  • Status: Solved
  • Priority: Medium
  • Security: Public
Firewall

We recently expanded our office to a second floor and I need to have those computers use the same router for their internet connection. Here is the setup.

There is a Netopia router connected to a Symantec Gateway Firewall that is connected to a couple of switches that connect the computers. After moving the web/exchange server and some workstations to the second office, I realized that the web/exchange server had an external address and was connected directly to the router, not going through the firewall.

Dilemma: The connection up from the second floor is one single link. Where do I plug the cable in? If I connect it to the switch that is behind the firewall, then the web/exchange server will not be usable; the workstations will be fine, however, because their IP addresses are subnetted in the firewall. If I connect it directly to the router, then the workstations cause collisions on the router and the firewall logs "LAN IP x.x.x.x is SPOOFED", which brings my network down to a crawl.

Tidbits: All workstations (both floors) are members of the same domain/LAN except the web/exchange server.

What should I do?
Asked by yrwright

1 Solution
ryandale56 commented:
First off, you should not have had that web/exchange server in front of your firewall; that's bad. Here is what you do:

Run one Cat5(e) cable from the switch downstairs to the switch upstairs (if possible, use gigabit ports on both switches).
Assign your web/exchange server a private IP address (this should be statically set).
On the firewall, alias the web/exchange server's external IP address to the new statically set private IP address (i.e. 68.6.22.22 -> 192.168.1.200).
Set firewall rules to allow access to the necessary ports on 192.168.1.200 from any interface (probably just 80, 443, 25, 110).

then you should be good to go.
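As an added illustration, not part of the thread or of any vendor's firewall: a small Python model of the fix ryandale56 describes (1:1 NAT of 68.6.22.22 to 192.168.1.200 with only ports 80, 443, 25 and 110 published) together with the ingress anti-spoofing check that produces the "LAN IP x.x.x.x is SPOOFED" log from the question. The 192.168.1.0/24 LAN range, the interface names and the sample addresses are assumptions.

```python
# Added example (not from the thread): models a 1:1 NAT publish rule plus the
# anti-spoofing check that fires when LAN hosts sit on the router (WAN) side.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")                     # assumed inside range
NAT_MAP = {ip_address("68.6.22.22"): ip_address("192.168.1.200")}  # public -> private
ALLOWED_PORTS = {80, 443, 25, 110}                          # ports the answer lists


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan" (assumed names)
    src: str
    dst: str
    dport: int


def evaluate(pkt: Packet):
    """Return (verdict, detail) for an inbound packet on the firewall.

    Verdicts: DROP, ACCEPT, or NAT (destination rewritten to the private host).
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Anti-spoofing: a source inside the LAN range must never show up on the
    # WAN interface. This is exactly what happened when the second-floor
    # workstations were cabled to the router instead of behind the firewall.
    if pkt.iface == "wan" and src in LAN_NET:
        return "DROP", f"LAN IP {src} is SPOOFED on wan"

    # Published server: translate the public address, but only for listed ports.
    if pkt.iface == "wan" and dst in NAT_MAP:
        if pkt.dport not in ALLOWED_PORTS:
            return "DROP", f"port {pkt.dport} not published for {dst}"
        return "NAT", f"{dst}:{pkt.dport} -> {NAT_MAP[dst]}:{pkt.dport}"

    # Ordinary outbound traffic from the inside network.
    if pkt.iface == "lan" and src in LAN_NET:
        return "ACCEPT", "outbound from LAN"

    return "DROP", "no matching rule"
```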
yrwright (Author) commented:
Tks ryandale56

I thought about doing that, but are firewalls able to be configured with 2 different WAN IP addresses for these?

Example LAN: Router(34.234.12.1) -> Firewall(Wan 34.234.12.2/Lan 123.123.123.2) -> LAN 123.123.123.xx(80,443,8443,25,110)
Example Webserver: Router(34.234.12.1) -> Web/Exchange server 34.234.12.3(80,443,25,110)

The web/exchange server is not on our current LAN; it is a separate entity just for the web forms to be emailed.
I can't add that server to our domain to utilize that block of subnetted IPs.
gpriceee commented:
What firewall make and model do you have?
Router?
yrwright (Author) commented:
Netopia Router
Symantec Gateway Security 440 Firewall

I know that it is a bad idea to have anything outside of a firewall, but I am just trying to clean up an inherited mess.
yrwright (Author) commented:
If the firewall doesn't have the ability to configure and redirect 2 WAN IPs, I suppose I could get an additional firewall and configure this server to use that firewall as its gateway, so that the website would keep the WAN IP (which would actually be the firewall) and the redirect would go to the server, which would be subnetted (private).

What do you think?
gpriceee commented:
Do you have to have the Exchange server where you now put it?
How many servers do you have?
Do you only have one connection between the floors?  One cable?
Do you have a layer three switch?  (doubt it, but thought I'd ask)
gpriceee commented:
Hold on . . . I'm checking its capabilities.
gpriceee commented:
Well, that plan will work. Usually, a firewall for this situation has a DMZ, the logical place to connect servers that can be reached from the internet.
By adding another firewall, you're creating a DMZ; however, the LAN traffic needs to know how to get to the server as well.

What would work BEST is a firewall with a DMZ.

Some Netopia routers are also firewalls with a built-in DMZ. Are you sure you don't have a Netopia with a built-in firewall and DMZ?
If you do, you might simply have broken the connection from the Exchange box to the Netopia DMZ.
One note, though: the Exchange address should be NATed to a non-routable address.
yrwright (Author) commented:
I don't have to have the Exchange server in that location, if that is what you are asking. That server only supports an external website that is form driven. On the web server the forms are submitted to Exchange, which routes them to 1 mailbox that sends a copy to a helpdesk offsite.
I have one 2003 Exchange server and two 2003 DCs (Electra/Voyager) for my LAN. They cannot in any way be associated with this other web/Exchange server (Xena), which is why it is alone. The workstations on the 2nd floor are members of the Electra domain.
There is only one connection/cable between the floors.
I don't have a layer 3 switch in place, but I do have a gigabit switch that I could use if needed.
yrwright (Author) commented:
The only problem is that I am not in charge of our router. I have a block of WAN IPs I can use. The Router is handled by SpeakEasy. I am not totally familiar with setting up a DMZ, I just received this firewall about a week ago.
gpriceee commented:
If you don't need the server to be in its new location, move it back.
After you're up and running (you were this way before) and your company can continue business, check the Netopia to see if it has a DMZ.

You really are just looking to get back up and running at this point.
In the future, we might examine your network diagram.
gpriceee commented:
Control what you can.
Get your business up and running.
Then ask SpeakEasy if they set up a DMZ. If not, let them know you want one.
yrwright (Author) commented:
gpriceee

Ok, I will do that and continue to research the DMZ for the router.
Tks Much

yrwright
gpriceee commented:
Is this question closed?