Re: Question on IP address migration and firewalls

From: "Tony Whitmore" <tony_whitmore@nospamhotmail.com>
Date: Thu, 19 Sep 2002 17:12:00 +0100

Hi Charles

The solution will depend on how much traffic you are expecting. If you only
get low rates of traffic, then you may only need one public IP address.

It would be possible to use a single box as a firewall and use
port-forwarding on that box to redirect incoming connections to the
appropriate server. For example, you could run a web server, e-mail server
and FTP server on different physical machines, configured with private IP
addresses (i.e. not accessible directly from the internet). You could then
use port-forwarding on the firewall box to direct requests from your public
IP address to the appropriate server based on the port connected to at the
public IP address. If you used a firewall product with a DMZ, your servers
could be made externally accessible and all your workstations could access
the internet through one public IP address. However, you may find that if
your servers are remotely busy that the performance hit is unacceptable. In
this circumstance, splitting between a public IP address(es) for your
server(s) and a public IP address(es) for your private network connectivity
is sensible.

Whether you will need to change the IP addresses of servers outside
the 1-32 range will depend on whether your new service provider will lease
you the current IP address or not. If not, then you'll need to change the IP
address to one that you are authorised to use. Only your ISP can answer that
question.

Don't feel guilty about having unused IP addresses - although they are
becoming scarce, you are by no means the worst offender. I used to work at a
Higher Education college in England which had all of its workstation
machines on public IP addresses, at least 5000 of them. There was no reason
for this, as none of them needed to act as servers on the internet. When I
queried this use of public IP addresses on insecure (unpatched Win95)
machines the response was "but you need to have a public IP address for a
computer to access the internet". The ISP must have been laughing all the
way to the bank...

Cheers,

Tony Whitmore

"Charles Woolever" <talk@existingstations.com> wrote in message
news:c413e4f1.0209190655.72633dee@posting.google.com...
> Since the company I work for started with Internet access several years
> ago, we have had a firewall (Sun's SunScreen) and a range of public
> IP addresses from x.x.x.1 to 127 given to us by our service provider.
>
> We changed service providers (a smaller one) and were told that IP
> addresses were more scarce now and that they needed to make sure that
> the range of IP addresses they give out is just enough to cover the
> need. Meaning, we had several servers with static IP addresses within
> the 1-127 range along with the IP address that the firewall sent
> everything out as, but we weren't using 127 addresses.
>
> Now we need to reduce our public IP range from 1-127 to 1-32. Our
> firewall does NAT. I guess I have no idea where to start. Do we need
> to start changing IP addresses for some of the servers whose IP
> address falls outside the 1-32 range? Meaning, we have a mail server
> that is .40, do I need to change that to something under 32? Then once
> all of the public IPs we are using (web, mail, etc) are in 1-32,
> just put the new range in the firewall? I can program the firewall,
> just not sure how I approach reducing our IP address usage.
>
> Any help you could give, I would appreciate. Thanks.
>
> Charles
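
An added example, not part of the original thread: a small planner for the two approaches discussed above, renumbering servers whose public address falls outside the new 1-32 range, or exposing them all through port-forwarding on one public address. The inventory, the 203.0.113.0/24 documentation prefix (standing in for x.x.x) and the private addresses are constructed for illustration.

```python
import ipaddress

# Constructed inventory: (name, current public IP, private IP, exposed TCP ports).
SERVERS = [
    ("firewall", "203.0.113.1", None, []),
    ("web", "203.0.113.10", "192.168.1.10", [80, 443]),
    ("mail", "203.0.113.40", "192.168.1.40", [25]),
    ("ftp", "203.0.113.77", "192.168.1.77", [21]),
]

def host_range(prefix, first, last):
    """Addresses prefix.first .. prefix.last, e.g. the new 1-32 allocation."""
    base = int(ipaddress.ip_network(prefix).network_address)
    return [ipaddress.ip_address(base + i) for i in range(first, last + 1)]

def plan_renumbering(servers, prefix, first, last):
    """Keep addresses already inside the new range; move the rest to free ones."""
    allowed = host_range(prefix, first, last)
    in_use = {ipaddress.ip_address(pub) for _, pub, _, _ in servers}
    free = [a for a in allowed if a not in in_use]
    plan = {}
    for name, pub, _, _ in servers:
        if ipaddress.ip_address(pub) in allowed:
            plan[name] = (pub, pub)                 # unchanged
        elif free:
            plan[name] = (pub, str(free.pop(0)))    # needs a new static NAT entry
        else:
            raise ValueError(f"new range exhausted, no address for {name}")
    return plan

def port_forward_table(servers, public_ip):
    """Single-address alternative: (public_ip, port) -> (server, private IP)."""
    table = {}
    for name, _, priv, ports in servers:
        for port in ports:
            key = (public_ip, port)
            if key in table:
                # Two servers cannot share one port on one public address.
                raise ValueError(f"port {port}: {table[key][0]} vs {name}")
            table[key] = (name, priv)
    return table

if __name__ == "__main__":
    for name, (old, new) in plan_renumbering(SERVERS, "203.0.113.0/24", 1, 32).items():
        print(f"{name:9} {old:14} -> {new}")
    for (ip, port), (name, priv) in port_forward_table(SERVERS, "203.0.113.1").items():
        print(f"{ip}:{port} -> {priv}:{port} ({name})")
```

Only the ports listed in the forwarding table need to be opened on the firewall; everything else inbound can stay denied.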
