AD/DNS name space to do this if you keep the same IP address as before. Chriskohn
0
 
LVL 17

Expert Comment

by:mikecr
Comment Utility
I would disagree at this point with Lrmoore about the one to one NAT. This would not impede a hacker as all your doing is translating an internal IP to an external IP but that doesn't stop them from getting to the box. If it were a dynamic nat, that would be a different story. I would leave the live address on it and implement some refined access lists to provide protection to that box. Also, it would be a good idea to put any of those boxes that would require live IP's into a DMZ to keep them separate from the rest of the network.

As for numbering, depending on your ip scheme and how many servers that you have, keep the numbers low for the servers like 10.1.1.1 to 10.1.1.254 and create a subnet of 10.1.2.1 to, lets say, 10.1.10.1 for all of the clients. Put all internet aware servers on a DMZ with a firewall between you and them and just open those holes that you would need to get to them. Why not rule out the Pix altogether and just let it play firewall instead of users connecting via VPN to it? Just put a Windows 2000 server with RRAS in your DMZ, as a matter of fact it could be your WEB server maybe, and then use RADIUS authentication on it to an IAS enabled box on the backside of the firewall? This way you would only need to open a couple holes on your firewall.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:atmear
Comment Utility
Let me ask this?

NAT or Access Lists? Which is safer/better?

0
 
LVL 17

Expert Comment

by:mikecr
Comment Utility
I would rather do an access list any day than to do a one to one nat that you get no benefit from. A hacker can still get to the box to do damage because your not doing anything to impede his path, all your doing is changing an internal IP to an external IP, however with access lists you can limit what ports he can get to the machine on. A one to one nat is good if you didn't want to change the IP address of a current box internal to your network, however, you want to make it available to the internet. I would put the machines that need to be available to the internet on a DMZ, use access lists to control access to them, or, put them behind your firewall on another segment and use both access lists and the firewall to protect them.
0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Hello again atmear:
in answer to your latest question again I will reiterate what I stated before:
If you wish to protect your DNS servers better, placing them inside and doing one to one NAT translations for them is probably a more secure way than having them in the DMZ, and you will still likely have access-control lists protecting them on the outside interface of the PIX. So overall they would be safer.
To implement Radius on a network server rather than locally on the PIX can be done. Here is a link which may help: http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html
Notice again, that I recommended using access-control lists in addition to a one to one NAT trans. I would not recommend only the one to one NAT. Chriskohn
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Have any of these comments been of any help to you? Do you need more information?
0
 

Expert Comment

by:wilsonc001
Comment Utility
Hi Atmear,

I have to disagree with moving your DNS to the internal network. I recommend using a split DNS architecture. Leave a DNS server on the outside and only advertise the hosts that need to be seen from outside sources. (i.e. webservers, smtp servers, etc.) If your still uncomfortable with your DNS server on the outside then create an access-list on your external router only allowing port 53 traffic to your DNS server.

Provide a DNS server on the inside for local users. Enable forwarding on the inside DNS server to the outside server to resolve external addresses. Why advertise all your host records to the public if you don't need to. This only helps any potential intruder identify the hosts on your network.

Chris
0
 

Author Comment

by:atmear
Comment Utility
Well, the project has actually been complete for close to a month, I'll let everyone know what I did.

Keeping in mind that is rather difficult to explain the environment and all the variables that go with it, I will try to recap this all.

BEGINING- I ran an internal network off 192.169.1.X and access lists allowed internet traffic. I already had integrated dns for internal serving. Note- I also ran a bay router that handled traffic for my corporate WAN. On a DMZ I had a single Active Directory DC server that was serving as my web server, ftp server, external DNS server and some other company oriented roles.


MIDDLE- Then came the Re-IP. I needed to re-ip my network because I took on a project where I was bringing up a Citrix Server Farm that would be strictly serving an app to WAN/corporate users. At that point, I had a decision to make, keep my ip addressing the same, or bite the bullet, re-ip to corporate standards and be done with any kind of above and beyond difficulties I could face by having those servers protected in an environment where they did not truly need to be protected. I decided the re-ip would fit my needs greater due to the fact that I am my companies IT dept. 1 Guy + 12 Servers + 60 Users + 45 Desktops + 35 Laptops + taking on this Citrix Farm = Keep it flat and simple. (And ask for a raise) So... Youre probably wondering where in the heck my DNS question came from... Well, Seeing that I was about to reconfig all my Cisco Routers, switches and PIX... and I was about to drop 5 more servers along with 60K worth of other devices/services/software/etc... I had the mentality, why not scope out an over all change in the name of efficiency and manageability. So that brought me here.

END- So this is what I did. I went ahead and brought the Name Servers (DNS) up on two Win2K Servers on my inside network and joined them to my main Domain. I have replication going on between the two of them and everything seems to be working great. Concerning the PIX side of things, I slacked and just did a 1 for 1 NAT, but it does work. I have it in my mind to go back and try to increase security at a later time, but to be honest, I am not really sure how. I mean, I understand the difference between ACL's and NAT, but I am a jack of all trades, but this jack solely depends on Cisco's TAC to assist in any mods I make, because I am not what anyone would call proficient at making major config mods.

LOOKING BACK- In hind sight, I really do not like having those name servers on the inside, it really becomes confusing... primarily due to the fact that my FQDN is my both my companies actual web address and also my Active Directory FQDN. What I think would be an upgrade or advancement to what I have done, would be to create a secondary vlan and shove those servers off to the side and out of the AD Domain.

ADDED NOTE- In a strange twists of events, the CITRIX FARM that was developed and brought online ended coming up in its own AD namespace/domain and not being directly connected to my Domain. (Long story) Soooooo... here is my newest dilemma, I want to protect my domain from corporate (did I say that out loud?) I have a PIX 506 (small PIX) that I am thinking about throwing in between my corp. Bay router and my network and then NATing that through, and here is my question; my network is currently ip'ed similar to this 149.136.196.XXX so in the following scenario: Bay Router-IP_149.136.196.1 connects to new PIX-IP_149.136.196.9, can I easily nat or ACL traffic through my network out to corporate and stop anything from them coming in unless I have routed it via the router?

Second Question- If anyone actually reads this (I hope it is useful) and they have a suggestion as to what I should do or do different, let me know.

Many Thanks to everyone for there help. It will be difficult to choose and actual winner because you have all help is some fashion or another. I will wait for any forthcoming answers, and then award the points.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
It appears that you have forgotten this question. I will ask Community Support to force close it unless you finalize it within 7 days.

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **

Please take a moment to revisit this question & reward your points or post additional commentary as appropriate.  Unless there is objection or further activity.

EXPERTS, please feel free to make a recommendation for points award.

If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points.  The link to the Community Support area is:

http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt

** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER **
------------------------------------------------------------------------------------------------
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now