Archived from groups: comp.security.firewalls
In article <4N6dnWaEjupLJnfd4p2dnA@adelphia.com>, grroberts@adelphia.net
says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b4f80ff772bcc5398a72b@news-server.columbus.rr.com...
> > In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
> > says...
> > > So currently I have a cisco 1720 I can just take the NAT stuff off and pass
> > > everything through to the firewall. Do I just make the Ethernet port on the
> > > router the same as the public IP address on the serial interface or use a
> > > different public address? I think the ISP gave us 3 or 4 of them.
> > >
> > > Sorry never set one of these up. Just trying to figure out my options
> > > before I do anything.
> >
> > I'm not exactly sure - the 1720 is a router, you should have X number of
> > IPs, make the firewall public side the first of them, in fact, assign it
> > the first IP in the series, then add the others, make sure that you get
> > the default gateway and the mask (it might be a /30) correct for the
> > public side.
> >
> > Once you get it setup for public, setup the trusted side with your
> > internal addresses - don't connect it to the network yet. Set the
> > firebox to provide DHCP services - just to test everything.
> >
> > Now, take one computer that is DHCP enabled, connect it to the LAN, same
> > one you are using to setup the FB will work - since you are going to
> > need the management interface. Connect the FB External to the CISCO,
> > connect the PC to the Trusted port, turn on the PC, get an IP, and as
> > long as you've permitted DNS and HTTP outbound, then you should be able
> > to browse to google.com and get a page.
> >
> > Now that you know the system works, you can expand on it from there.
> >
> > You could also leave the CISCO and router in place and set the FB up on
> > one of your unused public IPs to test it - in fact, unless you are using
> > the other IPs, I would suggest that you use one of those spare public
> > addresses until you get used to working with the FB.
> >
> > One more thing - please post at the BOTTOM of the message, it follows
> > usenet etiquette standards.
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> Sorry for all the questions but this is my first one. Just want to make
> sure I'm doing it right.
>
> Public IPs from the ISP - Not real numbers made up.
>
> serial block - 172.35.21.230/30
> Serial interface to router - 172.35.21.232
> Gateway (ISP) - 172.35.21.231
> Address Block - 172.35.21.192/29
> Network IP - 172.35.21.192
> Broadcast IP - 172.35.21.199
>
> Usable IPs - 172.75.23.193 - 172.75.23.198
>
>
> INTERNAL Network IPs.
> Gateway - 10.23.1.15
> Switch - 10.23.1.23
> users - 10.23.1.100 - 10.23.1.200
>
> Right now without the FB the router serial interface uses 172.35.21.232
> The Ethernet or internal interface uses 10.23.1.15
>
> The router is using NAT, when setting up the FB do I turn off NAT? What
> IPs does the router serial and ethernet interfaces become? What would the
> FB external interface become.
>
> I guess I'm trying to get an understanding of how it flows from the router
> to the firewall to the internal network just to have a better understanding
> of how it works.
>
> Thanks for all your help.
George - it's not a good idea to post all of your IP information to
newsgroups - you should send me an email to the address in my sig
(remove the 999 from it).
As for your setup:
It appears as though your router is assigning you a private IP address
from the ISP - they are using 172.X block, and that's fine for most
things, but we need to assign the firebox the PUBLIC IP Address, not a
NAT address. While you can use a NAT address on the EXTERNAL port of the
FB, I'm not entirely sure how things are going to work once you start
doing NAT on the TRUSTED ports of the firebox. What I mean is that it
should work, but that a double NAT often causes problems - get the
PUBLIC IP from your ISP and assign it to the firebox EXTERNAL port.
Next, your choice of IP for the TRUSTED LAN - The firebox is going to be
your internal default gateway for all of your systems in the trusted
area. In most cases, it's easiest to set the trusted interface to .1,
such as 10.23.1.1. Not sure about your Switch - if it's a managed switch
you will need an IP, but you need to get a spreadsheet setup with how
you are going to assign IPs in your network:
10.23.1.1 Gateway - Trusted Interface on Firewall
10.23.1.2~9 Other FW/security devices
10.23.1.10~19 Managed Switches and such
10.23.1.30~49 Servers and such fixed IP addresses
10.23.1.60~89 Network Printers, scanners, etc...
10.23.1.100~199 DHCP Scope for users' systems
10.23.1.240~249 VPN Remote User Address - by firewall
10.24.1.1 Gateway - Optional Interface on Firewall
10.24.1.2~9 Other FW/security devices
10.24.1.10~19 Managed Switches and such
10.24.1.30~99 Web Servers and such - exposed systems
And the list goes on - this is all subjective and depends on your
network and what hardware/services you have in it.
Unless you have a really BIG network, don't use 10.0.0.0/8 for a subnet;
while it may seem easy/nice, it's a pain once you start trying to
segment your network. In a lot of cases a 10.0.0.0/24 network will do
for offices and SOHO users - I would suggest 192.168.10.0/24 in place of
a 10.0.0.0/8 network.
With the example I provided above, it would require that the 10.23 and
the 10.24 not be in the same network.
Now, as for getting from the External port to the trusted and inside:
External - public IP/GW
In the FB, make sure that you setup DNS with the ISP's DNS information
so that the FB can resolve external IP addresses.
Trusted - 10.23.1.1 (assigned to Trusted Port)
- 255.255.255.0
If you are running a DNS server in your network, get it setup and use
Forwarders to point to the ISP's DNS servers for anything that is not in
your local network.
As for flowing:
INTERNET
|
YOUR PUBLIC IP RANGE
|
YOUR ROUTER
|
YOUR ROUTER'S IP RANGE (may also be natted)
|
FIREBOX External Interface - First Free IP from router, add others too
|
NAT Layer - Trusted 10.23.1.1/24 (10.23.1.1 is Trusted Interface IP)
|
NAT Layer - Optional 10.24.1.1/24 (10.24.1.1 is Optional Interface IP)
|
RULE SETS (determine in/out, ports, services)
|
Systems/Devices in Trusted or Optional Networks.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
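As an added worked example (not part of the thread or of any Firebox tooling), the script below uses Python's standard `ipaddress` module to sanity-check an address plan like the one Leythos lays out above: every reserved range inside the trusted /24, no two ranges overlapping, trusted and optional subnets kept apart, and whether the address the firewall's external port would receive sits in RFC 1918 space (the double-NAT case). The `TRUSTED_PLAN` ranges are copied from the post; the function names and the RFC 1918 membership test as a double-NAT heuristic are assumptions made for this example.

```python
import ipaddress

# Address plan from the post above (values copied from it); each entry is
# (label, first address, last address) of a reserved range.
TRUSTED_NET = ipaddress.ip_network("10.23.1.0/24")
TRUSTED_PLAN = [
    ("Gateway - Trusted interface", "10.23.1.1", "10.23.1.1"),
    ("Other FW/security devices", "10.23.1.2", "10.23.1.9"),
    ("Managed switches", "10.23.1.10", "10.23.1.19"),
    ("Servers, fixed IPs", "10.23.1.30", "10.23.1.49"),
    ("Printers/scanners", "10.23.1.60", "10.23.1.89"),
    ("DHCP scope", "10.23.1.100", "10.23.1.199"),
    ("VPN remote users", "10.23.1.240", "10.23.1.249"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_problems(net, plan):
    """Return a list of problems with an address plan: ranges outside the
    subnet, ranges touching the network/broadcast address, overlapping ranges."""
    problems, seen = [], []
    for label, first, last in plan:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a > b:
            problems.append(f"{label}: first address is after last")
            continue
        if a not in net or b not in net:
            problems.append(f"{label}: outside {net}")
        elif a == net.network_address or b == net.broadcast_address:
            problems.append(f"{label}: uses network or broadcast address")
        for other, (oa, ob) in seen:
            if a <= ob and oa <= b:          # closed intervals intersect
                problems.append(f"{label} overlaps {other}")
        seen.append((label, (a, b)))
    return problems

def double_nat_risk(external_ip):
    """True if the address the firewall's external port would get is RFC 1918
    space, i.e. the firebox would be NATing behind the router's own NAT."""
    ip = ipaddress.ip_address(external_ip)
    return any(ip in n for n in RFC1918)

def subnets_overlap(a, b):
    """True if two subnets overlap (the 10.23 / 10.24 networks must not)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def usable_hosts(cidr):
    """Usable host addresses of a block, e.g. the ISP's /29 (6 of them)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]
```

Run `plan_problems(TRUSTED_NET, TRUSTED_PLAN)` on the spreadsheet before assigning anything; an empty list means the ranges are consistent, and `double_nat_risk()` on the router-side address tells you whether you are about to stack NAT on NAT.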