Solved

Using static IP address somewhat safely

Posted on 2013-01-24
14
408 Views
Last Modified: 2013-02-01
I have 6 static IP addresses and have a linux based email server, as well as linux based web servers. What is the best way to set them up somewhat safely? I was originally going to set them up behind an existing sonicwall or watchguard, but nothing works I have tried or I am an idiot, or both, but I need these running rather quickly.
Question by:ITmanage
14 Comments
 
LVL 5

Expert Comment

by:Harsem
Hello,

6 static IP addresses is not a lot, so you could use the 192.168.0.0/24 range.

Give your:
sonicwall (or watchguard) 192.168.0.1/24
E-Mail 192.168.0.10/24
Web Server(s): 192.168.0.20/24, 192.168.0.21/24, 192.168.0.22/24 etc
And then your clients 192.168.0.50/24, 192.168.0.51/24 etc

Then all should be able to talk to each other.

Please let me know if this helps.

Jens

FYI: /24 = 255.255.255.0

Author Comment

by:ITmanage
My problem is I have the sonicwall set up with one static IP coming from the ISP (fiber optic blade). I need NAT set up from external IPs to private IP addresses, and all the rules I have tried have not worked. Used the wizards, etc. Still nothing. I can set up the servers straight to the secondary port that has the IP addresses but that is obviously not safe.
LVL 5

Expert Comment

by:Harsem
Hello,

I am sorry, I have misinterpreted your question.

As I have no experience with Sonicwall or watchguard (only other firewalls) I am of little help here.

Sorry.

Jens
LVL 57

Expert Comment

by:giltjr
So you want to NAT each of these addresses with their own public IP address.

Which model SonicWall and Watchguard do you have?

Author Comment

by:ITmanage
Yes I do. I have a sonicwall tz205 and a watchguard XTM25. I am currently using the sonicwall with the primary internet connection and our small company. I have one linux webserver on the static IP on that primary connection as well as a VPN set up. I was originally going to set up the OPT interface for the secondary port and all the static IP addresses, but this appeared above my head. I have an extra watchguard as a backup security appliance and figured hey, I will use this, that way I have some network separation, and it should be fairly easy using 1-to-1 NAT, but I can't get anything to work.

Author Comment

by:ITmanage
Been trying the sonicwall again today. 6 static IP addresses assigned from ISP. Dot 161 is the gateway and it goes through dot 166. They told me nothing about assigning one of the static IP addresses to the WAN interface of the OPT sonicwall interface, so I just assigned dot 162 and can appear to ping out. I read something about upstream routing, so wondering if there is a reason traffic couldn't get to my email server (dot 163) because it can't find an alive host on that IP address even through NAT because I assigned dot 162 to the WAN port statically. Anyway, tried static routes, as well as static ARP via sonicwall forums, yet still get nothing. The ONLY way I have been able to communicate with my email server (haven't tested the others) is to connect a switch straight to the ISP port on the blade and assign the email server one of the static IP addresses.

Author Comment

by:ITmanage
here is a link to somewhat what I want (pic)

http://www.gliffy.com/go/publish/4255593/

Of course I will separate the other servers from the main switch for security purposes if I can get this working.
LVL 57

Expert Comment

by:giltjr
I will have to double check the doc on the TZ205.  I don't think it can do one to one NAT.

I will also check the Watchguard XTM25, I believe it can do one to one NAT.

Author Comment

by:ITmanage
I appreciate it. I have looked and looked. I kind of gave up on the watchguard quickly because of the strange interface. I tried the one-to-one NAT, but either I was forgetting some other things, or something was set up wrong with the initial config with the static IP etc.
LVL 57

Accepted Solution

by:giltjr (earned 500 total points)
The TZ 205 can do one to one NAT.

You can download the manual here: http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=456&dl=1

This is for Sonic OS 5.8.  If you have a different OS it may not be exactly the same, but close.

Go to page 334 and the instructions are there.  Basically you are going to create 6 NAT policies, one for each internal/private IP address you want to NAT.

Original source: your inside IP address
Translated source: the public IP address you want to use.
Original destination: "ANY"
Translated destination: "ORIGINAL"
Original service: "ANY"
Translated Service: "ORIGINAL"
Inbound Interface: X0
Outbound Interface: X2
Check the box for creating reflective policy.  This will allow inbound traffic.
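As an added illustration (not code from the thread or from SonicWall), this Python models the six policies in the shape listed in the accepted solution, derives the inbound policy the reflective checkbox implies, and checks for the pitfalls raised earlier in the thread: a public IP outside the ISP block, equal to the gateway (dot 161), used by two hosts, or already assigned to the WAN port. The ISP block 203.0.113.160/29 and the 192.168.0.x hosts are constructed values.

```python
import ipaddress
# Constructed values (not from the thread): ISP /29 with .161 as gateway and
# .162-.166 usable, like the "dot 161 through dot 166" block in the question.
ISP_BLOCK = ipaddress.ip_network("203.0.113.160/29")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.161")

def build_nat_policy(private_ip, public_ip, inbound="X0", outbound="X2"):
    """One outbound 1:1 NAT policy with the fields listed in the accepted answer."""
    return {
        "original_source": private_ip,
        "translated_source": public_ip,
        "original_destination": "ANY",
        "translated_destination": "ORIGINAL",
        "original_service": "ANY",
        "translated_service": "ORIGINAL",
        "inbound_interface": inbound,
        "outbound_interface": outbound,
        "reflective": True,
    }

def reflective_policy(policy):
    """The inbound counterpart the 'reflective policy' box creates: traffic that
    arrives on the WAN side for the public IP is translated to the private host."""
    return {
        "original_source": "ANY",
        "translated_source": "ORIGINAL",
        "original_destination": policy["translated_source"],
        "translated_destination": policy["original_source"],
        "original_service": "ANY",
        "translated_service": "ORIGINAL",
        "inbound_interface": policy["outbound_interface"],
        "outbound_interface": policy["inbound_interface"],
    }

def check_policies(policies, block=ISP_BLOCK, gateway=ISP_GATEWAY, wan_ip=None):
    """Return problems: public IP outside block, gateway, WAN address, or reused."""
    problems, seen = [], {}
    for p in policies:
        pub = ipaddress.ip_address(p["translated_source"])
        if pub not in block:
            problems.append(f"{pub} is not inside {block}")
        if pub == gateway:
            problems.append(f"{pub} is the ISP gateway")
        if wan_ip is not None and pub == ipaddress.ip_address(wan_ip):
            problems.append(f"{pub} is already the WAN interface address")
        if pub in seen:
            problems.append(f"{pub} is mapped to both {seen[pub]} and {p['original_source']}")
        seen.setdefault(pub, p["original_source"])
    return problems
```

On SonicOS the NAT policy only translates addresses; a WAN-to-LAN access rule still decides which services reach each server, so those rules should be kept to the ports each server actually offers.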
LVL 57

Expert Comment

by:giltjr
Oh, I am assuming that the Internet connection on X1 and X2 are going to two different ISP's, or are on different IP subnets.

If they are going to the same ISP then X1 and X2 would need to connect to a switch that has your ISP's router connected to it also.

Author Comment

by:ITmanage
They are going to the same ISP but are on different subnets, and are on different ports on the ISP blade. I will VPN tomorrow and test this. Thanks for your time.
LVL 57

Expert Comment

by:giltjr
As long as the ISP is routing each subnet separately it should work.

However, some setups where the ISP gives you two subnets, they use one as a routing only subnet and the other for your hosts.  You need to make sure they are routing the subnets independently of each other.

Author Comment

by:ITmanage
Sorry, haven't had a chance to work on this any further. Just received a new server system UPS which is conveniently DOA. Will attempt to try again tomorrow.