?
Solved

Need some help with multi IP on single LAN

Posted on 2005-04-30
11
Medium Priority
?
284 Views
Last Modified: 2010-04-10
I have a DSL line with 5 static IP, going into an modem/router, the network has 12 work stations and 3 servers (2xNT4 and 1x2000srv), I cant figure out how I can run Exchange on each of the server (ES55 on the NT4 boxes and ES2000 on 2000srv each hosting a separate MX) but still have the router running DHCP so each workstation will obtain an IP automatically and able to access the servers.

How can I map 3 of the static IP to the 3 servers and then the forth one for the router's DHCP to spread to the workstations ?

If this is not the way to do it, what would be the solution ?

Thanks for any help
0
Comment
Question by:robertdims
  • 2
  • 2
  • 2
  • +4
10 Comments
 
LVL 1

Expert Comment

by:ender78
ID: 13902919
There are two possible solutions your ability to do what you need will depend on your hardware (most Cisco routers will allow you to do this)

- give each server a real IP without any NAT , use one IP for NAT and have users share one IP
- all servers and workstations get private IPs, the external IPs are then assigned a one to one NAT mappping while the workstations share.

Let us know what hardware you have and we can take it from there.
0
 
LVL 5

Expert Comment

by:francrl
ID: 13902923
I am a little confused by exactly what you mean here. I think what you are saying is you want to NAT (breaks one ip into multiple ips) behind the router, but your servers are also behind the router and you want them to use real ips. I am pretty sure you cant do this, but I need a little more information about what harware your using, mainly the router model. The alternative solution would to run NAT and DHCP on one of the servers instead of the router.
0
 
LVL 1

Expert Comment

by:ender78
ID: 13903380
Lets define the terms NAT and PAT (the terms get confused and abused)

NAT = One Outside IP Mapped to One Inside IP - translation is just IP to IP, no port flipping takes place
PAT = One Outside IP Mapped to Many Inside IPs - translation is done on port and internal IP

Here is how I would set things up (this is a somewhat inexpensive solution)

Plug a small switch directly into the modem, give each server a public IP (easiser than NAT),  plug a small DSL/Cable router into the same switch and give its outside interface a public IP.  All internal workstations can be given private IPs by the DSL router.

Should you need enhanced security and if you want your workstations to talk to the mail servers on a private network either get two network cards for each server or go the NAT route.  Going NAT will rasise consts significantly as having a router with multiple routed interfaces is expensive.

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 17

Expert Comment

by:ccomley
ID: 13903650
Sadly, ender78, your definition only works for Cisco kit, everyone else refers to these differetly.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 13903654
Whatever your router/firewall device is will have to cope - you chose not to tell us what that is so we can only give you generic hints. :-)

But you need to set up your NAT maping something like this. Assuming your "public" IP range is 212.123.123.0 through 8

212.123.123.1 - your router
212.123.123.2 - one-to-one - First server (say - 192.168.1.100)
212.123.123.3 - one-to-one - Second server (say - 192.168.1.101)
212.123.123.4 - one-to-one - Third server (say - 192.168.1.102)
212.123.123.5 - one-to-many - DHCP scope (say - 192.168.1.30-99)

0
 
LVL 4

Author Comment

by:robertdims
ID: 13903789
Hi
Many thanks for the replies, I think ccomley's theory/method is just what I have in mind on how to make the setup work, the router I have for this setup is an Safecom SWAMRU-54108 type model ADSL Modem Router with PS and Wireless, I got 4 of these as they were very cheap at the time when I needed ones with VPN tunnels for testing.

I also have a Edimax ADSL router.

The IPs coming in are ( some digits changed for ID privacy)

 Number of IP addresses: 8
 IP addresses: 82.70.200.8 - 82.70.200.15
 Subnet mask: 255.255.255.248
 Subnet in slash notation: 82.70.200.8 /29
 Network address: 82.70.200.8
 Broadcast address: 82.70.200.15
 Router address: 82.70.200.14
 Number of IP addresses usable by your hosts: 5

Thanks again for all your help.

0
 
LVL 10

Expert Comment

by:snerkel
ID: 13903878
Have you tried the Safecom support forum, this thread covers using multiple routable IPs http://adsltech.com/portal/forum/forum_posts.asp?TID=1759&PN=1&TPN=17

Maybe asking a question on that forum will get you specific help with this.
0
 
LVL 6

Expert Comment

by:BILJAX
ID: 13904204
the one to one NAT is the way to go.


However, if you don't want all the servers to be public to the internet(DC shouldn't be publicised), Exchannge should be 1to1NAT, the Web/whateverserver should be 1to1nNAT.  However, after reading your original post (which I should have to begin with), you just need to setup the onetoone nat for the three IPS and you really don't need to setup a public IP for the workstations, just let them get DCHP from behind the router/firewall.



AC
0
 
LVL 27

Accepted Solution

by:
pseudocyber earned 1500 total points
ID: 13908170
I've read this whole thread looking for someone to mention firewall.  Finally, Biljax did.

Yes, a firewall is what you need.

Your public IP's should sit in a DMZ network and your inside machines in another.  So, a 3 port Ethernet firewall at a minimum.

I would put the machines you want accessible in a DMZ and do a STATIC NAT to them so that your public IP 82.x.x.10 = 10.0.1.10 (for instance).  In your firewall rules, you allow the Internet to access this network with whichever port/service you want to advertise, but ONLY those ports you want to allow.  The machines in your DMZ need to be "locked down" so that ONLY the services you need are running, they don't contain ANY other sensitve data, and they're well maintained with OS and App service packs and patches.

In your private space, you can use NAT/PAT One to Many translation so that only one of your IP's becomes the rest of your private network.  So, 82.x.x.14 = 192.168.1.0/24 for instance.

Then your firewall is configured to drop all incoming spoofed IP's which are private coming from the Internet, so you would DROP ALL INBOUND 10.x.x.x or 192.168.x.x or 172.16.x.x traffic.  Your firewall would have a rule which would allow inside network 192.168.1.0/24 to communicate with DMZ network 10.0.1.0/24 network with full communication, and limited comm from your DMZ back into your internal network.

You can take your pick of firewalls to do this, ranging from free (Linux IP tables machine) up to a Sonicwall, PIX, or Checkpoint.

Hope this helps.
0
 
LVL 10

Expert Comment

by:snerkel
ID: 14304568
I believe the OP got his answer from the site I posted a link for see http://adsltech.com/portal/forum/forum_posts.asp?TID=3326&KW=snerkel
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question