Solved

Using static IP address somewhat safely

Posted on 2013-01-24
14
417 Views
Last Modified: 2013-02-01
I have 6 static IP addresses and have a linux based email server, as well as linux based web servers. What is the best way to set them up somewhat safely? I was originally going to set them up behind an existing sonicwall or watchguard, but nothing works I have tried or I am an idiot, or both, but I need these running rather quickly.
0
Comment
Question by:ITmanage
14 Comments
 
LVL 5

Expert Comment

by:Harsem
ID: 38816603
Hello,

6 static IP addresses is not a lot, so you could use the 192.168.0.0/24 range.

Give your:
sonicwall (or watchguard) 192.168.0.1/24
E-Mail 192.168.0.10/24
Web Server(s): 192.168.0.20/24, 192.168.0.21/24, 192.168.0.22/24 etc
And then your clients 192.168.0.50/24, 192.168.0.51/24 etc

Then all should be able to talk to each other.

Please let me know if this helps.

Jens

FYI: /24 = 255.255.255.0
0
 

Author Comment

by:ITmanage
ID: 38816625
My problem is I have the sonicwall set up with one static IP coming from the ISP (fiber optic blade) I need NAT set up from external IP's to private IP addresses, and all the rules I have tried have not worked. Used the wizards, etc. Still nothing. I can set up the servers straight to the secondary port that has the IP addresses but that is obviously not safe.
0
 
LVL 5

Expert Comment

by:Harsem
ID: 38816668
Hello,

I am sorry, I have mis-interpreted your question.

As I have no experience with Sonicwall or watchguard (only other firewalls) I am of little help here.

Sorry.

Jens
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38816949
So you want to NAT each of these addresses with their own public IP address.

Which model SonicWall and Watchguard do you have?
0
 

Author Comment

by:ITmanage
ID: 38818540
Yes I do. I have a sonicwall tz205 and a watchguard XTM25. I am currently using the sonicwall with the primary internet connection and our small company. I have one linux webserver on the static IP on that primary connection as well as a VPN set up. I was originally going to set up the OPT interface for the secondary port and all the static IP addresses, but this appeared above my head. I have an extra watchguard as a backup security appliance and figured hey, I will use this, that way I have some network separation, and it should be fairly easy using 1-to-1 NAT, but I can't get anything to work.
0
 

Author Comment

by:ITmanage
ID: 38820111
Been trying the sonicwall again today. 6 Static IP addresses assigned from ISP. Dot 161 is gateway and goes through dot 166. They told me nothing about assigning one of the static IP addresses to the WAN interface of the OPT sonicwall interface, so I just assigned dot 162 and can appear to ping out. I read something about upstream routing, so wondering if there is a reason traffic couldn't get to my email server (dot 163) because it can't find an alive host on that IP address even through NAT because I assigned the dot 162 to the wan port statically. Anyway, tried static routes, as well as static ARP via sonicwall forums, yet still get nothing. The ONLY way I have been able to communicate with my email server (haven't tested the others) is to connect a switch straight to the ISP port on the blade and assign the email server one of the static IP addresses.
0
 

Author Comment

by:ITmanage
ID: 38820285
Here is a link to somewhat what I want (pic)

http://www.gliffy.com/go/publish/4255593/

Of course I will separate the other servers from the main switch for security purposes if I can get this working.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38820605
I will have to double check the doc on the TZ205.  I don't think it can do one to one NAT.

I will also check the Watchguard XTM25, I believe it can do one to one NAT.
0
 

Author Comment

by:ITmanage
ID: 38820643
I appreciate it. I have looked and looked. I kind of gave up on the watchguard quickly because of the strange interface. I tried the one-to-one NAT, but either I was forgetting some other things, or something was set up wrong with the initial config with the static IP etc.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38820664
The TZ 205 can do one to one NAT.

You can download the manual here: http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=456&dl=1

This is for Sonic OS 5.8.  If you have a different OS it may not be exactly the same, but close.

Go to page 334 and the instructions are there.  Basically you are going to create 6 NAT policies, one for each internal/private IP address you want to NAT.

Original source: your inside IP address
Translated source: the public IP address you want to use.
Original destination: "ANY"
Translated destination: "ORIGINAL"
Original service: "ANY"
Translated Service "ORIGINAL"
Inbound Interface: X0
Outbound Interface: X2
Check the box for creating reflective policy.  This will allow inbound traffic.
0
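The policy layout in the accepted answer, worked through as an added example (not code from the thread or from SonicWall): it checks a private-to-public mapping against the ISP block described earlier (a /29 with .161 as gateway and .162 on the WAN port, here using the placeholder documentation range 203.0.113.160/29 and hypothetical hosts numbered the way Harsem suggested), then builds the six-field outbound policy for each host plus the mirrored inbound policy that the "reflective" checkbox is assumed to create.

```python
import ipaddress

# Constructed values mirroring the thread: ISP /29, .161 = gateway, .162 = firewall WAN port.
# 203.0.113.0/24 is documentation space, used here as a placeholder for the real block.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.160/29")
GATEWAY = ipaddress.ip_address("203.0.113.161")
WAN_IP = ipaddress.ip_address("203.0.113.162")

# Hypothetical private hosts -> public addresses (mail on .163 as in the thread).
HOSTS = {
    "mail": ("192.168.0.10", "203.0.113.163"),
    "web1": ("192.168.0.20", "203.0.113.164"),
    "web2": ("192.168.0.21", "203.0.113.165"),
}

def validate_mapping(hosts, block=PUBLIC_BLOCK, gateway=GATEWAY, wan_ip=WAN_IP):
    """Return a list of problems with a private->public mapping; an empty list means usable."""
    usable = set(block.hosts())          # hosts() excludes the network and broadcast addresses
    problems, used = [], set()
    for name, (private, public) in hosts.items():
        priv, pub = ipaddress.ip_address(private), ipaddress.ip_address(public)
        if not priv.is_private:
            problems.append(f"{name}: {private} is not a private (RFC 1918) address")
        if pub not in usable:
            problems.append(f"{name}: {public} is not a usable address in {block}")
        elif pub in (gateway, wan_ip):
            problems.append(f"{name}: {public} is the ISP gateway or the WAN port address")
        if pub in used:
            problems.append(f"{name}: {public} is already translated for another host")
        used.add(pub)
    return problems

def nat_policies(hosts, inbound="X0", outbound="X2"):
    """One outbound policy per host (fields as in the accepted answer) plus its assumed
    reflective mirror, which is what lets inbound traffic reach the private host."""
    policies = []
    for name, (private, public) in hosts.items():
        policies.append({"name": name, "direction": "outbound",
                         "original_source": private, "translated_source": public,
                         "original_destination": "ANY", "translated_destination": "ORIGINAL",
                         "original_service": "ANY", "translated_service": "ORIGINAL",
                         "inbound_interface": inbound, "outbound_interface": outbound})
        policies.append({"name": name, "direction": "inbound",
                         "original_source": "ANY", "translated_source": "ORIGINAL",
                         "original_destination": public, "translated_destination": private,
                         "original_service": "ANY", "translated_service": "ORIGINAL",
                         "inbound_interface": outbound, "outbound_interface": inbound})
    return policies
```

Run `validate_mapping(HOSTS)` before entering anything into the firewall; a public address that collides with the gateway or the WAN port address is the kind of mistake that leaves a host unreachable even though the NAT policy looks right.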
 
LVL 57

Expert Comment

by:giltjr
ID: 38820673
Oh, I am assuming that the Internet connection on X1 and X2 are going to two different ISP's, or are on different IP subnets.

If they are going to the same ISP then X1 and X2 would need to connect to a switch that has your ISP's router connected to it also.
0
 

Author Comment

by:ITmanage
ID: 38821256
They are going to the same ISP but are on different subnets, and are on different ports on the ISP blade. I will VPN tomorrow and test this. Thanks for your time.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38822123
As long as the ISP is routing each subnet separately it should work.

However, some setups where the ISP gives you two subnets, they use one as a routing only subnet and the other for your hosts.  You need to make sure they are routing the subnets independently of each other.
0
 

Author Comment

by:ITmanage
ID: 38827845
Sorry, haven't had a chance to work on this any further. Just received a new server system UPS which is conveniently DOA. Will attempt to try again tomorrow.
0
