
Creating 2 Separate Networks With 1 Internet Line

Few months ago I assisted in setting up a small company with a network. Here are the details:

Internet -> T1 -> Pix 506E -> Catalyst 2950 -> Exchange Server / PCs

No fancy setup on the PIX, just rules to allow internet access and exchange server to run smoothly with OWA. Review my previous question : http://www.experts-exchange.com/Security/Firewalls/Q_21746285.html for more information.

Another company is in the process of being set up in the same office. We would like to split the existing T1 Internet access across 2 networks. At no time should Network 1 have access to Network 2 and vice versa. This I'm sure can be done by adding a router and another switch into the mix. However, there are a few issues I'm not sure of. Each company requires its own Exchange Server. Right now we have a single IP address from a default block from the ISP. I am currently in the process of filling out the allocation form for a larger block. If the proposed config below is acceptable, how do I configure the PIX and router for the Exchange Servers, where each requires SMTP as well as OWA via SSL? Also, what router would be recommended for this scenario? I would prefer to keep a uniform Cisco network.

Proposed Scenario :

                                      Catalyst 2950 -> Exchange Server / PCs (Currently 192.168.1.1 DHCP)
                                    /
Internet -> T1 -> PIX 506E -> Router
                                    \
                                      Catalyst 2950 -> Exchange Server / PCs (Proposed 192.168.20.1 DHCP)


The new company will be up and running from Monday and as such I need to have this information and need to start making purchases ASAP.

Thank you.
Asked by Eros18
1 Solution
 
RPPreacherCommented:
Use the 506E DMZ interface for the second network.

The exchange issue will be a problem.  I would host their mail at another site until you can expand the IP range and then add the Exchange server.
 
RPPreacherCommented:
Ooop... thinking of 515E.  No DMZ on 506E...

Your config would work; however, the exchange server is still an issue.
 
Eros18Author Commented:
Thanks for your reply RPPreacher.

As I said I'm currently in the process of obtaining a larger IP block, possibly 14 IPs from my ISP. This is a fact finding mission as of right now though it is an urgent matter. Any information in this regard is needed.

Thank you.

 
RPPreacherCommented:
Host the email with any one of 10,000 email hosting services until your IP ranging is increased.

http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=email+hosting&btnG=Google+Search
 
prashsaxCommented:
After you get 14 public IPs there will be no issues.

You can create a new zone on the PIX (just like a DMZ) and NAT their private LAN with a few of the newly acquired public IP addresses.

As for network A & B access to each other, that can be controlled easily on the PIX by ACL.

Publishing Exchange won't be a problem, all you need to do is to do a static NAT for both exchanges.

Create two pools of public IPs.
Say you have 15 public IP addresses.

One Public IP will be assigned to PIX outside interface.

Create a pool of 6 IP addresses for Network A. The 7th IP would be a static NAT for Exchange.
Similarly for Network B, create a pool of 6 IPs for dynamic NAT and one for a static NAT for Exchange.

If you need to publish any other server, you can use PAT for internet access instead of NAT.

With PAT you can save 6 IP addresses per network.

Just ask the customers about their internet needs and create IP pools accordingly (if one company requires more addresses than the other).

Just keep in mind, you can reassign public IPs to any network later on, but the IP for Exchange cannot be reassigned that easily, as it would be pointing to an MX record.

 
Eros18Author Commented:
Okay.

Let's say I already have my additional IP addresses. What router should I purchase? What configuration changes are required on the PIX 506E? Should I DHCP from the PIX, router or switches, or go static? If static, what range would be suitable? etc. These are really what I want to know.

Thank you.
 
lukecaCommented:
I might be wrong, but the PIX is not a T1 endpoint, right?  There is some sort of thing giving you an RJ45 off the T1, like an Adtran?  If there is, you just need to plug a switch into that, then get another PIX or whatever for the other network and put one of your 14 new IPs on the other router.  Leave your first network alone.

So it would be


                             PIX 506E -> Catalyst 2950 -> Exchange Server / PCs (Currently 192.168.1.1 DHCP)
                           /
Internet -> T1 -> Switch ->
                           \
                             New PIX 506E -> Catalyst 2950 -> Exchange Server / PCs (Proposed 192.168.20.1 DHCP)
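
Putting prashsax's static-NAT, PAT and ACL points onto the new PIX in lukeca's two-firewall layout, as an added example in PIX OS 6.3 syntax (not a configuration any poster supplied): the public addresses are RFC 5737 documentation placeholders standing in for the ISP block, the LAN is the proposed 192.168.20.0/24, and the Exchange address, DHCP range and DNS server are assumed values.

```cisco
! New PIX 506E for the second company (added example, PIX OS 6.3 syntax).
! Public addresses below are placeholders for the ISP-assigned block.
hostname pix-netB
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 203.0.113.18 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
! Default route to the ISP router on the shared handoff switch (placeholder).
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
! Exchange (assumed at 192.168.20.10) gets a one-to-one static; every other
! host shares a single public address via PAT, which saves the pool addresses.
static (inside,outside) 203.0.113.20 192.168.20.10 netmask 255.255.255.255 0 0
global (outside) 1 203.0.113.19
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
! Inbound from the outside: only SMTP and OWA over SSL to the Exchange static.
! Anything else, including traffic from the other company's PIX on the same
! ISP subnet, hits the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.20 eq 25
access-list outside_in permit tcp any host 203.0.113.20 eq 443
access-group outside_in in interface outside
! Mailguard (the SMTP fixup) strips ESMTP commands such as EHLO that
! Exchange relies on, so turn it off for the mail server to work cleanly.
no fixup protocol smtp 25
! One answer to the DHCP question: let the PIX serve the LAN. Keep the
! range clear of the statically addressed Exchange server. DNS is assumed.
dhcpd address 192.168.20.100-192.168.20.200 inside
dhcpd dns 203.0.113.17
dhcpd lease 3600
dhcpd enable inside
```

The existing PIX keeps its current configuration on 192.168.1.0/24 with its own public addresses; with no route or permit between the two outside interfaces, neither LAN can reach the other, which is the separation lukeca describes.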
 
Eros18Author Commented:
prashsax, I think that's what I was looking for. Recommendations on a suitable Cisco router? Something cost effective of course :)

Thanks.
 
Eros18Author Commented:
lukeca, the handoff to the PIX is an RJ45 coming from my provider's router in our building. Actually it's fiber to our floor, to a transceiver, to Ethernet.
 
lukecaCommented:
So I don't know why you would try to do all that ISP routing yourself; your ISP does it already. Just put a switch off the ISP's router and hook two PIXes into it.
 
Eros18Author Commented:
lukeca

I didn't pay enough attention to your initial suggestion as my mindset was geared on routing. Your proposal would basically mirror my existing setup and would require just the purchase of 2 switches and another PIX firewall and essentially let the ISP do the routing. Since the setup of network and servers would be similar I would also need only copy my existing PIX config to the new PIX with minor changes to IPs. Which would also let me utilize my IPs more freely.

Excellent !

Does anyone foresee any issues with this setup? (Refer to lukeca 6/10/2006 7:37AM Post)

Thanks,
Eros18
 
prashsaxCommented:
I don't see any need to buy a new PIX.

If both offices need to control their internet access, then maybe it's a good idea.

But, if only one IT person/team is going to manage it, you can easily do it with just a DMZ card for your existing PIX.

If you really need to purchase anything, then it would be some sort of Bandwidth controller.

Since both companies will share the same Internet connection, you need to make sure that one company is not using most of the bandwidth while the other company can't even send their mail.

Suppose an employee in one company started a huge download; it will eat up all the bandwidth, and the second company will suffer.

If you can afford it, buy a PacketShaper (from Packeteer). It's an excellent device to divide your bandwidth.

I think your companies will require some kind of guaranteed bandwidth.

I have no other advice other than this.
 
lukecaCommented:
Eros18, that's correct.  I'm only suggesting it this way as we have done it already with a couple of our clients, who sublease to other people.  The two firewalls keep the networks totally separate, unless you set up some sort of routing in between the two PIXes.  You could even run both networks on 192.168.1.1 if you wanted to, but I wouldn't do that if you have even remote plans of ever setting up routing between the two networks.
 
lukecaCommented:
Actually to keep things more organized I would not use 192.168.1.1 on both no matter what, I retract that comment :)
 
Eros18Author Commented:
lukeca, I decided to go with your recommendations. The only bothersome task was having the ISP move the new gateway interface from my existing public IP back down to their router. Reluctantly they did it; not sure why it was such a big deal. On an even more positive note, this new setup will be relocated in the near future to a new office to accommodate additional users, which will be a lot less work for me in the initial setup.

Thanks again !