mrcomputerman

Setting up Two (2) Static IP Addresses for Two (2) Exchange Servers

Background:
I have a project where one company is splitting into two. Ownership wants to have two autonomous networks sharing one broadband pipe (T1). Security is a large concern. Ownership wants access to both sides but does not want other users to have access to both sides.

Currently, the Broadband connection comes to a Modem/Router then goes through a Watchguard Firewall which is subsequently connected to a dumb hub. At the end of all that is a Windows 2000 Server running Exchange and a separate Windows 2000 Server acting as a simple file server.

The end result of this project should be two networks that have the same capability, namely, hosting Exchange.

Question:
Firstly, can I simply request two (2) static IPs from the ISP and set up two (2) routers on the WAN side with their respective Static IPs?
Secondly, how do I manage and evenly distribute broadband bandwidth between two networks? Is there such a thing as a T1 modem per se? What hardware am I going to need? What hardware would you recommend?

Any suggestions on overall topology are welcomed. Your assistance is appreciated.
Yan_west

Question 1, yes you can.. Do you want your exchange servers to have their own IP? or do you want to do port forwarding to your exchange server? If you only do port forwarding, then you need 2 public IPs, if you want your servers to have their own IP, you'll need 4...
That is what you need to do right?

       Internet
           |
   Provider's router
         /          \
  Router1 -- Router2
       |               |
    Exch1        Exch2

ASKER

One of the objectives of this project was to design the network in such a way that it would be easily relocated (hardware and all). With that said, I want two separate networks, each with its own static ip. The only thing that should be shared is the broadband connection.

So to answer your question, I believe I want a static (public) ip address for each router and ports forwarded for exchange and other services on both sides. Again, the ONLY thing that should be shared between the two is the broadband connection. In Yan West's diagram I see a connection between Router1 and Router2 - What is this (connection)? And is it necessary?

In regards to hardware, is there a firewall/router (combination) that would be a good fit in this setup? We plan to add VPN capability in the future. Keep in mind however, that there is no formal IT dept, so ease of use is important. I'm somewhat fond of Watchguard.

Please let me know if I'm not being concise and clear.
BTW I installed the link between the 2 routers to let the 2 networks communicate together. Why? Because you have to have some access between the 2.. even if it's only for yourself. You would setup an ACL Defining that access.  Usually, you do not have access to your provider's router. That is why the routing should be done directly between these 2 routers..

I would definitely go with a single firewall setup btw.. one with multiple interfaces supporting VPN..
Cisco's pix firewall can't be beaten in my own opinion..

You would use a PIX 515E or a PIX 525, depending on the traffic you'll generate, how many vpn tunnels/clients will be up, etc..etc..

Using this setup, the diagram would be like this

              Internet
                   |
          Provider's router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)


Then you wouldn't be able to do simple port forwarding, because you can only forward port 25 on 1 address. So you would have to have a public IP for
1- Your Firewall
2- Exch1
3- Exch2

Using ACLs in your firewall, you would be able to determine the rules that allow/deny traffic between the different interfaces.

PIX 515E
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps4094/index.html
PIX 525
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2118/index.html

These firewalls support VPN Accelerator cards, and multiple interfaces..


If your Watchguard firewall is not from the Soho family nor the Firebox X Edge family, you can set up the configuration described by Yan_west by using the "Trusted" port for network1 and "Optional" port for network2 (Firebox II and III denomination - it would be port 1 and port 2 on the Firebox X series). If you have a Soho, you will have to change your firewall.
If at all possible, I'd like to have a firewall on each side, simply because I'd want the ability to pick up and move the entire network on one side without any adverse effects on the other side. Is that plausible or is this bad design?

Furthermore, I imagined having access to both sides via terminal services (simply connecting via public IP to the server).  Again, is this bad design?

Ultimately, these two companies will split sometime in the near future and will have two (2) different physical locations. This network needs to be designed with that in mind.

A question in my initial posting that has yet to be addressed is, "how do I manage and evenly distribute broadband bandwidth between two networks? Is there such a thing as a T1 modem per se? What hardware am I going to need? What hardware would you recommend?"

This was what I had in mind:

                                   Internet
                                        |
                              Provider's Router
                             /                      \
                 Firewall/Router 1     Firewall /Router2
                *PUBLIC IP 1              *PUBLIC IP 2
                         /                              \
                 Exchange 1                    Exchange 2

*The Public IPs would be on the WAN side of the Firewall/Router with ports forwarded to each exchange server.
Is this layout possible? Does it make sense? What hardware is necessary to make this happen? EASE OF USE IS PARAMOUNT. Preferably GUI instead of command line configuration.
You don't really need 2 firewalls.. both networks would be completely independent in the design I gave you..

Using my design, you will have access to both networks via terminal services.. I would do it Via a VPN Connection btw.. connecting yourself via remote desktop outside of an IPsec secure connection would not be very secure..

If you want to eventually split your network in 2 completely different networks, at 2 physical locations, then YES you would need 2 firewalls.. depending on the size of your new organizations, a PIX 506E would now be enough, and would be less costly too..  The design you provided us would be fine at this moment..

Pix 506e (command line + GUI possible)
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps4336/

btw.. what you want is Load Balancing for your internet connection. I only know about this if you have 2 independent internet connections coming into your network.. you could do that with this kind of device:
http://www.foundrynet.com/switch/linkload.html

But to load balance between 2 networks and 1 connection? No idea..

Question 1: Just to be clear -will my design work? Is it bad design? Please explain your answer.
Question 2: Is the PIX 506E a firewall and a router? Is it easy to setup for someone with no experience with Cisco?
Question 3: Is there any other hardware besides the firewalls that I need to have?
Question 4: Is there such a thing as a T1 modem? Typically, what equipment do ISPs provide?
Lastly, Please explain how these devices connect.
If you have one incoming Internet connection and two networks, stick to one firewall with multi-port capability as you would need one port for each company network. This design is easy to implement and will have the same functionality, security features and access controls as a theoretical (as I do not know if it is possible to split one incoming Internet to two firewalls even with additional hardware) 2 firewalls solution. As well, the configuration work when you do the "physical" company network separation would be the same if you add a new firewall at that time or have to move the previously configured firewall to the new place. In short, my recommendation is to use one firewall until you do the final split. There is no reason to have 2 firewalls until then. Now, if you absolutely want to have a 2 firewall design, I would do it like this:

                                    Internet
                                         |
                                  ISP's Router
                                         |
                                   Firewall 1
                                   /          \
                      Exchange 1     Firewall 2
                                                 \
                                             Exchange 2

Hope this helps ;-)
Abissa's config would be fine also mrcomp :) Like I advised you, you should stick with a multiple interface firewall.. If you move your network to a new location eventually, you'll only have to purchase a second one, and add it to your config.

Your design would work if your provider's router has multiple interfaces.. Usually, these routers only have a WAN interface, and only one other for your network.... so it would not work in this case..

Yes, all PIX Firewalls route traffic between their interfaces, no problem to that.. but the 506E only has 2 interfaces.. so if you need to make a more complex configuration, you're caught, and can't do anything.
You do not need any other hardware than what you told us in your diagram.. I'm sure you already have your switches installed.

Usually, Providers provide you with the connection, the modem and the router..  T1 line plugs directly in the modem via a special interface card..
not the modem, sorry, the router :)
In regards to Yan West's Diagram:

              Internet
                   |
          Provider's router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)

Yan West explains that I will need 1 Public IP for the router and 1 Public IP for each of the exchange servers for a total of three. However, I do not want to assign a static IP to the exchange server. Instead I want a Public IP assigned to a router and forward the necessary ports; pop3, terminal services, pcanywhere etc -which, btw, may all point to different machines. (Sure I could forward ports on the server - but that is not ideal and is bad design in my opinion. What happens if the server crashes?)

I need a scheme more akin to Yan West's very first layout:

       Internet
           |
   Provider's router
         /          \
  Router1 -- Router2
       |               |
    Exch1        Exch2

But it needs to be firewalled and it needs to be easy to setup and maintain. I need to know the number of public ips and hardware that is necessary to make this happen.
Port forwarding like you are doing for all services is *NOT* a secure thing... Terminal services/pcanywhere should not be directly accessed via the internet. You should *ONLY* access them through a secure VPN Connection. SMTP Has to be accessed directly, but not the other things.. the *ONLY* thing that should be opened is port 25, for smtp and port 443(SSL) for Outlook web access. nothing else.

To do the second diagram, your provider's router would need to have 2 interfaces for your 2 other Firewall/routers that are in your network. Usually, these routers do not have this many interfaces.   Secondly, a setup like this *cannot* be that simple... why not simply go with my 1st diagram in your previous post, and purchase a second firewall when you move your network?

if your provider has a 3-interface router, then yes you could do this

     Internet
           |
   Provider's router
         /          \
 Firewall1   Firewall2
       |               |
    Exch1        Exch2

and when you would move your network, you would only take everything behind firewall 2 and move it to another location, along with firewall 2, and hook it up to the new internet connection.
The first diagram:

              Internet
                   |
          Provider's router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)

This diagram demands that I assign a static public ip to each exchange server which also means that it is a permanent fixture in this network. What happens if the server crashes? No one outside will have access to any internal resources because all the ports are forwarded through this machine.

Why is forwarding a port such as 3389 (terminal services) on a router insecure?!

What is necessary on the client and server end to create the secure VPN connection that you're talking about (hardware and software)?
If the server crashes? You mean if the firewall crashes, right? If the firewall crashes, it's like anything else, you must have a service contract of 4 hours for repair on it..

Ok, why is opening port 3389 bad.. because if someone scans the internet, and ends up scanning your ip for opened ports, he will see that port 3389 is opened, with this, he can use some tools to try to get in your network.. (brute force password detection, etc..).. also, if he has a remote desktop client, he can simply type your IP, and he will get a windows login prompt automatically..

The big majority of today's firewalls have integrated VPN. after you have configured your firewall for VPN Access, you can give your users a VPN Client software. This software will create a secure tunnel going through the internet, into your network. This tunnel will be heavily encrypted, so no one can see what is passing through it.

Ex: with the cisco Pix you can use the cisco vpn client, netgear Firewall also have their own clients.. etc..
Quote from Yan West "If the server crashes? You mean if the firewall crashes, right?"

I'm slightly confused. If the Public IP is assigned to the server doesn't that mean that all traffic to that IP would be routed by the server (i.e. port 3389 -> 192.168.x.x, port 80 -> 192.168.x.x, etc.) ? Subsequently, if the server crashes there is nothing to route that traffic -right?

I assume that we're assigning static (public) ips to each of the servers because the firewall cannot route traffic for 2 public ip addresses. Am I on the right track or no? Is traffic for both of these (public) ip addresses handled by the PIX firewall? Which device is handling routing (or DHCP for that matter)?
No, traffic to the server is routed by the firewall to the server.

let's say your server has a public ip of 1.2.3.4 (whatever)..

All requests to this address pass through your provider's router. Then they knock at the door of your firewall. Your firewall says: Do I know this address? Yes? Ok, send the traffic over to 192.168.1.6 (that would be your exchange server private ip).. you don't have to configure your exchange server with this ip btw... You only have to tell the firewall that everything to this public address should be sent to a certain private IP (exchange server)..

"I assume that we're assigning static (public) ips to each of the servers because the firewall cannot route traffic for 2 public ip addresses. Am I on the right track or no? Is traffic for both of these (public) ip addresses handled by the PIX firewall? Which device is handling routing (or DHCP for that matter)?"

Exactly :) the firewall is handling the routing.. basically it allows nothing in from the internet, but everything else inside is opened.. (from the inside to the outside, and from inside interface 1 to inside interface 2). After this, you can compose rules that give restrictions like:

Allow only traffic on port 25 from the internet to get in my network, but ONLY when the target is this X public IP, and only to this Y private IP...
Or
Allow only traffic from Private IP Z on network 1 to go to private ip A on network 2..

The possibilities are infinite.. hehe.

Example of PIX ACLs..
This is my config for my outside interface (this can also be configured via GUI):

access-list acl_outside permit tcp any host 207.22.33.44 eq smtp
access-list acl_outside permit tcp any host 207.22.33.44 eq https
access-list acl_outside deny ip any any

first line = let port 25 in for host 207.22.33.44
second line = let port 443 in for host 207.22.33.44
third line = Block everything else..

Later in my config i have:

static (inside,outside) 207.22.33.44 192.168.1.5 netmask 255.255.255.255 0 0

This tells my router that everything coming for address 207.22.33.44 is sent to private address 192.168.1.5

Great explanation!

So I guess my final question would be, can the pix firewall route traffic for two public ips?

Simply put, can I program the firewall with two (Public) IPs and use the firewall to route that traffic? For instance, I want port 3389 for Public IP 1.2.3.4 to go to 192.168.1.1 and I want port 3389 for Public IP 1.2.3.3 to go to 10.0.0.5. BTW, I understood your point about the port scanning and closing 3389 but I'm using 3389 for the purposes of this example (and because I might have to do this temporarily until I figure this VPN deal out). :)

Lastly, can the firewall serve as a DHCP Server for Network 1 & 2 (please see our diagrams)? If not, what do you recommend?
Yes it can..

Yes you can route traffic to port 3389 to as many computers as you want, as long as they have their own private ip.. you would then put multiple lines like this in your config,

static (inside,outside) 207.22.33.44 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 207.22.33.45 192.168.1.6 netmask 255.255.255.255 0 0

and also

access-list acl_outside permit tcp any host 207.22.33.44 eq 3389
access-list acl_outside permit tcp any host 207.22.33.45 eq 3389

Last point, don't use your firewall to provide DHCP, always use your windows 2000 Domain controller.. Why? Because your 2000 DHCP can pass additional information to clients that your firewall cannot. (ex: Proxy, DNS, Gateway, etc..) You also have a nice interface to manage your DHCP SCOPE, you can also make Address reservations. Address reservation is something that lets your DHCP Server give an address to a client, and always give the same address, exactly as if it were a fixed address.  Why do this? Because sometimes, you run out of static addresses and the only ones available are in your DHCP Scope.
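As an added example (not from the thread, and not Cisco code), here is a small Python model of how the PIX pairs the `static` translations with the `access-list` rules shown above: a constructed config for the one-firewall, two-network design, a parser for those three statement types, and an inbound check that mirrors the implicit deny at the end of the ACL. The second inside interface name `net2`, the second public address 207.22.33.45 and the `access-group` line that binds the ACL to the outside interface are assumptions added for the example.

```python
"""Toy model of PIX 'static' + 'access-list' handling for inbound traffic (constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80}

# Constructed config: one outside interface, two inside networks, two public addresses.
# 207.22.33.46 has an ACL permit but no static, to show that both pieces are required.
PIX_CONFIG = """
access-list acl_outside permit tcp any host 207.22.33.44 eq smtp
access-list acl_outside permit tcp any host 207.22.33.44 eq https
access-list acl_outside permit tcp any host 207.22.33.45 eq smtp
access-list acl_outside permit tcp any host 207.22.33.46 eq 3389
access-list acl_outside deny ip any any
access-group acl_outside in interface outside
static (inside,outside) 207.22.33.44 192.168.1.5 netmask 255.255.255.255 0 0
static (net2,outside) 207.22.33.45 10.0.0.5 netmask 255.255.255.255 0 0
"""


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp" or "ip"
    dst_host: Optional[str]   # None means "any" destination
    port: Optional[int]       # None means any port


Config = Tuple[Dict[str, List[Rule]], Dict[str, Tuple[str, str]], Dict[str, str]]


def parse_pix(text: str) -> Config:
    """Parse access-list, access-group and static lines into lookup tables."""
    acls: Dict[str, List[Rule]] = {}
    statics: Dict[str, Tuple[str, str]] = {}   # public ip -> (private ip, inside interface)
    bound: Dict[str, str] = {}                 # interface -> ACL name applied inbound
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            dst = t[t.index("host") + 1] if "host" in t else None
            port = None
            if "eq" in t:
                p = t[t.index("eq") + 1]
                port = PORT_NAMES.get(p) or int(p)
            acls.setdefault(t[1], []).append(Rule(t[2], t[3], dst, port))
        elif t[0] == "access-group":
            bound[t[4]] = t[1]
        elif t[0] == "static":
            inside_if = t[1].strip("()").split(",")[0]
            statics[t[2]] = (t[3], inside_if)
    return acls, statics, bound


def inbound(cfg: Config, dst_ip: str, dst_port: int, proto: str = "tcp") -> Optional[Tuple[str, str]]:
    """Return (private ip, interface) the PIX would deliver to, or None if dropped."""
    acls, statics, bound = cfg
    for r in acls.get(bound.get("outside", ""), []):
        if r.proto not in ("ip", proto) or r.dst_host not in (None, dst_ip):
            continue
        if r.port not in (None, dst_port):
            continue
        if r.action == "deny":
            return None             # first matching rule wins
        break
    else:
        return None                 # no match at all: implicit deny
    # Permitted by the ACL, but without a static there is no inside host to send it to.
    return statics.get(dst_ip)
```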
Here's my wrap-up;

1) When you say, "Yes you can route traffic to port 3389 to as many computer as you want, as long as they have their own private ip..."

By private ip I assume you're talking about the internal ip (i.e. 192.168.x.x) -right?

2) So the only hardware that I need to be concerned about is the firewall and you recommend the Cisco PIX firewall. How do you rate it for:
A. ease of setup
B. ease of use
C. scalability
and D. vendor support? If I were exploring alternatives what features do I need to look for?

Quick additional question - How many ip (public) addresses do I need? and why? It would be helpful if I could see your diagram with hardware and the static IP that is associated with each.

Thanx
sorry, own public ip :) made an error :)

Ease of setup and of use: pretty easy if you use the GUI, Hard with the command line interface..  But the command line interface is MUCH MORE POWERFUL :)

C. Scalability: Great.. if you purchase a 515 model or more, you can add in other interfaces, VPN Accelerator card, etc.. I'm not going to lie to you, they are more expensive, but they are the Best, most recommended firewall on the market.

You have to purchase a support contract from cisco that you have to renew each year after this.. their support is lightning fast, and you always speak with people that are so competent that it makes you feel like a child :).. the support contract is also pretty expensive..

If you want something cheaper, and a bit easier to use, you could get a netscreen firewall.. they are also very good,

one of these would be nice for you : http://www.juniper.net/products/glance/nscn_25_50.html   The 25 model is probably ok :), I cannot tell you anything about them technically, I never used them, I only heard a lot of good of them..
Yan West writes, "sorry, own public ip :) made an error :)"

I don't understand what you mean by the above.

These questions still remain:

1) When you say, "Yes you can route traffic to port 3389 to as many computer as you want, as long as they have their own private ip..." By private ip I assume you're talking about the internal ip (i.e. 192.168.x.x) -right?

2) How many ip (public) addresses do I need? and why? It would be helpful if I could see your diagram with hardware and the static IP that is associated with each.

I feel that all my questions have been answered with the exception of these two. Could you please post the final diagram with the hardware (make & model) and note which device is responsible for handling each IP that is necessary?

Thank you.
ASKER CERTIFIED SOLUTION
Yan_west

Can the cisco pix route traffic for an unlimited number of public ips?

I assume by interfaces you mean RJ45 ports? 1 for the ISP Router and 1 for each switch (for a total of three)?
We route 5.. I never found any specification on how many it does.. but I would assume that you can add up as many as you want in there..

Yes, that's it, RJ45 ports.. speak with a provider about this for prices and specification.. there is a 1 year warranty on the pix, you have to purchase a support contract for all the next years.. it's called Cisco SMART support contract..
OK. Assuming that I understand your explanation to the following, this will be my last post.

Just for clarity's sake - One Cisco PIX switch with an additional interface card will route traffic for three IPs? Which means that I can forward any port anywhere for any of these IPs?

Again, why does the firewall need its own (public) IP? Why not just the two for the exchange servers?

Will the firewall have a single private address or will there be a private address for each interface (rj45 port)?

Please be thorough.
ok, it's a pix firewall not switch :)

yes, it will route traffic for multiple public IP... no problem..

the PIX need a public IP because it has an outside interface directly plugged on the internet.. if you ever need to connect yourself via VPN to your network, you will need to indicate the public IP of the firewall to be able to make a tunnel.. the tunnel is between your computer, and the firewall.. so you need the firewall public IP to do it..
BTW, i would recommend that your initial setup, in any case, should be done by a professional with experience in this domain... you will pay 300-500$ of setup, but you will be sure that everything is fine..

Oh, and the firewall will have a single private address on the outside interface.

The 2 other interfaces  will have private addresses.. (on the same address range of your private lans..)
Yan, you've been most excellent.

I appreciate the recommendation of hiring a professional but in this case I'm it. Unless I delve in and do it, I'll never learn. And I'm here to learn.

Trust me, I'll figure it out -even if I end up buying two of everything! LOL

Thanx Again.
My pleasure :)

also check the netscreen firewalls, heard they were excellent btw.. and I think they are easier to setup.. read about it as much as you can...
Yan,

I have a situation that is similar to this that I would like you to participate in the resolution.  I posted it today as: Allowing two Exchange 2003 servers to communicate behind a PIX 515 firewall.  If you have time please take and look and let me know what you think.
give me the link to it.. I'll check it out as soon as I have a little time.. :) I'm kinda in a rush right now lol