Assistance with setting up network with firewall

Dear Experts,

I am designing a network and have the following hardware to work with:

1 x Netscreen 25 Firewall
2 x Cisco 1900 Switches
1 x Cisco Router with SDSL WIC

The requirements are:

- 5 servers (need to be accessed externally)
- 10 internal hosts
- I also need to terminate an IPSec tunnel

Could you suggest an addressing scheme for these and suggest how to split them up...

For example, do I put the servers in a DMZ?

Any help would be greatly appreciated.


ccreamer_22 Commented:
use the 10.x.x.x/8 network for your trusted side.
I suggest not going over a /24 bit mask for each vlan.
use the for your dmz addresses.
put the netscreen in nat mode (should be by default) so that when it goes out, it is seen as your untrust interface.
put your web server, ftp, and an owa box with some kind of mail virus scanning software and spam blocking software in your dmz
put your exchange box in your trust zone along with your domain controller and any other internal service such as VoIP, etc.
put your switches into a stack and configure 4-6 ports (however many you need for DMZ servers) as a separate vlan that does not have access to the rest of your vlans. This will be your dmz vlan.
The only thing that I can think of that you would want to use both ethernet cards for in your setup is possibly a RRAS server for VPN access. Set one card up in the dmz and allow pptp and gre to that server only. Set the other card up in your trust zone and set up dhcp for the VPNs on your DC. Other than that, I would only set up a computer on the network with 2 nic cards for intrusion detection, like snort. Otherwise, 2 nic cards in the same machine can make administration very rough. Try to keep it as simple a plan as possible. Map out and document everything.
If I were laying out this network, I'd use two internal networks - one INSIDE and one DMZ. For clarity of troubleshooting I like to clearly identify my DMZ, so I'd use something like /24 for the DMZ and maybe /24 for my INSIDE network. This gives you lots of room for growth on either network and will make troubleshooting easier, since you immediately know if it's a 192.168 IP it'll be a DMZ address and a 172.20.x.x will be INSIDE.
stsonline Commented:
BTW, your available IP addresses are referenced in RFC1918 - it gives you the private IP ranges that are authorized for internal networks... 10.x.x.x /8, through, and 192.168.x.x.
nkewney (Author) Commented:
Thanks stsonline...

In terms of the servers... I want to be able to have my internal clients connect to the domain and have them accessible outside also with external IPs.

How would you approach this (the servers have two network cards)


nkewney (Author) Commented:
Thanks stsonline

Yes I'd like to have the internal clients use the servers as domain controllers. Should I put everything in local?

Put your domain controllers on the local (INSIDE) network. Only servers providing Internet-accessible services (like HTTP, FTP, email) need to reside on the DMZ segment.

Are you planning to give each internal system an external IP address? Unless this is absolutely necessary for an application or service, why not "hide" all your internal clients behind a single external IP? It's a lot safer and preserves your external IPs for systems and services that require them.
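The layout the answers converge on (an INSIDE network and a DMZ on RFC1918 space, everything else UNTRUST, a 1:1 public-to-DMZ mapping only for the five externally reachable servers, internal clients hidden behind the single untrust interface IP, and the DMZ allowed into INSIDE only for a named host and service) as a runnable model. This is example code added to this page, not anything posted in the thread and not a NetScreen feature; the 10.20.0.0/24, 192.168.100.0/24 and 203.0.113.0/29 ranges, host roles, the `EXCHANGE` address and the policy list are constructed assumptions, and `evaluate` mimics the firewall's lookup order (static destination mapping, then zone-to-zone policy, then implicit deny) rather than ScreenOS itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for the layout the answers describe.
# Assumed values: 10.20.0.0/24 for INSIDE (trust), 192.168.100.0/24 for the DMZ,
# and 203.0.113.0/29 standing in for the public block the ISP would assign (untrust).
ZONES = {
    "trust": ipaddress.ip_network("10.20.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "untrust": ipaddress.ip_network("203.0.113.0/29"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Five externally reachable servers, each with one public IP mapped 1:1 to a DMZ host
# (ScreenOS calls this a MIP). Roles follow the first answer; addresses are assumed.
MIP = {
    "203.0.113.2": "192.168.100.10",  # web
    "203.0.113.3": "192.168.100.11",  # ftp
    "203.0.113.4": "192.168.100.12",  # OWA front end / mail relay
    "203.0.113.5": "192.168.100.13",  # RRAS VPN server, DMZ-side NIC
    "203.0.113.6": "192.168.100.14",  # spare public-facing server
}
HIDE_NAT_IP = "203.0.113.1"  # untrust interface address every INSIDE client is hidden behind
EXCHANGE = "10.20.0.20"      # assumed internal Exchange box the DMZ relay may reach


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst: str      # CIDR or "any"
    service: str  # service name or "any"
    action: str   # "permit" or "deny"


POLICIES = [
    Policy("untrust", "dmz", "192.168.100.10/32", "http", "permit"),
    Policy("untrust", "dmz", "192.168.100.11/32", "ftp", "permit"),
    Policy("untrust", "dmz", "192.168.100.12/32", "https", "permit"),
    Policy("untrust", "dmz", "192.168.100.12/32", "smtp", "permit"),
    Policy("untrust", "dmz", "192.168.100.13/32", "pptp", "permit"),
    Policy("untrust", "dmz", "192.168.100.13/32", "gre", "permit"),
    Policy("dmz", "trust", EXCHANGE + "/32", "smtp", "permit"),  # relay -> Exchange only
    Policy("trust", "dmz", "any", "any", "permit"),
    Policy("trust", "untrust", "any", "any", "permit"),
]


def zone_of(ip):
    """Map an address to a firewall zone; anything that is not ours is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"


def evaluate(src, dst, service):
    """Return (action, src_after_nat, dst_after_nat) for one inter-zone flow, in the
    order the firewall applies them: 1:1 destination mapping, zone policy, implicit deny."""
    real_dst = MIP.get(dst, dst)
    fz, tz = zone_of(src), zone_of(real_dst)
    if fz == tz:
        raise ValueError("same-zone traffic stays on the switch and never crosses the firewall")
    for p in POLICIES:
        if (p.from_zone, p.to_zone) != (fz, tz):
            continue
        if p.dst != "any" and ipaddress.ip_address(real_dst) not in ipaddress.ip_network(p.dst):
            continue
        if p.service not in ("any", service):
            continue
        # Outbound from INSIDE is source-translated to the single untrust interface IP.
        nat_src = HIDE_NAT_IP if (fz, tz) == ("trust", "untrust") else src
        return (p.action, nat_src, real_dst)
    return ("deny", src, real_dst)


def check_plan():
    """Sanity checks to run on the plan before typing it into the firewall; returns problems found."""
    problems = []
    for name in ("trust", "dmz"):
        net = ZONES[name]
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name} {net} is not an RFC1918 range")
        if net.prefixlen < 24:
            problems.append(f"{name} {net} is larger than a /24")
    if ZONES["trust"].overlaps(ZONES["dmz"]):
        problems.append("INSIDE and DMZ ranges overlap")
    for pub, priv in MIP.items():
        if zone_of(pub) != "untrust" or zone_of(priv) != "dmz":
            problems.append(f"MIP {pub} -> {priv} does not map a public IP to a DMZ host")
    for p in POLICIES:
        if (p.from_zone, p.to_zone) == ("dmz", "trust") and "any" in (p.dst, p.service):
            problems.append(f"DMZ->INSIDE policy {p} is too broad")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    for flow in [("198.51.100.7", "203.0.113.2", "http"),
                 ("192.168.100.10", "10.20.0.5", "smb"),
                 ("10.20.0.50", "198.51.100.7", "https")]:
        print(flow, "->", evaluate(*flow))
```

The point of the model is the second flow: a compromised web server in the DMZ trying to reach an INSIDE host (here a hypothetical domain controller at 10.20.0.5 over SMB) falls through every policy to the implicit deny, while the mail relay is still allowed to hand SMTP to the one Exchange host it needs. Run `check_plan()` again whenever the address plan or policy list changes; a DMZ-to-INSIDE rule written with "any" is flagged before it reaches the firewall.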
nkewney (Author) Commented:
Great help. Thanks.