Re: DMZ Configuration

From: Jeremiah Kristal (jkristal@NOSPAM.nyc.rr.com)
Date: 12/19/02


From: Jeremiah Kristal <jkristal@NOSPAM.nyc.rr.com>
Date: Thu, 19 Dec 2002 13:01:13 GMT

On Wed, 18 Dec 2002 18:09:50 +0100, "Old_Stove"
<cbcbcbcb@nospam.katamail.com> wrote:

>Hi all,
>I have a Netscreen 25.
>
>I have an internet connection on a leased line, and we have 32 IPs assigned
>by our internet provider.
>
>The FW is now configured in NAT mode.
>It has a public IP on the untrust interface (one of those assigned by our
>internet provider).
>On the trust interface it has a private IP.
>One machine on the private network is mapped to the IP of the untrust
>interface and it can be correctly reached from the internet on the mapped IP.
>
>Now I have to put another machine on the internet, but I need to leave this
>machine with its public IP (one of those assigned by our internet provider), so
>I would like to use the DMZ.
>
>The problem is that when I try to assign a public IP on the DMZ interface
>that is on the same network as the untrust interface, I get an error.
>
>Is it possible to assign two IPs from the same net to the untrust and DMZ
>interfaces?

It shouldn't be. Break your netblock into two netblocks, assign an IP
from one netblock to the untrust interface, and an IP from the other
netblock to the DMZ interface and you should be happy.
>
>What should be the right architecture?
>
>Is using the DMZ the right way to put this machine on the internet with a public IP?

Yep.
>
>Thanks in advance.

OK, since you have 32 addresses, you have a /27, which is another way
of saying your subnet mask is 255.255.255.224. Let's assume that your
existing netblock is 213.199.5.0/27 (taken from your posting IP).
That would mean that you have the addresses between 213.199.5.0 and
213.199.5.31. You can't use .0 or .31, because they're the network
and the broadcast address respectively, so you really have 30
addresses to work with.

What you want to do to get the DMZ working correctly is to break your
netblock into 213.199.5.0/28 and 213.199.5.16/28. You now have two
blocks of 16 addresses (only 14 usable in each block). Assign IP
addresses from different blocks to DMZ and Untrust, and proceed with
your firewall config.

Jeremiah

P.S. To the person who said that the inability to do what you tried
is a reason to stay away from Netscreen, please please please get a
clue about routing before you spread further nonsense.

>Cesare
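
The subnetting Jeremiah walks through, as an added example that is not part of the thread: Python's ipaddress module computes the network, broadcast and usable range of the /27, splits it into two /28s, and checks that the untrust and DMZ interface subnets no longer overlap. The netblock is the one assumed in the post; the host numbers .2 and .20 are hypothetical and chosen here for illustration.

```python
import ipaddress

# Constructed values: the /27 assumed in the post (taken from the poster's
# address) and hypothetical host numbers (.2 and .20) chosen for illustration.
NETBLOCK = "213.199.5.0/27"
UNTRUST_HOST = "213.199.5.2"
DMZ_HOST = "213.199.5.20"


def describe(cidr):
    """Network, broadcast and usable range, as the post works out by hand
    (30 usable in the /27, 14 usable in each /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable": len(hosts),
    }


def split_block(cidr):
    """Halve a block: 213.199.5.0/27 -> 213.199.5.0/28 and 213.199.5.16/28."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def interfaces_clash(untrust_if, dmz_if):
    """The condition the firewall rejects: the subnets attached to the two
    interfaces overlap. Interfaces are given as 'a.b.c.d/len'."""
    u = ipaddress.ip_interface(untrust_if).network
    d = ipaddress.ip_interface(dmz_if).network
    return u.overlaps(d)


def plan_interfaces(cidr, untrust_host, dmz_host):
    """Give each host the /28 it falls in; refuse the plan if both hosts
    landed in the same half, which would reproduce the original error."""
    halves = [ipaddress.ip_network(h) for h in split_block(cidr)]
    result = {}
    for name, host in (("untrust", untrust_host), ("dmz", dmz_host)):
        addr = ipaddress.ip_address(host)
        half = next(h for h in halves if addr in h)
        result[name] = f"{addr}/{half.prefixlen}"
    if interfaces_clash(result["untrust"], result["dmz"]):
        raise ValueError("untrust and DMZ would share a subnet")
    return result
```

With both hosts left on the original /27 (213.199.5.2/27 and 213.199.5.20/27), interfaces_clash() returns True, which is the error the original poster hit; after the split, plan_interfaces() assigns 213.199.5.2/28 to untrust and 213.199.5.20/28 to DMZ.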


