Tech:NAT subnet routing question

Archived from groups: microsoft.public.windowsnt.protocol.tcpip

Have been searching google but have not found a similar question posted.

We have a private wide area network connected via ATM. There are 13
buildings, each with a router. Each building has their own subnet and DHCP
server. All the routers connect back to the main router via ATM through
serial ports and, I believe, PVCs. Connectivity between buildings is
working very well, with no problem pinging addresses or DNS names outside of
any building. The main router is connected to our ISP and also a LAN in
our admin building. The main router internet connection is connected to a
switch along with the firewall external NIC. The other ethernet port is
connected to another switch which is connected to the internal NIC of the
firewall and all the client computers. I am currently trying to set up a
firewall with NAT at our main location with the Internet connection for
all clients in all buildings to connect to the Internet. Here is a quick
overview of my setup and more on my problem below that.

++++++++++++++++++++++++++++++++++++++++++++++++++
Subnetmask 10.0.0.0/21 255.255.248.0

Routers - serial connection over ATM

Main building
Router 209.204.5.1
10.0.16.1
All the serial connections 10.0.8.x

Clients are configured via DHCP
10.0.16.52-10.0.23.254
gateway 10.0.16.1
mask 255.255.248.0

Firewall/NAT 10.0.16.2
209.204.5.2
Gateway 209.204.5.1

Example Remote Subnet
Gateway 10.0.24.1
Mask 255.255.248.0
+++++++++++++++++++++++++++++++++++++++++++++++++++

The firewall running NAT works fine in the main office location, where the
server is part of the LAN, only if I set the clients' gateway to
10.0.16.2. I have not had much luck entering 2 gateways on the client. I
know I should add a route, but to where, and what would the route be? Also,
should the clients be configured to use multiple gateways?

Then my remote subnets also need to be able to get seamless internet
access via the firewall running NAT. What route and gateway modifications
should be made here?


Thank you,

John Pursglove
 

Is there a reason you can't make a hard swap? If you want some LANs to go
through the new firewall, you can create a route-map in the main router to
send traffic to the new firewall.

neteng


John,

You may have to rethink your design.

1. You should have a single path out to the internet. Currently it seems
that both the firewall and the main router have internet IP addresses and
you're trying to get your clients to pick one. It is not advisable for the
clients to have 2 gateways.

2. The routers on your private subnets will probably need to have a gateway
to the NAT/Firewall.

3. The clients on the private subnets should not require any additional
configuration.

4. You will probably have to set up routes (if you're not using a dynamic
routing protocol) on the firewall to get back to the private subnets -
similar to the ones that you probably currently have on your main router.

Your setup probably needs to look something like this -

--(Internet)------|Main Router|------|NAT/Firewall|------|Private Router|------|Private Clients|----

What this means is that you either have to change the addresses on your NAT
Firewall and Main Router to something as follows:

Main building
Router        209.204.5.1 (external nic)
              192.168.0.1 (internal nic)
Firewall/NAT  10.0.16.2 (private nic)
              192.168.0.2 ('public' nic)
              Gateway 192.168.0.1

Or something like

Main building
Router        209.204.5.1 (internal nic)
              209.204.6.1 (external nic) (or some other internet address,
              depending on the availability)
              All the serial connections 10.0.8.x
Firewall/NAT  10.0.16.2 (private nic)
              209.204.5.2 (public nic)
              Gateway 209.204.5.1



I hope this gives you some help.



Louise Bowman

MSFT


--
This posting is provided "AS IS" with no warranties, and confers no rights.
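Point 4 of the reply above (routes on the firewall back to the private subnets), shown as an added example that is not part of the original thread: a longest-prefix-match lookup over the firewall's routing table that finds which private subnets would have their replies sent out the default route. The /24 mask on the public side, the use of 10.0.16.1 as the inside next hop, and the 10.0.32.0/21 subnet are assumptions made for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return (matching network, next hop) for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)

# Firewall routing table built from the addresses quoted in the thread.
FIREWALL_BASE = [
    ("10.0.16.0/21", "direct:inside"),     # firewall's own LAN (10.0.16.2)
    ("209.204.5.0/24", "direct:outside"),  # assumption: /24 on the public side
    ("0.0.0.0/0", "209.204.5.1"),          # default gateway from the thread
]

INSIDE_ROUTER = "10.0.16.1"  # assumption: inside router that reaches the buildings
REMOTE_SUBNETS = [
    "10.0.8.0/21",   # serial links (10.0.8.x in the thread)
    "10.0.24.0/21",  # example remote subnet from the thread
    "10.0.32.0/21",  # constructed: one further building
]

def missing_return_routes(table, subnets):
    """Subnets whose return traffic only matches the default route,
    so the firewall would send replies out the public side."""
    missing = []
    for net in subnets:
        first_host = next(ipaddress.ip_network(net).hosts())
        prefix, _hop = lookup(table, str(first_host))
        if prefix.prefixlen == 0:
            missing.append(net)
    return missing

def with_static_routes(table, subnets, via):
    """Return a new table with one static route per subnet via the inside router."""
    return table + [(net, via) for net in subnets]

if __name__ == "__main__":
    print("no return route for:", missing_return_routes(FIREWALL_BASE, REMOTE_SUBNETS))
    fixed = with_static_routes(FIREWALL_BASE, REMOTE_SUBNETS, INSIDE_ROUTER)
    for dst in ("10.0.24.50", "10.0.16.60", "198.51.100.7"):
        print(dst, "->", lookup(fixed, dst)[1])
```
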