Networking a small office from ADSL to a firewall then to MPLS network?

I'm not a network guru, hence the reason for my question. I have an ADSL line into our offices connecting to a Linksys ADSL router (IP: 80.235.213.220) which I will connect to a WatchGuard X500 firewall. Do I NAT at the ADSL router to an internal IP address? My internal IP range is 172.22.23.xx. Also on the WatchGuard there will be an MPLS network, see attached diagram. What I don't want to happen is to NAT to an internal network address which will then connect to the firewall, and anyone coming through the firewall can go directly on to the MPLS, creating a bridge. Can anyone advise me on how to make this secure?
ADSL.jpg
CaussyR Asked:
dpk_wal Commented:
If possible configure Linksys in bridge mode; or if possible get some cheap modem which can do ADSL to ethernet conversion and then get public IP on the WAN interface of x550e.

One thing I am confused about is:
>> Port 2 on the firewall would be connected to the office on 172.22.23.xx using the firewall address of 172.21.5.3 as a gateway.  

>> Port 3 on the firewall will be connected to the MPLS on a 172.22.23.xx address but a rule on the firewall will only allow the range of office IP addresses through to the MPLS.

You cannot have two ports of the firewall in the same IP subnet; maybe this is a typo; if so then the settings look fine.

Thank you.
dpk_wal Commented:
I would suggest you to terminate the public IP address at X550 untrust (or WAN) interface; put the modem in bridge mode.
If you do not wish to do this and plan to deploy firewall in drop-in mode then that is a good configuration as well; and you need not terminate public IP on WAN interface in that case.

I am assuming that MPLS and the other internal network would be terminating on different physical ports on firewall; if this is the case, then the traffic from one port to another would be allowed/denied based on the policy you configure. So, you can decide on the level of access.

Thank you.
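As an added illustration of dpk_wal's two points (two firewall ports cannot share a subnet, and what reaches the MPLS port from any other port is only what the inter-port policy permits), here is a small Python model of the port plan and a default-deny policy. This is not code from the thread or from WatchGuard; the port names, the corrected MPLS subnet and the test addresses are assumptions.

```python
import ipaddress

# Constructed port plan following the thread: port 1 faces the Linksys (WAN),
# port 2 the office LAN, port 3 the MPLS link. The MPLS host address is a
# placeholder; the thread only says it is "a 172.22.23.xx address".
DRAFT_PLAN = {
    "port1_wan": ipaddress.ip_interface("172.21.5.3/24"),
    "port2_office": ipaddress.ip_interface("172.22.23.1/24"),
    "port3_mpls": ipaddress.ip_interface("172.22.23.254/24"),
}
# Same plan with the MPLS port moved to its own (assumed) subnet.
FIXED_PLAN = dict(DRAFT_PLAN, port3_mpls=ipaddress.ip_interface("172.22.24.1/24"))

# Inter-port policy rows: (ingress port, egress port, permitted source networks).
# A packet matching no row is dropped, so WAN -> MPLS is never forwarded.
POLICY = [
    ("port2_office", "port3_mpls", [ipaddress.ip_network("172.22.23.0/24")]),
    ("port2_office", "port1_wan", [ipaddress.ip_network("172.22.23.0/24")]),
]

def overlapping_ports(plan):
    """Pairs of ports whose subnets overlap; the firewall cannot route between them."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].network.overlaps(plan[b].network)]

def egress_port(plan, dst_ip):
    """Port whose subnet contains dst_ip; anything else leaves via the WAN port."""
    dst = ipaddress.ip_address(dst_ip)
    for name, iface in plan.items():
        if name != "port1_wan" and dst in iface.network:
            return name
    return "port1_wan"

def permitted(plan, ingress, src_ip, dst_ip):
    """True if a packet arriving on `ingress` from src_ip may be forwarded to dst_ip.
    The zone is the physical ingress port, not the source address, so a
    172.22.23.x source arriving on the WAN port is still treated as external."""
    src = ipaddress.ip_address(src_ip)
    egress = egress_port(plan, dst_ip)
    if egress == ingress:
        return False  # same segment: nothing for the firewall to forward
    return any(ingress == i and egress == e and any(src in n for n in nets)
               for i, e, nets in POLICY)

if __name__ == "__main__":
    print("draft plan overlaps:", overlapping_ports(DRAFT_PLAN))
    print("fixed plan overlaps:", overlapping_ports(FIXED_PLAN))
    print("office -> MPLS:", permitted(FIXED_PLAN, "port2_office", "172.22.23.10", "172.22.24.20"))
    print("internet -> MPLS:", permitted(FIXED_PLAN, "port1_wan", "203.0.113.5", "172.22.24.20"))
    print("spoofed office src on WAN -> MPLS:", permitted(FIXED_PLAN, "port1_wan", "172.22.23.10", "172.22.24.20"))
```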
Korbus Commented:
I would suggest:

Do not configure your router to do NAT. Leave that task to your firewall.
In fact, I believe your firewall can perform just fine as a router. I would connect it directly to your internet connection, and remove your router.

Do you have incoming MPLS traffic from the internet? If not, then nothing to worry about, you don't need to open a hole in the firewall.

Incoming traffic: if you have need for incoming traffic (originating on the internet), you will need to open a hole in your firewall for that, probably using "port forwarding".

CaussyR (Author) Commented:
Thank you both for your ideas.

Unfortunately, the WatchGuard X500 does not support ADSL directly, therefore that is why I have had to purchase a Linksys WRT54G2 to connect the incoming ADSL line to it and then to the firewall.

From what I can gather, the internet traffic will be coming in on IP: 80.235.213.xx. The Linksys has 4 other ethernet ports. One port on the Linksys will be connected to the firewall. Port 1 on the firewall will be on IP: 172.21.5.3. How does the ADSL router connect to the firewall IP address of 172.21.5.3? I thought I might need NATting configured to make sure that the firewall and the router were on the same subnet, or am I very wrong?

Port 2 on the firewall would be connected to the office on 172.22.23.xx using the firewall address of 172.21.5.3 as a gateway.

Port 3 on the firewall will be connected to the MPLS on a 172.22.23.xx address but a rule on the firewall will only allow the range of office IP addresses through to the MPLS.

Is this the right train of thought?