Using static IP address somewhat safely

I have 6 static IP addresses and have a Linux-based email server, as well as Linux-based web servers. What is the best way to set them up somewhat safely? I was originally going to set them up behind an existing SonicWall or WatchGuard, but nothing I have tried works, or I am an idiot, or both, but I need these running rather quickly.
Asked by ITmanage

1 Solution
 
Harsem Commented:
Hello,

6 static IP addresses is not a lot, so you could use the 192.168.0.0/24 range.

Give your:
sonicwall (or watchguard) 192.168.0.1/24
E-Mail 192.168.0.10/24
Web Server(s): 192.168.0.20/24, 192.168.0.21/24, 192.168.0.22/24, etc.
And then your clients 192.168.0.50/24, 192.168.0.51/24, etc.

Then all should be able to talk to each other.

Please let me know if this helps.

Jens

FYI: /24 = 255.255.255.0

ITmanage Author Commented:
My problem is that I have the SonicWall set up with one static IP coming from the ISP (fiber optic blade). I need NAT set up from external IPs to private IP addresses, and all the rules I have tried have not worked. Used the wizards, etc. Still nothing. I can set up the servers straight to the secondary port that has the IP addresses, but that is obviously not safe.

Harsem Commented:
Hello,

I am sorry, I misinterpreted your question.

As I have no experience with SonicWall or WatchGuard (only other firewalls), I am of little help here.

Sorry.

Jens
 
giltjr Commented:
So you want to NAT each of these addresses with their own public IP address.

Which model SonicWall and Watchguard do you have?

ITmanage Author Commented:
Yes I do. I have a SonicWall TZ205 and a WatchGuard XTM25. I am currently using the SonicWall with the primary internet connection and our small company. I have one Linux web server on the static IP on that primary connection, as well as a VPN set up. I was originally going to set up the OPT interface for the secondary port and all the static IP addresses, but this appeared above my head. I have an extra WatchGuard as a backup security appliance and figured, hey, I will use this; that way I have some network separation, and it should be fairly easy using 1-to-1 NAT, but I can't get anything to work.

ITmanage Author Commented:
Been trying the SonicWall again today. 6 static IP addresses assigned from the ISP. Dot 161 is the gateway and it goes through dot 166. They told me nothing about assigning one of the static IP addresses to the WAN interface of the OPT SonicWall interface, so I just assigned dot 162 and appear to be able to ping out. I read something about upstream routing, so I am wondering if there is a reason traffic couldn't get to my email server (dot 163): because it can't find an alive host on that IP address, even through NAT, because I assigned dot 162 to the WAN port statically. Anyway, I tried static routes, as well as static ARP via SonicWall forums, yet still get nothing. The ONLY way I have been able to communicate with my email server (haven't tested the others) is to connect a switch straight to the ISP port on the blade and assign the email server one of the static IP addresses.

ITmanage Author Commented:
Here is a link to something like what I want (pic):

http://www.gliffy.com/go/publish/4255593/

Of course I will separate the other servers from the main switch for security purposes if I can get this working.

giltjr Commented:
I will have to double check the doc on the TZ205. I don't think it can do one-to-one NAT.

I will also check the Watchguard XTM25, I believe it can do one to one NAT.

ITmanage Author Commented:
I appreciate it. I have looked and looked. I kind of gave up on the watchguard quickly because of the strange interface. I tried the one-to-one NAT, but either I was forgetting some other things, or something was set up wrong with the initial config with the static IP etc.

giltjr Commented:
The TZ 205 can do one to one NAT.

You can download the manual here: http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=456&dl=1

This is for SonicOS 5.8. If you have a different OS it may not be exactly the same, but close.

Go to page 334 and the instructions are there. Basically you are going to create 6 NAT policies, one for each internal/private IP address you want to NAT.

Original Source: your inside IP address
Translated Source: the public IP address you want to use
Original Destination: "ANY"
Translated Destination: "ORIGINAL"
Original Service: "ANY"
Translated Service: "ORIGINAL"
Inbound Interface: X0
Outbound Interface: X2
Check the box for creating a reflective policy. This will allow inbound traffic.
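As an added example (not part of the thread or of any SonicWall tooling), a small Python checker for the plan giltjr describes above: it validates a set of private-to-public 1:1 mappings against the ISP's /29, rejects the gateway (.161 here), the address already sitting on the firewall's WAN port (.162, the conflict ITmanage suspected), the network and broadcast addresses, duplicates and non-private inside addresses, and emits the outbound rule together with the inbound rule the reflective option mirrors from it. The 203.0.113.160/29 prefix is a constructed documentation prefix standing in for the real block, and the field names and X0/X2 interfaces are taken from giltjr's list.

```python
import ipaddress

# Constructed example values: the thread gives only the last octets (.161 is
# the ISP gateway, .162 was put on the firewall's WAN port, .163 is the mail
# server), so a documentation prefix stands in for the real one.
PUBLIC_BLOCK = "203.0.113.160/29"
GATEWAY = "203.0.113.161"
WAN_ADDRESS = "203.0.113.162"


def plan_one_to_one_nat(mappings, block=PUBLIC_BLOCK, gateway=GATEWAY,
                        wan=WAN_ADDRESS):
    """Validate a {private_ip: public_ip} 1:1 NAT plan against the ISP block.

    Returns (policies, errors): one policy per accepted mapping, holding the
    outbound rule from the thread plus the inbound rule the reflective option
    mirrors from it, and one reason string per rejected mapping.
    """
    net = ipaddress.ip_network(block, strict=True)
    # Public addresses a 1:1 mapping must never claim: network and broadcast,
    # the ISP gateway, and whatever already lives on the firewall's WAN port.
    reserved = {net.network_address: "network address",
                net.broadcast_address: "broadcast address",
                ipaddress.ip_address(gateway): "ISP gateway",
                ipaddress.ip_address(wan): "firewall WAN interface address"}
    policies, errors, taken = [], [], {}
    for private, public in mappings.items():
        priv, pub = ipaddress.ip_address(private), ipaddress.ip_address(public)
        if not priv.is_private:
            errors.append(f"{private}: inside address is not private-use")
        elif pub not in net:
            errors.append(f"{public}: outside the ISP block {net}")
        elif pub in reserved:
            errors.append(f"{public}: is the {reserved[pub]}")
        elif pub in taken:
            errors.append(f"{public}: already mapped to {taken[pub]}")
        else:
            taken[pub] = private
            policies.append({
                # Outbound policy, fields named as in the SonicOS NAT form.
                "outbound": {"original_source": private, "translated_source": public,
                             "original_destination": "ANY", "translated_destination": "ORIGINAL",
                             "inbound_interface": "X0", "outbound_interface": "X2"},
                # Reflected inbound policy: traffic addressed to the public IP
                # is handed to the private host behind it.
                "inbound": {"original_source": "ANY", "translated_source": "ORIGINAL",
                            "original_destination": public, "translated_destination": private,
                            "inbound_interface": "X2", "outbound_interface": "X0"}})
    return policies, errors
```

Run it against the intended plan before touching the firewall; every entry in `errors` is a mapping that would silently fail or fight the firewall's own WAN address.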
 
giltjr Commented:
Oh, I am assuming that the Internet connections on X1 and X2 are going to two different ISPs, or are on different IP subnets.

If they are going to the same ISP then X1 and X2 would need to connect to a switch that has your ISP's router connected to it also.

ITmanage Author Commented:
They are going to the same ISP but are on different subnets, and are on different ports on the ISP blade. I will VPN in tomorrow and test this. Thanks for your time.

giltjr Commented:
As long as the ISP is routing each subnet separately it should work.

However, in some setups where the ISP gives you two subnets, they use one as a routing-only subnet and the other for your hosts. You need to make sure they are routing the subnets independently of each other.

ITmanage Author Commented:
Sorry, haven't had a chance to work on this any further. Just received a new server system UPS which is conveniently DOA. Will attempt to try again tomorrow.