Solved

Firewall

Posted on 2005-03-30
14
Medium Priority
236 Views
Last Modified: 2013-11-16
We recently expanded our office to a second floor and I need to have those computers use the same router for internet connection. Here is the setup.

There is a Netopia router connected to a Symantec Gateway Firewall that is connected to a couple of switches that connect the computers. After moving the web/exchange server and some workstations to the second office, I realized that the web/exchange server had an external address and was connected directly to the router and not going through the firewall.

Dilemma: The connection up from the second floor is one single link. Where do I plug the cable into? If I connect it to the switch that is behind the firewall then the web/exchange server will not be able to be utilized; however, the workstations will be fine because their IP addresses are subnetted in the firewall. If I connect it directly to the router then the workstations are causing collisions on the router and firewall ("LAN IP x.x.x.x is SPOOFED"), which is bringing my network down to a crawl.

Tidbits: All workstations (both floors) are members of the same domain/LAN except the web/exchange server.

What should I do?
Question by:yrwright
14 Comments
 
LVL 6

Expert Comment

by:ryandale56
ID: 13664059
first off, you should not have had that web/exchange server in front of your firewall, that's bad.  here is what you do:

run one cat5(e) cable from the switch downstairs to the switch upstairs (if possible use gigabit ports on both switches).
assign your web/exchange server a private IP address (this should be statically set).
on the firewall you need to alias the web/exchange server external IP address to the new statically set private IP address (i.e. 68.6.22.22 -> 192.168.1.200)
set firewall rules to allow access to necessary ports on 192.168.1.200 from any interface (probably just 80, 443, 25, 110).

then you should be good to go.
0
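The two firewall behaviours this thread turns on, the "LAN IP x.x.x.x is SPOOFED" message from the question and the 1:1 alias plus port allow-list ryandale56 describes, modelled as an added example (not code from the thread or from the Symantec product; the subnet, the 68.6.22.22 -> 192.168.1.200 mapping and the port list are taken from ryandale56's comment, the interface names are assumptions):

```python
import ipaddress

# Constructed topology using the example values from ryandale56's comment:
# the firewall's private LAN subnet, the public-to-private alias for the
# web/exchange box, and the services he suggests exposing (80, 443, 25, 110).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
STATIC_NAT = {ipaddress.ip_address("68.6.22.22"): ipaddress.ip_address("192.168.1.200")}
REVERSE_NAT = {inside: outside for outside, inside in STATIC_NAT.items()}
ALLOWED_PORTS = {80, 443, 25, 110}


def is_spoofed(iface, src):
    """Anti-spoofing check: a packet arriving on the WAN side whose source is
    inside the LAN subnet is exactly what the firewall logs as
    'LAN IP ... is SPOOFED'. Plugging LAN workstations into the router side
    of the firewall (as in the question) triggers this for every packet."""
    return iface == "wan" and ipaddress.ip_address(src) in LAN_NET


def filter_inbound(iface, src, dst, dport):
    """Inbound half of the 1:1 NAT. Returns (verdict, translated destination).
    Only the aliased public address is rewritten, and only for allowed ports;
    everything else is dropped by default."""
    if is_spoofed(iface, src):
        return ("drop-spoofed", None)
    dst = ipaddress.ip_address(dst)
    if iface == "wan" and dst in STATIC_NAT:
        inside = STATIC_NAT[dst]
        if dport in ALLOWED_PORTS:
            return ("accept", f"{inside}:{dport}")
        return ("drop-port", None)
    return ("drop-default", None)


def translate_outbound(src):
    """Outbound half of the 1:1 NAT: replies (and outgoing mail) from the
    private address leave with the public address, so the mapping is
    symmetric and the server keeps its existing external identity."""
    src = ipaddress.ip_address(src)
    return str(REVERSE_NAT.get(src, src))
```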
 

Author Comment

by:yrwright
ID: 13664485
Tks ryandale56

I thought about doing that, but are firewalls able to be configured with 2 different WAN IP addresses for these?

Example LAN: Router(34.234.12.1) -> Firewall(Wan 34.234.12.2/Lan 123.123.123.2) -> LAN 123.123.123.xx(80,443,8443,25,110)
Example Webserver: Router(34.234.12.1) -> Web/Exchange server 34.234.12.3(80,443,25,110)

The Web/exchange server is not on our current LAN; it is a separate entity just for the webforms to be emailed.
I can't add that server to our domain to utilize that block of subnetted IPs.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13665481
What firewall make and model do you have?
Router?
0
 

Author Comment

by:yrwright
ID: 13665902
Netopia Router
Symantec Gateway Security 440 Firewall

I know that it is a bad idea to have anything outside of a firewall, but I am just trying to clean up an inherited mess.
0
 

Author Comment

by:yrwright
ID: 13665992
If the firewall doesn't have the ability to configure and redirect 2 WAN IPs, I suppose I could get an additional firewall and configure this server to hit that firewall as the gateway, so that the website would keep the WAN IP (which would actually be the firewall) and the redirect would go to the server, which would be subnetted (private).

What do you think?
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13665998
Do you have to have the Exchange server where you now put it?
How many servers do you have?
Do you only have one connection between the floors?  One cable?
Do you have a layer three switch?  (doubt it, but thought I'd ask)
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13666006
Hold on . . . I'm checking its capabilities.
0
 
LVL 13

Accepted Solution

by:gpriceee (earned 2000 total points)
ID: 13666102
Well, that plan will work.  Usually, a firewall for this situation has a dmz, the logical place to connect servers that can be hit from the internet.
By adding another firewall, you're creating a dmz; however, the LAN traffic needs to know how to get to the server as well.

What would work BEST is a firewall with a dmz.

Some Netopia routers are also firewalls with a built-in dmz.  Are you sure you don't have a Netopia with a built-in firewall and dmz?
If you do, you simply might have broken the connection from the exchange box to the Netopia dmz.
One note, though.  The Exchange address should be NATed to a non-routable address.
0
 

Author Comment

by:yrwright
ID: 13666197
I don't have to have the Exchange server in that location, if that is what you are asking. That server only supports an external website that is form driven. On the webserver the forms are submitted to Exchange, which routes them to 1 mailbox that sends a copy to a helpdesk offsite.
I have 1 2003 Exchange server and 2 2003 DCs (Electra/Voyager) for my LAN. They cannot in any way be associated with this other Web/Exchange server (Xena), which is why it is alone. The workstations on the 2nd floor are members of the Electra domain.
There is only one connection/cable between the floors.
I don't have a 3rd layer switch in place but I do have a gigabit switch that I could use if needed.
0
 

Author Comment

by:yrwright
ID: 13666263
The only problem is that I am not in charge of our router. I have a block of WAN IPs I can use. The Router is handled by SpeakEasy. I am not totally familiar with setting up a DMZ, I just received this firewall about a week ago.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13666272
If you don't need the server to be in its new location, move it back.
After you're up and running--because you were this way before--and your company can continue business, check the Netopia to see if it has a dmz.

You really are just looking to get back up and running at this point.
In the future, we might examine your network diagram.
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13666299
Control what you can.
Get your business up and running.
Then ask SpeakEasy if they set up a dmz.  If not, let them know you want one.
0
 

Author Comment

by:yrwright
ID: 13666423
gpriceee

Ok, I will do that and continue to research the DMZ for the router.
Tks Much

yrwright
0
 
LVL 13

Expert Comment

by:gpriceee
ID: 13722190
Is this question closed?
0