Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Networking, CIDR Routing + TMG2010

Posted on 2013-01-18
7
Medium Priority
?
733 Views
Last Modified: 2013-05-19
Mission: Integrate new CIDR block.

I have recently been assigned a CIDR Block. This block will have 32 IPs in it and I need to setup the routing/nating.

Here is what i have now: 1xTMG2010 Server this server is currently used as my gateway/edge firewall, NAT, router - very similar to a Sonicwall or Netscreen.

The above scenario works like this:

1) Public IPs assigned to 1 network interface on my TMG server (64.80.x.x)
2) 1 Netgear Switch (TMG server is plugged into it)
3) Second NIC on my TMG server with a range of 192.168.1.x

The above is working as expected, i ordered more IPs because i am setting up new servers and need the additional IPs.

Here is what i need to accomplish:

I have a Netgear FVS336G, and of course my TMG server. I now need to setup CIDR based routing. I have been told by cox that if i want anymore than 8 ips i have to have my own routing hardware. << My Netgear FVS firewall does support this.

My new block is as follows:

Customer:
68.xxx.xxx.65 < Gateway
255.255.255.224 < Mask
Usable: 68.xxx.xxx.66-92

WAN:
57.224.xxx.100 : WAN IP
255.255.255.240 : Mask
57.224.xxx.97: Gateway


Internal Network: (Stays the same) All of my servers are connected on the internal network.
192.168.1.x
255.255.255.255.0
192.168.1.225 < TMG Server, This is what i currently point my client PCs to for the default gateway.

I want to accomplish the following: 1) Have all traffic pass through both firewalls (TMG + Netgear) 2) Double-NAT is not an acceptable solution

The Netgear firewall (WAN Side) will be the device that is connected to the Cable Modem, The TMG firewall will be connected to the (LAN Side) of the firewall.

I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Can i assign 1 of my "Public IPs" on my (LAN Side) of the firewall?

And then the rest of them on my "TMG External NIC" that is connected to the LAN side of my firewall?

Thats where i am getting lost since i cant use Double-NAT but i still want to use my TMG firewall.

Sorry if this is confusing i am having a hard time understanding how to make this work correctly and am so hoping someone can assist....

Thanks....
0
Comment
Question by:castellansolutions
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 38795712
I want to have the public IPs on my TMG Server << And that is where i am getting lost.

Does your router support 1 to 1 NAT?
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 38795754
Yes. It does. Here is what i tried:

1) I set the ISPs WAN IP on my WAN1 port of the Netgear, i plugged that in to the cable modem.
2) I set the LAN Port on the netgear to my WAN IP
3) I enabled Classical Routing

I cannot ping anything from my laptpo which i set to 1 one of my other Public IPs. So it didnt work at all. If i enable NAT then it all works as expected except i get the external IP of my ISP. And not my static IPs.

This is with my laptop and nothing else in between.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795769
Wait, you are setting Public IP's on all your devices? Including your laptops? No wonder I was getting confused.


How many devices do you need to ping from the outside? IE. device you "DO NOT" want to be protected by your firewall.

This is in effect what you are doing when you give a device a public ip address directly. You also need to give that same device the ISP's DNS servers as well as the proper gateway.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 71

Expert Comment

by:Qlemo
ID: 38798250
Set up the Netgear to route inbound traffic for the network 68.xxx.xxx.64/27 to the "public" NIC of your TMG. You can still implement firewall rules on Netgear, if needed, but TMG should be the "main" firewall, as it controls the NATting.

On TMG implement 1:1 NAT (or service based NAT, whatever you intend to do). For 1:1 NAT see http://www.isaserver.org/tutorials/Configuring-One-to-One-NAT-TMG-2010.html .

If done correctly, public IPs are mapped to private IPs back and forth. Tests from inside might not work, depending on how the firewall rules are defined. In addition I'm not positive the TMG handles "hair-pinned" traffic correctly.

I do NOT recommend to try to route the public IPs thru TMG, as that would require to build a third, separated network (DMZ).
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 38798807
Ok so here is an update. I was trying to get this to work using just my laptop, firewall (netgear) and my cable modem.

I put the IPs in the correct place (Customer: LAN Side) (Provider: WAN Side) and was unable to route any traffic from my IPs to the internet or even my default gateway on the WAN side. But i could ping from my WAN Side.

I called COX and sure enough my routed CIDR Block isnt being routed yet. I have a ticket open and am waiting for them to resolve the issue.
0
 
LVL 6

Author Comment

by:castellansolutions
ID: 39178611
I've requested that this question be deleted for the following reason:

Issue self resolved
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 39178600
Presumably it didn't resolve itself, but the routing at COX was implemented ...
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question