Registered IP addressing

Hi there,

My company wants to establish a VPN link and hosts its own web server, email server and FTP server (each on a different machine). I'm a little unsure of the required number of registered (static) IPs and how to set it up.

1. Can I use only ONE registered (static) IP address, on a DNS server? This DNS server would then route the messages to the other servers (FTP, web and email server) using private IP addresses. See the following:


INTERNET---router----DNS----Firewall----Switch---other server
             (Registered IP 1)      (Private IP address..................)


2. Or do I need a registered public IP address for each of my web, email and FTP servers? See the following:


INTERNET-------router ------Web server  (Registered IP 1)
                                 ------Email server (Registered IP 2)
                                 ------ftp server     (Registered IP 3)
                                 ------Firewall ---------LAN
                                  (Registered IP 4)   (Private Address)
 
3. Or is there a better way to do this?

Please clarify, and thank you very much.

Confused,
hawkm
 
swinterborn commented:
If you have access to a decent firewall, use it!

Use the optional interface on the Firebox to create a DMZ:

INTERNET---ADSL---Firewall-----LAN
                                |
                            Servers

This is a standard configuration, allowing you to place extremely restrictive rules on Internet/LAN traffic, open up pinholes for Internet/Server traffic, and pinholes for Server/LAN traffic.

As with any config like this, it will take some testing to verify exactly which ports need to be opened up between which servers for your apps; the basic rule of thumb is: close everything and open up one port at a time until the app works.

For the paranoid and rich, the ideal solution would be 2 firewalls, not of the same type, so if there was a flaw in one, the second would still protect the LAN:

INTERNET---ADSL---Firewall A-----Servers----Firewall B----LAN

Cheers
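The three-zone layout swinterborn describes (Internet / servers on the optional interface / LAN) comes down to a default-deny policy with a handful of explicit pinholes. The following is an added example written for this thread, not the Firebox's own rule syntax: zone names, the 10.0.x.x server and database addresses and the application ports are all assumed. It evaluates a flow against the pinhole list and also derives the narrowest pinhole set from flows observed while testing an application, which is the "open one port at a time" procedure in code.

```python
"""Default-deny, three-zone policy for a DMZ on the firewall's optional
interface.  Added example: zone names, addresses and ports are assumed."""
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp" or "udp"
    dst_port: int
    src_host: Optional[str]     # None = any host in src_zone
    dst_host: Optional[str]     # None = any host in dst_zone


class Flow(NamedTuple):
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    proto: str
    dst_port: int


# Assumed addressing: DMZ servers on the optional interface, database on the LAN.
WEB, MAIL, FTP = "10.0.2.10", "10.0.2.20", "10.0.2.30"
DB = "10.0.1.5"

PINHOLES: List[Rule] = [
    # Internet -> DMZ: exactly the published services, each to exactly one host
    Rule("INTERNET", "DMZ", "tcp", 80, None, WEB),
    Rule("INTERNET", "DMZ", "tcp", 25, None, MAIL),
    Rule("INTERNET", "DMZ", "tcp", 21, None, FTP),
    # DMZ -> LAN: only the web server, only to the database port
    Rule("DMZ", "LAN", "tcp", 1433, WEB, DB),
    # LAN -> DMZ: administration of the servers
    Rule("LAN", "DMZ", "tcp", 22, None, None),
    # LAN -> Internet: browsing.  Note there is no Internet -> LAN rule at all.
    Rule("LAN", "INTERNET", "tcp", 80, None, None),
    Rule("LAN", "INTERNET", "tcp", 443, None, None),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.src_zone == flow.src_zone
        and rule.dst_zone == flow.dst_zone
        and rule.proto == flow.proto
        and rule.dst_port == flow.dst_port
        and rule.src_host in (None, flow.src_host)
        and rule.dst_host in (None, flow.dst_host)
    )


def decide(flow: Flow, policy: List[Rule] = PINHOLES) -> Tuple[str, Optional[int]]:
    """Return ("allow", index of the first matching pinhole) or ("deny", None).

    Traffic between hosts on the same interface never reaches the firewall,
    so it is reported as allowed with no rule.  Anything else that is not
    explicitly pinholed is dropped; that default is what makes the DMZ a DMZ.
    """
    if flow.src_zone == flow.dst_zone:
        return ("allow", None)
    for i, rule in enumerate(policy):
        if matches(rule, flow):
            return ("allow", i)
    return ("deny", None)


def pinholes_from_flows(flows: List[Flow]) -> List[Rule]:
    """Turn flows observed while testing an application into the narrowest
    rule set: one host-to-host pinhole per distinct (zones, proto, port,
    src, dst) and nothing wider.  Duplicates collapse; order is preserved."""
    derived: List[Rule] = []
    for f in flows:
        r = Rule(f.src_zone, f.dst_zone, f.proto, f.dst_port, f.src_host, f.dst_host)
        if r not in derived:
            derived.append(r)
    return derived
```

The two checks worth keeping in mind from this model: a compromised FTP server in the DMZ cannot reach the database, because the DMZ-to-LAN pinhole names the web server as the source, and port 80 from the Internet reaches the web host only, not every host in the DMZ.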
 
cagri commented:
Things seem a bit confused;

1. DNS does not do the routing you are looking for; this conversion is called NAT (network address translation), or a special form of it, PAT (port address translation), and it is performed by routers and firewalls. Almost all routers support these features, so you may use the existing router for the purpose.

What is to be done is to put static translation statements on the router like

static.ip port 80 maps to internal1.myorg.com port 80
static.ip port 21 maps to internal2.myorg.com port 21
static.ip port 25 maps to internal3.myorg.com port 25

and so on, so the router looks at the TCP/UDP port and forwards the packets to the appropriate server on the inside.

If you have enough external static addresses, it is better to assign one for each of the important servers, since it gives you much more flexibility.

Hope this helps,
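The static translation statements cagri sketches, modelled as a runnable PAT table plus the equivalent Linux iptables rules. This is an added example written for this thread, not code from the thread or from any router vendor: the public address 203.0.113.5 (RFC 5737 documentation range), the 192.168.1.x private hosts and the interface name eth0 are assumed. The model shows the two halves of PAT that the one-liner statements hide: the destination rewrite on the way in, and the matching source rewrite on the server's reply, which only happens for packets that belong to a session the router already translated.

```python
"""Static PAT on a single public address: a runnable model and the
equivalent iptables rules.  Added example; addresses and eth0 are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # assumed single registered address
EXT_IF = "eth0"             # assumed external interface

# (proto, public port) -> (private host, private port): one entry per published service
STATIC_PAT: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("tcp", 80): ("192.168.1.10", 80),   # internal1: web
    ("tcp", 21): ("192.168.1.11", 21),   # internal2: ftp control channel
    ("tcp", 25): ("192.168.1.12", 25),   # internal3: mail
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """Translate on the basis of destination port and remember each session so
    the server's replies get their source rewritten back to the public address."""

    def __init__(self, public_ip: str, table: Dict[Tuple[str, int], Tuple[str, int]]):
        self.public_ip = public_ip
        self.table = table
        # (proto, client ip, client port) -> public port the client connected to.
        # Simplification: a client reusing one source port towards two public
        # ports would overwrite its own entry; a real conntrack keys on all five.
        self.sessions: Dict[Tuple[str, str, int], int] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet. Returns the DNATed packet, or None to drop."""
        if pkt.dst != self.public_ip:
            return None
        target = self.table.get((pkt.proto, pkt.dport))
        if target is None:
            return None                       # no static mapping: drop, never guess
        host, port = target
        self.sessions[(pkt.proto, pkt.src, pkt.sport)] = pkt.dport
        return Packet(pkt.proto, pkt.src, pkt.sport, host, port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from an internal server. Only packets that belong to a
        translated session, and come from the server that mapping names,
        are rewritten to public_ip:public_port and forwarded."""
        pub_port = self.sessions.get((pkt.proto, pkt.dst, pkt.dport))
        if pub_port is None:
            return None
        if self.table.get((pkt.proto, pub_port)) != (pkt.src, pkt.sport):
            return None                       # not the server this session was mapped to
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst, pkt.dport)


def iptables_rules(public_ip: str = PUBLIC_IP,
                   table: Dict[Tuple[str, int], Tuple[str, int]] = STATIC_PAT,
                   ext_if: str = EXT_IF) -> List[str]:
    """Netfilter equivalent: DNAT in nat/PREROUTING plus one explicit FORWARD
    accept per pinhole on top of a default-DROP FORWARD chain."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (proto, pub_port), (host, port) in sorted(table.items()):
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -d {public_ip} -p {proto} "
            f"--dport {pub_port} -j DNAT --to-destination {host}:{port}")
        rules.append(
            f"iptables -A FORWARD -i {ext_if} -p {proto} -d {host} --dport {port} "
            f"-m state --state NEW -j ACCEPT")
    return rules
```

A packet to the public address on a port with no mapping (port 23, say) is simply dropped; that is the property swinterborn is pointing at when he says none of the servers is directly exposed under scenario 1.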
 
swinterborn commented:
You've got 2 basic scenarios:

1) Get a single public IP address, and use PAT as cagri says to map port numbers on the router to services behind the firewall.
2) Get multiple public IP addresses, one for each server.

How you do it is up to you: scenario 1 is cheaper (single public IP) and more secure (none of your servers are directly exposed), but more complex to set up. Scenario 2 is more expensive (more IPs) and less secure (servers are directly exposed), but easier to set up.

In addition, some of these services are not necessarily that easy to PAT: FTP can use a number of different ports (see http://slacksite.com/other/ftp.html), and some VPN solutions are impossible to PAT (e.g. Win2k L2TP/IPsec).

NB, looking at your sample layout, you only have a router between the internet and your servers - this needs to be either running firewall software or replaced with a firewall. You do not want to put servers directly on the internet without control of what traffic is able to hit them.

Given all the above, the answer to your question is lots more questions - whatever route you go down, you need to understand exactly which implementations of the server technologies you are using (MS VPN, Cisco VPN, ......., MS FTP, etc), what the limitations of those technologies are, and what ports they are configured to use.

If you can post any details, we'll try and advise.
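swinterborn's point that FTP "can use a number of different ports" is worth seeing concretely, because it is the reason a plain port-80/21/25 PAT table is not enough for the FTP server. The address and port of every data connection are carried as text inside the control channel (a PASV reply from the server, or a PORT command from the client), so a NAT box has to parse those lines, rewrite the private address to the public one, and open the data port on the fly. The code below is an added example for this thread, not code from any firewall: the public address 203.0.113.5, the private FTP server 192.168.1.11 and the sample control-channel lines are constructed.

```python
"""Why FTP does not PAT cleanly: data-connection addresses travel inside the
control channel, so the NAT must parse and rewrite them (an FTP 'ALG').
Added example; the addresses and sample lines are constructed."""
import re
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

PUBLIC_IP = "203.0.113.5"      # assumed single registered address
FTP_SERVER = "192.168.1.11"    # assumed private address of the FTP server

# Both forms carry h1,h2,h3,h4,p1,p2: the IPv4 octets, then the port as two bytes.
PASV_REPLY = re.compile(r"^(227 .*?)\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)(.*)$")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def decode(fields: Sequence[str]) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def pasv_reply_from_server(line: str) -> Optional[Tuple[str, int]]:
    """Passive mode: the server names the address:port the client must connect to."""
    m = PASV_REPLY.match(line.rstrip("\r\n"))
    return decode(m.groups()[1:7]) if m else None


def rewrite_pasv_reply(line: str, private_ip: str = FTP_SERVER,
                       public_ip: str = PUBLIC_IP):
    """The ALG step on the firewall: replace the private address in the text the
    client will see with the public one, and report the temporary pinhole the
    client's data connection needs (public ip, port -> private ip, port).

    Returns (rewritten line, pinhole) or (line unchanged, None) when the line is
    not a PASV reply announcing our server's private address."""
    m = PASV_REPLY.match(line.rstrip("\r\n"))
    if not m:
        return line, None
    ip, port = decode(m.groups()[1:7])
    if ip != private_ip:
        return line, None
    new_line = f"{m.group(1)}({encode(public_ip, port)}){m.group(8)}\r\n"
    return new_line, (public_ip, port, private_ip, port)


def port_command_from_client(line: str) -> Optional[Tuple[str, int]]:
    """Active mode: the client names its own address:port and the server then
    connects *out* to it (classically from port 20), so the firewall must allow
    that outbound connection from the server as well."""
    m = PORT_CMD.match(line.rstrip("\r\n"))
    return decode(m.groups()) if m else None


def announces_rfc1918(ip: str) -> bool:
    """An address from a PASV reply or PORT command that is RFC 1918 private is
    unroutable across the Internet: without the rewrite above, a client would
    try to open its data connection to 192.168.x.x and hang."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)
```

The same problem, in mirror image, is why an FTP client that is itself behind NAT fails in active mode: its PORT command announces a private address the server cannot reach. That is the kind of implementation-specific detail swinterborn means when he says the answer depends on which server and VPN products are in use.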
 
hawkm (author) commented:
I think my boss will be more interested in the cheaper solution (only 1 public IP address). What do you think of the setup below?


INTERNET----ADSL ROUTER---Firewall----Switch----Servers
                  (Static Public IP)  (---------Private IP-------------)


I'm not sure about the brand or type of ADSL router our company will be using.

The Firewall we are using however is a WatchGuard Firebox 700. (with 1 internal interface, 1 external interface and 1 optional interface)

I'm thinking of using the WatchGuard Firebox to establish VPN connection.

What do you think?

Thanks a lot!
 
hawkm (author) commented:
OK, I think I get you... Is this correct?

                                           (PAT & NAT enabled)
INTERNET---------ADSL----------Firewall(Private IP)-----LAN
                 (1 Static Public IP)               |           (Private IPs)
                                                      Switch
                                                          |
                                                     Servers
                                                  (Private IPs)
 
swinterborn commented:
That's it.
 
hawkm (author) commented:
Thank you very much, you guys/gals!!! You've helped me a lot!