CaussyR
asked on
Networking a small office from ADSL to a firewall then to MPLS network ?
I'm not a network guru, hence my reason for my question. I have an ADSL line into our offices connecting to a Linksys ADSL router (IP: 80.235.213.220) which I will connect to a WatchGuard X500 firewall. Do I NAT at the ADSL router to an internal IP address? My internal IP range is 172.22.23.xx. Also on the WatchGuard there will be an MPLS network, see attached diagram. What I don't want to happen is to NAT to an internal network address which will then connect to the firewall, and anyone coming through the firewall can go directly on to the MPLS, creating a bridge. Can anyone advise me on how to make this secure?
ADSL.jpg
I would suggest:
Do not configure your router to do NAT. Leave that task to your firewall.
In fact, I believe your firewall can perform just fine as a router. I would connect it directly to your internet connection, and remove your router.
Do you have incoming MPLS traffic from the internet? If not, then nothing to worry about, you don't need to open a hole in the firewall.
Incoming traffic: if you have need for incoming traffic (originating on the internet), you will need to open a hole in your firewall for that, probably using "port forwarding".
ASKER
Thank you both for your ideas.
Unfortunately, the WatchGuard X500 does not support ADSL directly, which is why I have had to purchase a Linksys WRT54G2 to connect the incoming ADSL line to it and then to the firewall.
From what I can gather, the internet traffic will be coming in on IP: 80.235.213.xx. The Linksys has 4 other ethernet ports. One port on the Linksys will be connected to the firewall. Port 1 on the firewall will be on IP: 172.21.5.3. How does the ADSL router connect to the firewall IP address of 172.21.5.3? I thought I might need NATting configured to make sure that the firewall and the router were on the same subnet, or am I very wrong?
Port 2 on the firewall would be connected to the office on 172.22.23.xx using the firewall address of 172.21.5.3 as a gateway.
Port 3 on the firewall will be connected to the MPLS on a 172.22.23.xx address, but a rule on the firewall will only allow the range of office IP addresses through to the MPLS.
Is this the right train of thought ?
ASKER CERTIFIED SOLUTION
If you do not wish to do this and plan to deploy the firewall in drop-in mode, then that is a good configuration as well, and you need not terminate a public IP on the WAN interface in that case.
I am assuming that the MPLS and the other internal network would be terminating on different physical ports on the firewall; if this is the case, then the traffic from one port to another would be allowed/denied based on the policy you configure. So, you can decide on the level of access.
Thank you.
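The point both answers make, that the firewall (not the ADSL router) holds the NAT/port-forward rules and that traffic between the office port and the MPLS port is governed purely by per-port policy with an implicit deny, is easier to reason about with a small model. The following is an added example written for this page, not WatchGuard configuration syntax and not code from anyone in the thread. It simulates three firewall interfaces (external behind the Linksys, office, MPLS), an anti-spoofing check on each ingress interface, a routing lookup to find the egress interface, and a first-match policy. The MPLS remote-site range (10.0.0.0/8), the internal mail host (172.22.23.25) and the sample packets are all assumptions constructed for the example.

```python
"""Interface-based firewall policy simulation (added example, not WatchGuard syntax).

Models the three-port layout from the thread: an external port behind the
Linksys ADSL router, an office (trusted) port and an MPLS port. Every packet
is checked against an anti-spoofing table, routed to an egress interface,
then matched first-hit against the policy; anything unmatched is denied.
The MPLS remote-site range (10.0.0.0/8) and the internal mail host
(172.22.23.25) are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    in_iface: str
    out_iface: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def net(s: str) -> IPv4Network:
    return ip_network(s)


# Source ranges that are legitimate on each ingress interface. Private
# ranges arriving on "ext" are spoofed by definition and are dropped before
# any policy rule is consulted, so a forged office address cannot be used
# from the internet to reach the MPLS side.
LEGIT_SRC = {
    "office": [net("172.22.23.0/24")],
    "mpls": [net("10.0.0.0/8")],          # assumed remote-site range
    "ext": [net("0.0.0.0/0")],
}
SPOOFED_ON_EXT = [net("172.22.23.0/24"), net("10.0.0.0/8"), net("172.21.5.0/24")]

# Routing table, most specific prefix first: destination -> egress interface.
ROUTES = [
    (net("172.22.23.0/24"), "office"),
    (net("10.0.0.0/8"), "mpls"),
    (net("0.0.0.0/0"), "ext"),
]

# First match wins. There is deliberately no rule from ext to mpls, so the
# internet can never be bridged onto the MPLS cloud. The inbound rule is
# evaluated after the firewall's own DNAT, i.e. dst is already the internal host.
POLICY = [
    Rule("office-to-mpls", "office", "mpls", net("172.22.23.0/24"), net("10.0.0.0/8"), None, "allow"),
    Rule("office-to-internet", "office", "ext", net("172.22.23.0/24"), net("0.0.0.0/0"), None, "allow"),
    Rule("inbound-smtp", "ext", "office", net("0.0.0.0/0"), net("172.22.23.25/32"), 25, "allow"),
]


def egress_iface(dst: IPv4Address) -> str:
    for prefix, iface in ROUTES:
        if dst in prefix:
            return iface
    raise ValueError("no route")  # unreachable while a default route is present


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for a packet arriving on pkt.in_iface."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.in_iface == "ext" and any(src in n for n in SPOOFED_ON_EXT):
        return "deny", "anti-spoof: private source on external interface"
    if not any(src in n for n in LEGIT_SRC[pkt.in_iface]):
        return "deny", f"anti-spoof: {src} not expected on {pkt.in_iface}"
    out = egress_iface(dst)
    if out == pkt.in_iface:
        return "deny", "not forwarded: destination is on the ingress interface"
    for r in POLICY:
        if (r.in_iface == pkt.in_iface and r.out_iface == out
                and src in r.src and dst in r.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, f"rule {r.name}"
    return "deny", f"implicit deny ({pkt.in_iface} -> {out})"


SAMPLE_TRAFFIC = [  # constructed for the example
    Packet("office", "172.22.23.10", "10.1.1.1", 445),    # office -> MPLS site
    Packet("ext", "203.0.113.5", "10.1.1.1", 445),         # internet -> MPLS (the "bridge")
    Packet("ext", "203.0.113.5", "172.22.23.25", 25),      # forwarded SMTP after DNAT
    Packet("ext", "172.22.23.10", "10.1.1.1", 445),        # forged office source from internet
    Packet("mpls", "10.1.1.1", "172.22.23.10", 445),       # MPLS site -> office desktop
]

if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        action, why = evaluate(p)
        print(f"{p.in_iface:6} {p.src:>14} -> {p.dst:>14}:{p.dport:<4} {action:5} ({why})")
```

Running it shows only the office-to-MPLS and the explicitly forwarded SMTP packets allowed; the direct internet-to-MPLS attempt, the forged office source on the external port, and the unsolicited MPLS-to-office packet all hit the anti-spoofing check or the implicit deny. If the ADSL router did the NAT instead, the firewall would see every internet flow arriving with the router's address as source and could no longer distinguish forwarded services from everything else, which is the reason the first answer leaves NAT to the firewall.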