Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 736
  • Last Modified:

Networking, CIDR Routing + TMG2010

Mission: Integrate new CIDR block.

I have recently been assigned a CIDR Block. This block will have 32 IPs in it and I need to setup the routing/nating.

Here is what i have now: 1xTMG2010 Server this server is currently used as my gateway/edge firewall, NAT, router - very similar to a Sonicwall or Netscreen.

The above scenario works like this:

1) Public IPs assigned to 1 network interface on my TMG server (64.80.x.x)
2) 1 Netgear Switch (TMG server is plugged into it)
3) Second NIC on my TMG server with a range of 192.168.1.x

The above is working as expected, i ordered more IPs because i am setting up new servers and need the additional IPs.

Here is what i need to accomplish:

I have a Netgear FVS336G, and of course my TMG server. I now need to setup CIDR based routing. I have been told by cox that if i want anymore than 8 ips i have to have my own routing hardware. << My Netgear FVS firewall does support this.

My new block is as follows:

68.xxx.xxx.65 < Gateway < Mask
Usable: 68.xxx.xxx.66-92

57.224.xxx.100 : WAN IP : Mask
57.224.xxx.97: Gateway

Internal Network: (Stays the same) All of my servers are connected on the internal network.
192.168.1.x < TMG Server, This is what i currently point my client PCs to for the default gateway.

I want to accomplish the following: 1) Have all traffic pass through both firewalls (TMG + Netgear) 2) Double-NAT is not an acceptable solution

The Netgear firewall (WAN Side) will be the device that is connected to the Cable Modem, The TMG firewall will be connected to the (LAN Side) of the firewall.

I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Can i assign 1 of my "Public IPs" on my (LAN Side) of the firewall?

And then the rest of them on my "TMG External NIC" that is connected to the LAN side of my firewall?

Thats where i am getting lost since i cant use Double-NAT but i still want to use my TMG firewall.

Sorry if this is confusing i am having a hard time understanding how to make this work correctly and am so hoping someone can assist....

  • 3
  • 2
  • 2
1 Solution
I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Does your router support 1 to 1 NAT?
castellansolutionsAuthor Commented:
Yes. It does. Here is what i tried:

1) I set the ISPs WAN IP on my WAN1 port of the Netgear, i plugged that in to the cable modem.
2) I set the LAN Port on the netgear to my WAN IP
3) I enabled Classical Routing

I cannot ping anything from my laptpo which i set to 1 one of my other Public IPs. So it didnt work at all. If i enable NAT then it all works as expected except i get the external IP of my ISP. And not my static IPs.

This is with my laptop and nothing else in between.
Wait, you are setting Public IP's on all your devices? Including your laptops? No wonder I was getting confused.

How many devices do you need to ping from the outside? IE. device you "DO NOT" want to be protected by your firewall.

This is in effect what you are doing when you give a device a public ip address directly. You also need to give that same device the ISP's DNS servers as well as the proper gateway.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

QlemoC++ DeveloperCommented:
Set up the Netgear to route inbound traffic for the network 68.xxx.xxx.64/27 to the "public" NIC of your TMG. You can still implement firewall rules on Netgear, if needed, but TMG should be the "main" firewall, as it controls the NATting.

On TMG implement 1:1 NAT (or service based NAT, whatever you intend to do). For 1:1 NAT see http://www.isaserver.org/tutorials/Configuring-One-to-One-NAT-TMG-2010.html .

If done correctly, public IPs are mapped to private IPs back and forth. Tests from inside might not work, depending on how the firewall rules are defined. In addition I'm not positive the TMG handles "hair-pinned" traffic correctly.

I do NOT recommend to try to route the public IPs thru TMG, as that would require to build a third, separated network (DMZ).
castellansolutionsAuthor Commented:
Ok so here is an update. I was trying to get this to work using just my laptop, firewall (netgear) and my cable modem.

I put the IPs in the correct place (Customer: LAN Side) (Provider: WAN Side) and was unable to route any traffic from my IPs to the internet or even my default gateway on the WAN side. But i could ping from my WAN Side.

I called COX and sure enough my routed CIDR Block isnt being routed yet. I have a ticket open and am waiting for them to resolve the issue.
castellansolutionsAuthor Commented:
I've requested that this question be deleted for the following reason:

Issue self resolved
QlemoC++ DeveloperCommented:
Presumably it didn't resolve itself, but the routing at COX was implemented ...

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now