
Networking a small office from ADSL to a firewall then to MPLS network ?

Posted on 2009-04-26
Last Modified: 2012-05-06
I'm not a network guru, hence my reason for my question.  I have an ADSL line into our offices connecting to a Linksys ADSL router (IP : 80.235.213.220) which I will connect to a WatchGuard X500 firewall. Do I NAT at the ADSL router to an internal IP address ? My internal IP range is 172.22.23.xx. Also on the WatchGuard there will be an MPLS network, see attached diagram. What I don't want to happen is to NAT to an internal network address which will then connect to the firewall and anyone coming through the firewall can go directly on to the MPLS, creating a bridge. Can anyone advise me on how to make this secure ?
ADSL.jpg
Question by:CaussyR

Expert Comment

by:dpk_wal
ID: 24236816
I would suggest you terminate the public IP address at the X550 untrust (or WAN) interface; put the modem in bridge mode.
If you do not wish to do this and plan to deploy the firewall in drop-in mode then that is a good configuration as well; and you need not terminate the public IP on the WAN interface in that case.

I am assuming that MPLS and the other internal network would be terminating on different physical ports on firewall; if this is the case, then the traffic from one port to another would be allowed/denied based on the policy you configure. So, you can decide on the level of access.

Thank you.

Expert Comment

by:Korbus
ID: 24236836
I would suggest:

Do not configure your router to do NAT.  Leave that task to your firewall.  
In fact, I believe your firewall can perform just fine as a router.  I would connect it directly to your internet connection, and remove your router.

Do you have incoming MPLS traffic from the internet?  If not, then nothing to worry about, you don't need to open a hole in the firewall.

Incoming traffic:  if you have need for incoming traffic (originating on the internet), you will need to open a hole in your firewall for that, probably using "port forwarding".


Author Comment

by:CaussyR
ID: 24236965
Thank you both for your ideas.

Unfortunately, the WatchGuard X500 does not support ADSL directly, therefore that's why I have had to purchase a Linksys WRT54G2 to connect the incoming ADSL line to it and then to the firewall.

From what I can gather, the internet traffic will be coming in on IP : 80.235.213.xx.  The Linksys has 4 other ethernet ports.  One port on the Linksys will be connected to the firewall.  Port 1 on the firewall will be on IP : 172.21.5.3. How does the ADSL router connect to the firewall IP address of 172.21.5.3 ? I thought I might need NATing configured to make sure that the firewall and the router were on the same subnet, or am I very wrong.

Port 2 on the firewall would be connected to the office on 172.22.23.xx using the firewall address of 172.21.5.3 as a gateway.  

Port 3 on the firewall will be connected to the MPLS on a 172.22.23.xx address but a rule on the firewall will only allow the range of office IP addresses through to the MPLS.

Is this the right train of thought ?

Accepted Solution

by:
dpk_wal earned 1500 total points
ID: 24240879
If possible configure Linksys in bridge mode; or if possible get some cheap modem which can do ADSL to ethernet conversion and then get public IP on the WAN interface of x550e.

One thing which I am confused about is:
>> Port 2 on the firewall would be connected to the office on 172.22.23.xx using the firewall address of 172.21.5.3 as a gateway.  

>> Port 3 on the firewall will be connected to the MPLS on a 172.22.23.xx address but a rule on the firewall will only allow the range of office IP addresses through to the MPLS.

You cannot have two ports of the firewall in the same IP subnet; maybe this is a typo; if so then the settings look fine.

Thank you.
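
The subnet rule from the accepted answer and the port-to-port policy both experts describe, as an added example that is not part of the original thread. It checks an interface plan for ports that share a subnet, then evaluates a default-deny policy by ingress port. The port names, /24 masks, host octets and the 172.22.24.0/24 MPLS subnet are assumptions; only the 172.21.5.3 and 172.22.23.xx addresses come from the posts.

```python
import ipaddress
from itertools import combinations

# Constructed plans. Addresses follow the thread; the /24 masks, host octets
# and the 172.22.24.0/24 MPLS subnet are assumptions made for this example.
PLAN_AS_POSTED = {
    "external": "172.21.5.3/24",   # Port 1, towards the ADSL router
    "office": "172.22.23.1/24",    # Port 2
    "mpls": "172.22.23.2/24",      # Port 3, same subnet as Port 2
}
PLAN_CORRECTED = dict(PLAN_AS_POSTED, mpls="172.22.24.1/24")

# (ingress port, egress port, permitted source range); anything else is denied.
POLICY = [("office", "mpls", "172.22.23.0/24")]


def overlapping_ports(plan):
    """Return the pairs of ports whose interface subnets overlap."""
    nets = {p: ipaddress.ip_interface(a).network for p, a in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def egress_port(plan, dst):
    """Route lookup: the port whose subnet holds dst, else the default route."""
    addr = ipaddress.ip_address(dst)
    for port, iface in plan.items():
        if port != "external" and addr in ipaddress.ip_interface(iface).network:
            return port
    return "external"


def is_allowed(plan, policy, in_port, src, dst):
    """Decide one flow by the port it arrived on, not by its claimed source."""
    if overlapping_ports(plan):
        raise ValueError("two ports share a subnet; routing is ambiguous")
    out_port = egress_port(plan, dst)
    for rule_in, rule_out, sources in policy:
        if (rule_in, rule_out) == (in_port, out_port) and \
                ipaddress.ip_address(src) in ipaddress.ip_network(sources):
            return True
    return False  # default deny


if __name__ == "__main__":
    print("overlaps as posted:", overlapping_ports(PLAN_AS_POSTED))
    print("office -> MPLS:", is_allowed(
        PLAN_CORRECTED, POLICY, "office", "172.22.23.50", "172.22.24.10"))
    print("Internet -> MPLS:", is_allowed(
        PLAN_CORRECTED, POLICY, "external", "198.51.100.7", "172.22.24.10"))
```

Because the decision keys on the ingress port, a packet arriving on the external port is denied even when it claims an office source address.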