Solved

Registered IP addressing

Posted on 2004-09-27
Last Modified: 2010-04-10
Hi there,

My company wants to establish a VPN link, hosts its own web server, email server and ftp server (Each on a different machine). I'm a little unsure of the required number of registered (static) IP needed & how to set it up.

1. Can I use only ONE registered (static) IP address on a DNS server? This DNS server will then route the message to the other servers (ftp, web and email server) using private IP addresses. See the following:


INTERNET---router----DNS----Firewall----Switch---other server
             (Registered IP 1)      (Private IP address..................)


2. Or do I need to have a registered public IP address for each of my web, email, and ftp servers? See the following:


INTERNET-------router ------Web server  (Registered IP 1)
                                 ------Email server (Registered IP 2)
                                 ------ftp server     (Registered IP 3)
                                 ------Firewall ---------LAN
                                  (Registered IP 4)   (Private Address)
 
3. Or is there a better way to do this?

Pls clarify and thank you very much.

Confused,
hawkm
Question by:hawkm
 
LVL 3

Expert Comment

by:cagri
ID: 12167057
Things seem a bit confused;

1. DNS does not do the routing you are looking for; this conversion is called NAT (network address translation), or a special form of it, PAT (port address translation), and is performed by routers and firewalls. Almost all routers support these features, so you may use the existing router for the purpose.

What is to be done is to put static translation statements on the router like

static.ip port 80 maps to internal1.myorg.com port:80
static.ip port 23 maps to internal2.myorg.com port:21
static.ip port 25 maps to internal3.myorg.com port:25

and so on, so the router looks at the TCP/UDP port and forwards the packets to the appropriate server on the inside.

If you have enough external, static addresses, it is better to assign one for each of the important servers, since it gives you much more flexibility.

Hope this helps,
 
LVL 5

Expert Comment

by:swinterborn
ID: 12167726
You've got 2 basic scenarios:

1) Get a single public IP address, and use PAT as cagri says to map port numbers on the router to services behind the firewall.
2) Get multiple public IP addresses, one for each server.

How you do it is up to you: scenario 1 is cheaper (single public IP) and more secure (none of your servers are directly exposed) but more complex to set up. Scenario 2 is more expensive (more IPs) and less secure (servers are directly exposed) but easier to set up.

In addition, some of these services are not necessarily that easy to PAT: FTP can use a number of different ports (see http://slacksite.com/other/ftp.html), and some VPN solutions are impossible to PAT (eg, Win2k l2tp/ipsec).

NB, looking at your sample layout, you only have a router between the internet and your servers - this needs to be either running firewall software or replaced with a firewall. You do not want to put servers directly on the internet without control of what traffic is able to hit them.

Given all the above, the answer to your question is lots more questions - whatever route you go down, you need to understand exactly which implementations of the server technologies you are using (MS VPN, Cisco VPN, ......., MS FTP, etc), what the limitations of those technologies are, and what ports they are configured to use.

If you can post any details, we'll try and advise.
 

Author Comment

by:hawkm
ID: 12175817
I think my boss will be more interested in the cheaper solution (only 1 public IP address). What do you think of the setup below?


INTERNET----ADSL ROUTER---Firewall----Switch----Servers
                  (Static Public IP)  (---------Private IP-------------)


I'm not sure about the brand or type of ADSL router our company will be using.

The Firewall we are using however is a WatchGuard Firebox 700. (with 1 internal interface, 1 external interface and 1 optional interface)

I'm thinking of using the WatchGuard Firebox to establish VPN connection.

What do you think?

Thanks a lot!
LVL 5

Accepted Solution

by:
swinterborn earned 50 total points
ID: 12177581
If you have access to a decent firewall, use it!

Use the optional interface on the Firebox to create a DMZ:

INTERNET---ADSL---Firewall-----LAN
                                |
                            Servers

This is a standard configuration, allowing you to place extremely restrictive rules on Internet/LAN traffic, open up pinholes for Internet/Server traffic, and pinholes for Server/LAN traffic.

As with any config like this, it will take some testing to verify exactly which ports need to be opened up between which servers for your apps - basic rule of thumb is, close everything and open up one port at a time until the app works.

For the paranoid and rich, the ideal solution would be 2 firewalls, not the same type, so if there was a flaw in one, the second would still protect the LAN:

INTERNET---ADSL---Firewall A-----Servers----Firewall B----LAN

Cheers
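A small model, added here and not code from the thread or from WatchGuard, of the setup cagri and swinterborn describe: one registered address with PAT entries forwarding to servers on the DMZ (optional) interface, default deny between zones, and Server/LAN pinholes opened one at a time. All addresses, ports and the port-to-server mapping are constructed assumptions.

```python
"""Model of the single-public-IP design in this thread: PAT on the firewall to
DMZ servers (the Firebox "optional" interface) plus default deny between zones.
All addresses, ports and hosts are constructed sample values."""
from ipaddress import ip_address, ip_network
PUBLIC_IP = ip_address("203.0.113.10")           # the one registered (static) address
ZONES = {                                          # firewall interface -> subnet
    "dmz": ip_network("192.168.10.0/24"),         # optional interface: web/mail/ftp
    "lan": ip_network("192.168.1.0/24"),          # trusted interface: workstations
}
# PAT table: public port -> (DMZ server, internal port), the "static translation
# statements" from cagri's comment. FTP data connections are not covered by a
# single entry, which is swinterborn's caveat about PAT and FTP.
PAT = {
    80: (ip_address("192.168.10.2"), 80),        # web server
    25: (ip_address("192.168.10.3"), 25),        # mail server
    21: (ip_address("192.168.10.4"), 21),        # ftp control channel
}
# Server -> LAN pinholes, opened one at a time as the accepted answer suggests
DMZ_TO_LAN = {ip_address("192.168.10.3"): {(ip_address("192.168.1.5"), 389)}}

def zone_of(ip):
    """Name the zone an address belongs to; anything unmatched is the Internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def open_pinhole(server, lan_host, port):
    """Add one Server -> LAN rule ("open up one port at a time")."""
    DMZ_TO_LAN.setdefault(ip_address(server), set()).add((ip_address(lan_host), port))

def decide(src, dst, dport):
    """Apply PAT to a packet, then the zone policy. Returns
    (verdict, final destination, final port) with the address as a string."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    translated = False
    if dst_ip == PUBLIC_IP and dport in PAT:     # inbound hit on a forwarded port
        dst_ip, dport = PAT[dport]
        translated = True
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == "internet" and dst_zone == "dmz":
        allowed = translated                      # reachable only through PAT
    elif src_zone == "dmz" and dst_zone == "lan":
        allowed = (dst_ip, dport) in DMZ_TO_LAN.get(src_ip, set())
    elif src_zone == "lan":
        allowed = True                            # outbound from the trusted side
    else:
        allowed = False                           # default deny (Internet -> LAN etc.)
    return ("allow" if allowed else "deny", str(dst_ip), dport)
```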
 

Author Comment

by:hawkm
ID: 12186268
Ok, I think I get you... Is this correct?

                                           (PAT & NAT enabled)
INTERNET---------ADSL----------Firewall(Private IP)-----LAN
                 (1 Static Public IP)               |           (Private IPs)
                                                      Switch
                                                          |
                                                     Servers
                                                  (Private IPs)
 
LVL 5

Expert Comment

by:swinterborn
ID: 12188820
That's it
 

Author Comment

by:hawkm
ID: 12196041
Thank you very much, you guys/gals!!! You've helped me a lot!
