Solved

Registered IP addressing

Posted on 2004-09-27
Last Modified: 2010-04-10
Hi there,

My company wants to establish a VPN link and host its own web server, email server and ftp server (each on a different machine). I'm a little unsure of the required number of registered (static) IPs needed and how to set it up.

1. Can I only use ONE registered (static) IP address on a DNS server? This DNS server will then route the messages to the other servers (ftp, web and email server) using private IP addresses. See the following:


INTERNET---router----DNS----Firewall----Switch---other server
             (Registered IP 1)      (Private IP address..................)


2. Or do I need to have a registered public IP address for each of my web, email, and ftp servers? See the following:


INTERNET-------router ------Web server  (Registered IP 1)
                                 ------Email server (Registered IP 2)
                                 ------ftp server     (Registered IP 3)
                                 ------Firewall ---------LAN
                                  (Registered IP 4)   (Private Address)
 
3. Or is there a better way to do this?

Please clarify, and thank you very much.

Confused,
hawkm
Question by:hawkm
 
Expert Comment by:cagri
ID: 12167057
Things seem a bit confused:

1. DNS does not do the routing you are looking for; this conversion is called NAT (network address translation), or a special form of it, PAT (port address translation), and is performed by routers and firewalls. Almost all routers support these features, so you may use the existing router for the purpose.

What is to be done is to put static translation statements on the router, like

static.ip port 80 maps to internal1.myorg.com port:80
static.ip port 23 maps to internal2.myorg.com port:21
static.ip port 25 maps to internal3.myorg.com port:25

and so on, so the router looks at the TCP/UDP port and forwards the packets to the appropriate server on the inside.

If you have enough external, static addresses, it is better to assign one for each of the important servers, since it gives you much more flexibility.

Hope this helps,
 
Expert Comment by:swinterborn
ID: 12167726
You've got 2 basic scenarios:

1) Get a single public IP address, and use PAT as cagri says to map port numbers on the router to services behind the firewall.
2) Get multiple public IP addresses, one for each server.

How you do it is up to you: scenario 1 is cheaper (single public IP) and more secure (none of your servers are directly exposed) but more complex to set up. Scenario 2 is more expensive (more IPs), less secure (servers are directly exposed) but easier to set up.

In addition, some of these services are not necessarily that easy to PAT: FTP can use a number of different ports (see http://slacksite.com/other/ftp.html) and some VPN solutions are impossible to PAT (e.g. Win2k L2TP/IPsec).

NB, looking at your sample layout, you only have a router between the Internet and your servers; this needs to be either running firewall software or replaced with a firewall. You do not want to put servers directly on the Internet without control of what traffic is able to hit them.

Given all the above, the answer to your question is lots more questions - whatever route you go down, you need to understand exactly which implementations of the server technologies you are using (MS VPN, Cisco VPN, ......., MS FTP, etc), what the limitations of those technologies are, and what ports they are configured to use.

If you can post any details, we'll try and advise.
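As an added example (not code from this thread), the translation that cagri's static statements perform and the FTP caveat swinterborn raises, modelled in Python. The addresses are constructed: 203.0.113.10 (RFC 5737 documentation range) stands for the one registered address and the 10.0.1.x hosts for the servers. Only static translations are modelled, not the dynamic NAT a router would also do for outbound LAN traffic.

```python
"""Static PAT (port forwarding) on a single registered address.

Added example, not code from the original thread.  All addresses are
constructed: 203.0.113.10 is the public address, 10.0.1.x are the servers.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]       # (protocol, public port)
Target = Tuple[str, int]    # (internal host, internal port)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticPAT:
    """One public address; each (proto, public port) maps to one internal socket."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[Key, Target] = {}
        self.reverse: Dict[Target, int] = {}

    def add_static(self, proto: str, public_port: int, host: str, port: int) -> None:
        """One 'static' statement.  A public port can be used only once, which is
        why a second server wanting the same port needs its own registered
        address (cagri's flexibility point)."""
        key = (proto, public_port)
        if key in self.table:
            raise ValueError(f"{proto}/{public_port} already maps to {self.table[key]}")
        self.table[key] = (host, port)
        self.reverse[(host, port)] = public_port

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Packet arriving from the Internet.  None means dropped: no statement
        matches, so unmapped ports are closed by default."""
        if f.dst_ip != self.public_ip:
            return None
        target = self.table.get((f.proto, f.dst_port))
        if target is None:
            return None
        host, port = target
        return replace(f, dst_ip=host, dst_port=port)

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Reply from an internal server: source rewritten to the public socket.
        Traffic from an unmapped internal socket is not translated here."""
        public_port = self.reverse.get((f.src_ip, f.src_port))
        if public_port is None:
            return None
        return replace(f, src_ip=self.public_ip, src_port=public_port)


def build_example() -> StaticPAT:
    """The three statements from the comment above, with constructed hosts."""
    pat = StaticPAT("203.0.113.10")
    pat.add_static("tcp", 80, "10.0.1.10", 80)   # web server
    pat.add_static("tcp", 25, "10.0.1.20", 25)   # mail server
    pat.add_static("tcp", 21, "10.0.1.30", 21)   # ftp control channel only
    return pat


def passive_ftp_data_reaches_server(pat: StaticPAT, data_port: int) -> bool:
    """Passive FTP: after the control connection on 21 the server tells the
    client to open a second connection to a high port.  With only 21 forwarded
    that connection matches no statement and is dropped (swinterborn's caveat)."""
    client = Flow("tcp", "198.51.100.7", 40000, pat.public_ip, data_port)
    return pat.inbound(client) is not None


if __name__ == "__main__":
    pat = build_example()
    web = pat.inbound(Flow("tcp", "198.51.100.7", 51515, "203.0.113.10", 80))
    print("web request lands on", web.dst_ip, web.dst_port)
    reply = pat.outbound(Flow("tcp", "10.0.1.10", 80, "198.51.100.7", 51515))
    print("reply leaves as", reply.src_ip, reply.src_port)
    print("passive FTP data on 50000 forwarded?", passive_ftp_data_reaches_server(pat, 50000))
```

The model makes the two trade-offs in the comments concrete: anything not explicitly mapped is unreachable from outside, which is the security benefit of scenario 1, and a protocol that negotiates extra ports (passive FTP) or cannot be port-mapped at all (some IPsec VPNs) needs either additional statements or its own registered address.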
 

Author Comment by:hawkm
ID: 12175817
I think my boss will be more interested in the cheaper solution (only 1 public IP address). What do you think of the setup below?


INTERNET----ADSL ROUTER---Firewall----Switch----Servers
                  (Static Public IP)  (---------Private IP-------------)


I'm not sure about the brand or type of ADSL router our company will be using.

The Firewall we are using however is a WatchGuard Firebox 700. (with 1 internal interface, 1 external interface and 1 optional interface)

I'm thinking of using the WatchGuard Firebox to establish VPN connection.

What do you think?

Thanks a lot!
 
Accepted Solution by:swinterborn (earned 50 total points)
ID: 12177581
If you have access to a decent firewall, use it!

Use the optional interface on the Firebox to create a DMZ:

INTERNET---ADSL---Firewall-----LAN
                                |
                            Servers

This is a standard configuration, allowing you to place extremely restrictive rules on Internet/LAN traffic, open up pinholes for Internet/Server traffic, and pinholes for Server/LAN traffic.

As with any config like this, it will take some testing to verify exactly which ports need to be opened up between which servers for your apps - basic rule of thumb is, close everything and open up one port at a time until the app works.

For the paranoid and rich, the ideal solution would be 2 firewalls, not the same type, so if there was a flaw in one, the second would still protect the LAN:

INTERNET---ADSL---Firewall A-----Servers----Firewall B----LAN

Cheers
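As an added example (not the thread's or WatchGuard's configuration), a default-deny, first-match policy for the three-interface DMZ layout in the accepted solution, in Python. The zone address ranges, the server addresses and the specific pinholes (which DMZ server may reach which LAN port, what the LAN may do outbound) are assumptions chosen to show the shape of the rules; the policy is evaluated on the internal addresses, i.e. after any translation.

```python
"""Three-zone DMZ policy: external, optional (DMZ) and trusted (LAN).

Added example, not configuration from the original thread or from WatchGuard.
Zones, addresses and pinholes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Zone by address.  Anything not in a listed range is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("10.0.2.0/24"),   # optional interface (assumed)
    "lan": ipaddress.ip_network("10.0.1.0/24"),   # trusted interface (assumed)
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]            # None = any port
    action: str = "allow"
    src_host: Optional[str] = None     # None = any host in src_zone
    dst_host: Optional[str] = None     # None = any host in dst_zone

    def matches(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
        return (
            zone_of(src_ip) == self.src_zone
            and zone_of(dst_ip) == self.dst_zone
            and proto == self.proto
            and (self.dst_port is None or dst_port == self.dst_port)
            and (self.src_host is None or src_ip == self.src_host)
            and (self.dst_host is None or dst_ip == self.dst_host)
        )


class Firewall:
    """Decides new connections first-match; falling off the end means deny.
    Return traffic of an allowed connection is assumed to be handled by the
    firewall's state table and is not modelled."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        for r in self.rules:
            if r.matches(src_ip, dst_ip, proto, dst_port):
                return r.action
        return "deny"


def dmz_policy() -> Firewall:
    """Pinholes per the accepted solution; every host and port here is assumed."""
    return Firewall([
        # Internet -> Server: one pinhole per service, pinned to the one host that runs it
        Rule("internet", "dmz", "tcp", 80, dst_host="10.0.2.10"),   # web
        Rule("internet", "dmz", "tcp", 25, dst_host="10.0.2.20"),   # mail
        Rule("internet", "dmz", "tcp", 21, dst_host="10.0.2.30"),   # ftp control
        # Server -> LAN: only the mail relay, only to the internal mailstore's SMTP port
        Rule("dmz", "lan", "tcp", 25, src_host="10.0.2.20", dst_host="10.0.1.50"),
        # LAN -> Server: administration
        Rule("lan", "dmz", "tcp", 22),
        # LAN -> Internet: extremely restrictive, web browsing only
        Rule("lan", "internet", "tcp", 80),
        Rule("lan", "internet", "tcp", 443),
        # Internet -> LAN: nothing matches, so it is denied by default
    ])


def exposure(fw: Firewall, src_ip: str, dst_ip: str, proto: str, ports: Iterable[int]) -> List[int]:
    """Ports on dst_ip that a host at src_ip may open connections to: what a
    port scan from that vantage point (the Internet, or a compromised DMZ
    server) would find."""
    return sorted(p for p in ports if fw.decide(src_ip, dst_ip, proto, p) == "allow")


if __name__ == "__main__":
    fw = dmz_policy()
    print("Internet sees on web server:", exposure(fw, "198.51.100.7", "10.0.2.10", "tcp", range(1, 1025)))
    print("Internet sees on LAN host:  ", exposure(fw, "198.51.100.7", "10.0.1.5", "tcp", range(1, 1025)))
    print("Owned ftp server sees on LAN:", exposure(fw, "10.0.2.30", "10.0.1.50", "tcp", range(1, 1025)))
```

The `exposure` view is the practical form of "close everything and open one port at a time": scanning each zone pair from inside the model shows exactly what a pinhole exposes, and in particular that a compromised DMZ host (the ftp server here) can reach nothing on the LAN, which is the reason for the DMZ.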
 

Author Comment by:hawkm
ID: 12186268
Ok, I think I get you... Is this correct?

                          (PAT & NAT enabled)
INTERNET---------ADSL----------Firewall(Private IP)-----LAN
         (1 Static Public IP)      |               (Private IPs)
                                Switch
                                   |
                                Servers
                             (Private IPs)
 
Expert Comment by:swinterborn
ID: 12188820
That's it.
 

Author Comment by:hawkm
ID: 12196041
Thank you very much, you guys/gals!!! You've helped me a lot!