hawkm

asked:
Registered IP addressing

Hi there,

My company wants to establish a VPN link and hosts its own web server, email server and ftp server (each on a different machine). I'm a little unsure of the required number of registered (static) IPs needed and how to set it up.

1. Can I use only ONE registered (static) IP address on a DNS server? This DNS server would then route the messages to the other servers (ftp, web and email server) using private IP addresses. See the following:


INTERNET---router----DNS----Firewall----Switch---other server
             (Registered IP 1)      (Private IP address..................)


2. Or do I need to have a registered public IP address for each of my web, email and ftp servers? See the following:


INTERNET-------router ------Web server  (Registered IP 1)
                                 ------Email server (Registered IP 2)
                                 ------ftp server     (Registered IP 3)
                                 ------Firewall ---------LAN
                                  (Registered IP 4)   (Private Address)
 
3. Or is there a better way to do this?

Pls clarify and thank you very much.

Confused,
hawkm
cagri

Things seem a bit confused;

1. DNS does not do the routing you are looking for. This conversion is called NAT (network address translation), or a special form of it, PAT (port address translation), and is performed by routers and firewalls. Almost all routers support these features, so you may use the existing router for the purpose.

What is to be done is to put static translation statements on the router like

static.ip port 80 maps to internal1.myorg.com port:80
static.ip port 23 maps to internal2.myorg.com port:21
static.ip port 25 maps to internal3.myorg.com port:25

and so on, so the router looks at the TCP/UDP port and forwards the packets to the appropriate server on the inside.

If you have enough external, static addresses, it is better to assign one to each of the important servers, since it gives you much more flexibility.

Hope this helps,
You've got 2 basic scenarios:

1) Get a single public IP address, and use PAT as cagri says to map port numbers on the router to services behind the firewall.
2) Get multiple public IP addresses, one for each server.

How you do it is up to you: scenario 1 is cheaper (single public IP) and more secure (none of your servers are directly exposed) but more complex to set up. Scenario 2 is more expensive (more IPs), less secure (servers are directly exposed) but easier to set up.

In addition, some of these services are not necessarily that easy to PAT: FTP can use a number of different ports (see http://slacksite.com/other/ftp.html), and some VPN solutions are impossible to PAT (e.g. Win2k l2tp/ipsec).

NB, looking at your sample layout, you only have a router between the internet and your servers - this needs to be either running firewall software or replaced with a firewall. You do not want to put servers directly on the internet without control of what traffic is able to hit them.

Given all the above, the answer to your question is lots more questions - whatever route you go down, you need to understand exactly which implementations of the server technologies you are using (MS VPN, Cisco VPN, ......., MS FTP, etc), what the limitations of those technologies are, and what ports they are configured to use.

If you can post any details, we'll try and advise.
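To make the static PAT mapping cagri describes concrete, and to show why the reply above says FTP is hard to PAT, here is a small added illustration (not code from the thread or from any router or Firebox product). The public address 203.0.113.10, the private 192.168.1.x hosts and the client address are constructed placeholders.

```python
# Added example: a toy static PAT table in front of three internal servers,
# plus a parser for the FTP "227 Entering Passive Mode" reply that shows why
# the passive data connection never makes it through the translation.
# All addresses are constructed placeholders (TEST-NET / RFC 1918 ranges).
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # the single static public address

# external port -> (internal host, internal port), as in cagri's post
PAT_TABLE = {
    80: ("192.168.1.10", 80),   # web server
    21: ("192.168.1.11", 21),   # ftp server (control channel only)
    25: ("192.168.1.12", 25),   # email server
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def inbound(pkt: Packet):
    """Translate an Internet->LAN packet; None means the PAT box drops it."""
    if pkt.proto != "tcp" or pkt.dst != PUBLIC_IP:
        return None
    rule = PAT_TABLE.get(pkt.dport)
    if rule is None:
        return None             # no mapping for this port: nothing is exposed
    host, port = rule
    return Packet(pkt.proto, pkt.src, pkt.sport, host, port)

def outbound(pkt: Packet):
    """Reverse translation for a server reply so the client sees PUBLIC_IP."""
    for ext_port, (host, port) in PAT_TABLE.items():
        if pkt.src == host and pkt.sport == port:
            return Packet(pkt.proto, PUBLIC_IP, ext_port, pkt.dst, pkt.dport)
    return None                 # an unmapped internal host is invisible outside

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_data_endpoint(reply: str):
    """Parse an FTP 227 reply into the (host, port) the client will dial."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def passive_ftp_works(reply: str) -> bool:
    """Does the client's data connection get through the static PAT table?"""
    host, port = pasv_data_endpoint(reply)
    # The server advertises its private address and a high port; neither is
    # in PAT_TABLE, so the data connection is dropped (an FTP-aware ALG or
    # extra static mappings would be needed).
    return inbound(Packet("tcp", "198.51.100.7", 40002, host, port)) is not None
```

Running `passive_ftp_works("227 Entering Passive Mode (192,168,1,11,195,221).")` returns False, while a plain web request to port 80 is translated to the internal web server.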
hawkm (ASKER)

I think my boss will be more interested in the cheaper solution (only 1 public IP address). What do you think of the setup below?


INTERNET----ADSL ROUTER---Firewall----Switch----Servers
                  (Static Public IP)  (---------Private IP-------------)


I'm not sure about the brand or type of ADSL router our company will be using.

The Firewall we are using however is a WatchGuard Firebox 700. (with 1 internal interface, 1 external interface and 1 optional interface)

I'm thinking of using the WatchGuard Firebox to establish VPN connection.

What do you think?

Thanks a lot!
ASKER CERTIFIED SOLUTION
swinterborn

This solution is only available to members.
hawkm (ASKER)

Ok, I think I get u... Is this correct?

                                           (PAT & NAT enabled)
INTERNET---------ADSL----------Firewall(Private IP)-----LAN
                 (1 Static Public IP)               |           (Private IPs)
                                                      Switch
                                                          |
                                                     Servers
                                                  (Private IPs)
That's it
hawkm (ASKER)

Thank you very much, you guys/gals!!! You've helped me a lot!