Solved

How to configure 2 different networks in one office with the same public ip address?

Posted on 2011-03-09
Last Modified: 2012-05-11
Hi Experts:
I have a customer with a 192.168.1.0 network running Windows SBS 2003, Exchange Server and IIS. He wants to install a second server for a new business (Real Estate) in the same office, using the same public IP. The server will be another SBS 2003 with Exchange Server and IIS, but he wants it completely separate from the other business, which means we will need to use a different IP address inside the network.

Please advise.
Question by:chenzovicc
28 Comments
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35084853
I would say there's probably not much use in doing that if they're in the same building/office, provided you have enough IP addresses in the 192.168.1.0 range to accommodate the new systems adequately.

What kind of firewall do you have?

If you're running IIS and Exchange, and intend for them to be accessible from the outside world, you will need a second public IP address.
LVL 8

Expert Comment

by:GundogTrainer
ID: 35085269
You may find this causes some issues with DHCP, as if clients are on the same network without any physical or VLAN separation the client computers on one network may get incorrect DHCP settings.

Also if there is only 1 public IP address then incoming mail would only be able to go to 1 server.
That said, if you're able to use separate hubs\switches and connect another router, you could run, say, a 192.168.100.0/24 network with another router to connect to the existing network for internet.

After going to the expense of a dedicated server it would probably be easier to provision another internet feed or add a second public IP to the existing circuit.


Author Comment

by:chenzovicc
ID: 35086032
they have a Firewall Router WGT624 v3.
Gundog you mentioned:
That said, if you're able to use separate hubs\switches and connect another router, you could run, say, a 192.168.100.0/24 network with another router to connect to the existing network for internet.

Do you have some links on how to do it step by step?

Thanks
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35086757
That type of setup doesn't really lend itself well to a step-by-step guide - if you're not comfortable setting up these networking components it's probably in your best interest to contact a local IT professional to assist you.

I assume that IIS and Exchange on both servers need to be accessible from the outside world.  You will need a second public IP address if this is the case.  I'm inclined to agree with Gundog (http:#a35085269), and would recommend simply ordering a second, separate, internet connection from your cable company (or whoever you use) and setting up the new server & network just as you did for the first one.

If you must use the existing Internet connection for both networks, you're going to need a router/firewall that will allow you to assign multiple IP addresses to the WAN/Internet interface (a quick glance at the documentation for your current router seems to indicate it does not).  Something like a Cisco PIX/ASA or a SonicWall, for instance.  Most routers/firewalls at that level of complexity will let you set up multiple separate networks on the inside interfaces, so you won't need more than one router.

Author Comment

by:chenzovicc
ID: 35087306
I have set up Cisco PIX/ASA but never 2 WAN in a PIX/ASA. I will still need to have a Cisco switch to create VLANs and have different subnets, because he wants one business with different subnets from the other. They are 2 different companies.
Please advise
LVL 13

Expert Comment

by:kdearing
ID: 35088459
Definitely need 2 subnets (VLANs)

What router/firewall are you using now?
Many of the better ones will support multiple VLANs

Author Comment

by:chenzovicc
ID: 35089192
Firewall Router WGT624 v3.
I know this is not a good one so may need to purchase a better one maybe a PIX/ASA or I have a cisco 1900 enterprise edition in which I can create VLANS.
LVL 13

Expert Comment

by:kdearing
ID: 35089268
OK, the 1900 is good, now you just need a good firewall/router.
An ASA5505 is a good choice.
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35094994
>> I have set up Cisco PIX/ASA but never 2 wan in a PIX/ASA.
I'm talking about two different public IP addresses on the same physical WAN interface, which would be the case if the two companies share the same internet connection.  If they're going to use separate internet connections, really you probably just need another Netgear/Linksys router and a switch for the new company.

>> I will still need to have a cisco switch to create VLANS
Or use separate switches.
LVL 13

Assisted Solution

by:kdearing
kdearing earned 150 total points
ID: 35095227
The original post said they would use the same public IP...or did I miss something.
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35095543
Yes, you must have missed that he wants to run two web servers and two mail servers, which can't be done with a single public IP address. ;)
LVL 13

Expert Comment

by:kdearing
ID: 35095756
@ tgerbert    You're right, I did miss that.

Author Comment

by:chenzovicc
ID: 35132035
Hi guys. I already spoke to my customer who has VERIZON as his internet provider and he will get another ip address, now how do you route every public ip to their different subnet? For example if I have
1.- Public ip 100.108.1.90-----------------To 192.168.1.0
2.- Public ip 100.108.1.88-----------------To 172.16.0.0
Can you please advise as I have never done this before.

Thanks.
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35132308
You won't be able to with the router you have now (if I understand correctly, you're getting a second IP address and not a second internet connection from Verizon).

The details will be dependent on the router and firewall you use.  Here's an example of a PIX configuration - note that in this config I'm assuming you have a layer-3 switch with two VLANs on it, whose IP address is 192.168.1.2.

```
clear configure all
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname whatever
domain-name whatever.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!-- This access list allows incoming TCP traffic from any source to the
!-- hosts .90 and .88, and only on the www (80) and smtp (25) ports.
!-- On PIX 6.x the inbound list is written against the public (pre-NAT) address.
access-list acl_inbound permit tcp any host 100.108.1.90 eq www
access-list acl_inbound permit tcp any host 100.108.1.90 eq smtp
access-list acl_inbound permit tcp any host 100.108.1.88 eq www
access-list acl_inbound permit tcp any host 100.108.1.88 eq smtp

pager lines 22
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500

!-- The outside interface's address will be given to you by the ISP
!-- I will assume it's the lower-numbered address
ip address outside 100.108.1.88 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

!-- All outbound traffic will appear to originate from
!-- whatever IP address is assigned to the outside interface
global (outside) 1 interface
!-- NAT exemption: no access-list named NONAT is defined anywhere in this
!-- config, so either define one (traffic that must not be translated,
!-- e.g. a VPN) or remove this line.
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!-- Map incoming connections for 100.108.1.90 on the www and smtp ports
!-- to the internal host 172.16.0.10, and for 100.108.1.88 to 192.168.1.10
static (inside,outside) tcp 100.108.1.90 www 172.16.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.90 smtp 172.16.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.88 www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.88 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

!-- apply the access-list defined earlier to traffic coming in on the outside interface
access-group acl_inbound in interface outside

!-- The default route for outbound traffic - the next hop is the ISP's
!-- gateway address (provided by your ISP); the address shown here is the
!-- PIX's own outside address from above and must be replaced with the gateway
route outside 0.0.0.0 0.0.0.0 100.108.1.88 1

!-- The pix will already know how to get to 192.168.1.0 since
!-- it's a directly connected network, but need to explicitly
!-- tell it how to get to 172.16.0.0, which is by way of the
!-- layer-3 switch whose IP address is 192.168.1.2
route inside 172.16.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server local protocol tacacs+
aaa-server local max-failed-attempts 3
aaa-server local deadtime 10
!-- PDM/HTTPS management reachable from any inside address
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
!-- "public" is the factory-default community string; change it or leave SNMP unused
snmp-server community public
no snmp-server enable traps
floodguard enable
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
```

Author Comment

by:chenzovicc
ID: 35133402
I appreciate your reply tgerbert, and I thank you for providing the configuration for the PIX, which I did not know how to do before. But now the problem is that this customer does not want to spend money on a PIX/ASA; he wants something cheaper. Do you have any other suggestions, and where to modify the configuration?

Thanks
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35133433
Unless you simply get a second internet connection from Verizon and leave the two networks totally separate, I don't think you have any choice but to use a higher-end router, all of which I'd expect will cost about the same.  I guess it's a matter of perspective, but I don't think such routers/firewalls are terribly expensive, ~$500 I think.

Author Comment

by:chenzovicc
ID: 35133519
I agree with you but this guy is a cheap person.
LVL 13

Expert Comment

by:kdearing
ID: 35133647
Put it to him like this:

Either a one-time cost of ~$500 plus maybe $5-10/month for extra IPs
or
$60-100 per month for another circuit
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35139265
>> I agree with you but this guy is a cheap person

I know the type, and if he's anything like my boss he also has no problem spending $10,000 for a gold-plated titanium toilet seat.

Anywho...kdearing put it perfectly, those are really your only two options.

Author Comment

by:chenzovicc
ID: 35153881
1.- Let's assume that we do not have a Cisco switch, as my customer is not willing to get one, but a regular switch.
2.- Will this configuration work with a Cisco PIX501?
3.- If my customer buys a PIX/ASA, do we still need the Cisco switch, or can we only buy a Linksys switch?
LVL 13

Expert Comment

by:kdearing
ID: 35154046
Yes, with a separate internet circuit and a small switch.
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35156560
2. Not as-is - I believe the PIX501 only supports a single VLAN on the inside interfaces.
3. Maybe. If the ASA you get will let you assign the inside interfaces to different VLANS (and give them different inside IP addresses), then you should only need a basic Linksys switch; if the firewall only supports one inside IP address, then you will need a switch that is layer-3 capable to route between 192.168.1.0 and 172.16.0.0.

Author Comment

by:chenzovicc
ID: 35157995
Let me ask you. Can I use the CISCO PIX501 and a cisco switch layer 3 and it will work?
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35158036
Yes.

Author Comment

by:chenzovicc
ID: 35167548
I was checking on the switch I have, and it is a Cisco 1912 with 12 ports. I have enterprise edition and I can create VLANs, and according to the book this switch is a layer 2, not a layer 3, as we were talking.
Can you please advise what config I should do on the switch, if this is the correct switch?

Please advise
LVL 33

Accepted Solution

by:
Todd Gerbert earned 350 total points
ID: 35168475
You're beginning to extend yourself a little beyond a single 500-point question. ;)

"How do I configure a computer network" is a wee-bit too broad of a question for this type of forum - I believe your original question has been answered (and then some), plus I need to move on from this question, so I recommend you consult a network professional and/or report back here with more specific questions should you have any.

Computer networking is a complex task, and so there are a billion variations to this suggestion, and setting it up correctly will require a pretty decent understanding of layer 2 VLAN'ing, IP addressing and routing - unfortunately I really don't have the attention span to cover all the background knowledge you'll need to successfully implement this. =)

You need a layer-3 switch because you need to be able to route between the VLANs, and if memory serves the 1912 does not do that.

This diagram depicts what I'm envisioning (hopefully I didn't screw up the picture), and this is basically how the routing works:
Incoming traffic for 100.108.1.90
The PIX maps 100.108.1.90 to 192.168.1.3
The PIX knows 192.168.1.0/0 is connected to the inside interface
Traffic goes out the inside interface, reaches the switch, the switch knows 192.168.1.3 is on port 1

Incoming traffic for 100.108.1.88
The PIX maps 100.108.1.88 to 172.16.0.2
The PIX has a static route defined, so it knows to send traffic destined for 172.16.0.0/0 to 192.168.1.2
The PIX knows how to get to 192.168.1.2 because it's on a directly-connected interface
192.168.1.2 knows how to get to 172.16.0.0/0 because it's a direct interface
172.16.0.1 knows that 172.16.0.2 is on port 13

Outgoing from 192.168.1.3
The default route is the PIX

Outgoing from 172.16.0.2
Default route is 172.16.0.1
172.16.0.1 default route is 192.168.1.1
172.16.0.1 knows how to reach 192.168.0.0 because it's direct connected
[Attachment: NetDiagram.jpg]
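The inbound path laid out in the PIX configuration post (ID 35132308) and in the routing walk-through above, as an added example that is not code from the thread: it parses the access-list, static and route lines (an excerpt constructed from that post, with its addresses) and traces a packet the way a PIX 6.x evaluates it, outside ACL against the public address, static port translation, then longest-prefix route lookup toward the inside host; it also goes one step beyond the thread and reports permit entries with no static behind them and statics that no ACL exposes. The port-name table and the `port` helper are this example's own assumptions.

```python
import ipaddress

# Constructed excerpt of the PIX config posted in the thread (same addresses).
PIX_CONFIG = """
access-list acl_inbound permit tcp any host 100.108.1.90 eq www
access-list acl_inbound permit tcp any host 100.108.1.90 eq smtp
access-list acl_inbound permit tcp any host 100.108.1.88 eq www
access-list acl_inbound permit tcp any host 100.108.1.88 eq smtp
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp 100.108.1.90 www 172.16.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.90 smtp 172.16.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.88 www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 100.108.1.88 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 100.108.1.88 1
route inside 172.16.0.0 255.255.255.0 192.168.1.2 1
"""
PORT_NAMES = {"www": 80, "smtp": 25}            # PIX port keywords used in the config
port = lambda tok: PORT_NAMES.get(tok) or int(tok)  # keyword or numeric port -> int

def parse(config):
    """Return (acl entries, static translations, routes) from PIX 6.x config lines."""
    acl, statics, routes = set(), {}, []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[2] == "permit":
            acl.add((f[3], f[6], port(f[8])))               # (proto, public ip, port)
        elif f[0] == "static":
            statics[(f[2], f[3], port(f[4]))] = (f[5], port(f[6]))
        elif f[0] == "route":                                # (network, next hop, iface)
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4], f[1]))
        elif f[:2] == ["ip", "address"]:                     # directly connected network
            net = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
            routes.append((net, "connected", f[2]))
    return acl, statics, routes

def trace_inbound(config, proto, dst_ip, dst_port):
    """Walk one inbound packet: outside ACL (checked on the public address, as PIX 6.x
    does), static port translation, then longest-prefix route lookup for the inside host."""
    acl, statics, routes = parse(config)
    if (proto, dst_ip, dst_port) not in acl:
        return "denied by acl_inbound"
    if (proto, dst_ip, dst_port) not in statics:
        return "permitted but no static translation"
    inside_ip, inside_port = statics[(proto, dst_ip, dst_port)]
    host = ipaddress.ip_address(inside_ip)
    net, via, iface = max((r for r in routes if host in r[0]), key=lambda r: r[0].prefixlen)
    return f"{inside_ip}:{inside_port} via {via} on {iface} ({net})"

def dangling_rules(config):
    """Permit entries with no static behind them, and statics no ACL lets traffic reach."""
    acl, statics, _ = parse(config)
    return sorted(acl - set(statics)), sorted(set(statics) - acl)
```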

Author Closing Comment

by:chenzovicc
ID: 35169488
Thanks guys for your help.
On one of your postings you mentioned that the 1900 switch was good for the VLANs and now you mention that it does not have enough memory, tgerbert. I am sorry if you feel upset, but I can ask as many questions as I like because I am paying for it. You have the option not to reply, but on your last posting you answered my question completely with a nice explanation and a drawing, now I got it.

Thanks.
LVL 33

Expert Comment

by:Todd Gerbert
ID: 35169862
No worries - not upset - just starting to lose track of where we are in this discussion, makes it hard to give accurate advice - I am the poster child of Adult ADD. ;)

kdearing suggested the 1912 might work, not me, and he may be 100% right. I was going off memory on that - and thought you had commented that it was only layer 2. I poked around a bit on Cisco's site, and I'm still not sure - if the switch isn't currently being used I would just set up a simple test network (I thought I remembered trying to do just about the same thing with my 1912 and couldn't because it didn't support InterVLAN routing, but maybe that's just because mine wasn't Enterprise - or possibly not even a 1912).

You also could use two crappy switches, and a separate router to get from one network to the other.

Also, keep in mind that while you may pay Experts Exchange for use of their site, you don't pay us - we're all volunteers, the only compensation we get is points. I'm happy to help, enjoy that your questions challenge me, and I've learned a lot in the process of helping other people.  But I'm greedy and would prefer askers of questions post many small questions instead of one big one so I can rack up the points. :-)