Solved

Networking, CIDR Routing + TMG2010

Posted on 2013-01-18
7
713 Views
Last Modified: 2013-05-19
Mission: Integrate new CIDR block.

I have recently been assigned a CIDR Block. This block will have 32 IPs in it and I need to setup the routing/nating.

Here is what i have now: 1xTMG2010 Server this server is currently used as my gateway/edge firewall, NAT, router - very similar to a Sonicwall or Netscreen.

The above scenario works like this:

1) Public IPs assigned to 1 network interface on my TMG server (64.80.x.x)
2) 1 Netgear Switch (TMG server is plugged into it)
3) Second NIC on my TMG server with a range of 192.168.1.x

The above is working as expected, i ordered more IPs because i am setting up new servers and need the additional IPs.

Here is what i need to accomplish:

I have a Netgear FVS336G, and of course my TMG server. I now need to setup CIDR based routing. I have been told by cox that if i want anymore than 8 ips i have to have my own routing hardware. << My Netgear FVS firewall does support this.

My new block is as follows:

Customer:
68.xxx.xxx.65 < Gateway
255.255.255.224 < Mask
Usable: 68.xxx.xxx.66-92

WAN:
57.224.xxx.100 : WAN IP
255.255.255.240 : Mask
57.224.xxx.97: Gateway


Internal Network: (Stays the same) All of my servers are connected on the internal network.
192.168.1.x
255.255.255.255.0
192.168.1.225 < TMG Server, This is what i currently point my client PCs to for the default gateway.

I want to accomplish the following: 1) Have all traffic pass through both firewalls (TMG + Netgear) 2) Double-NAT is not an acceptable solution

The Netgear firewall (WAN Side) will be the device that is connected to the Cable Modem, The TMG firewall will be connected to the (LAN Side) of the firewall.

I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Can i assign 1 of my "Public IPs" on my (LAN Side) of the firewall?

And then the rest of them on my "TMG External NIC" that is connected to the LAN side of my firewall?

Thats where i am getting lost since i cant use Double-NAT but i still want to use my TMG firewall.

Sorry if this is confusing i am having a hard time understanding how to make this work correctly and am so hoping someone can assist....

Thanks....
0
Comment
Question by:castellansolutions
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 38795712
I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Does your router support 1 to 1 NAT?
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 38795754
Yes. It does. Here is what i tried:

1) I set the ISPs WAN IP on my WAN1 port of the Netgear, i plugged that in to the cable modem.
2) I set the LAN Port on the netgear to my WAN IP
3) I enabled Classical Routing

I cannot ping anything from my laptpo which i set to 1 one of my other Public IPs. So it didnt work at all. If i enable NAT then it all works as expected except i get the external IP of my ISP. And not my static IPs.

This is with my laptop and nothing else in between.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795769
Wait, you are setting Public IP's on all your devices? Including your laptops? No wonder I was getting confused.


How many devices do you need to ping from the outside? IE. device you "DO NOT" want to be protected by your firewall.

This is in effect what you are doing when you give a device a public ip address directly. You also need to give that same device the ISP's DNS servers as well as the proper gateway.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 68

Expert Comment

by:Qlemo
ID: 38798250
Set up the Netgear to route inbound traffic for the network 68.xxx.xxx.64/27 to the "public" NIC of your TMG. You can still implement firewall rules on Netgear, if needed, but TMG should be the "main" firewall, as it controls the NATting.

On TMG implement 1:1 NAT (or service based NAT, whatever you intend to do). For 1:1 NAT see http://www.isaserver.org/tutorials/Configuring-One-to-One-NAT-TMG-2010.html .

If done correctly, public IPs are mapped to private IPs back and forth. Tests from inside might not work, depending on how the firewall rules are defined. In addition I'm not positive the TMG handles "hair-pinned" traffic correctly.

I do NOT recommend to try to route the public IPs thru TMG, as that would require to build a third, separated network (DMZ).
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 38798807
Ok so here is an update. I was trying to get this to work using just my laptop, firewall (netgear) and my cable modem.

I put the IPs in the correct place (Customer: LAN Side) (Provider: WAN Side) and was unable to route any traffic from my IPs to the internet or even my default gateway on the WAN side. But i could ping from my WAN Side.

I called COX and sure enough my routed CIDR Block isnt being routed yet. I have a ticket open and am waiting for them to resolve the issue.
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 39178611
I've requested that this question be deleted for the following reason:

Issue self resolved
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39178600
Presumably it didn't resolve itself, but the routing at COX was implemented ...
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now