Re: FIREBOX II IP CONFIGURATION
From: Leythos (void_at_nowhere.com)
Date: 08/17/03
- Next message: Andy: "Digital signature and Digital Certificate"
- Previous message: Jacobo Jajati: "Re: FIREBOX II IP CONFIGURATION"
- In reply to: Jacobo Jajati: "Re: FIREBOX II IP CONFIGURATION"
Date: Sun, 17 Aug 2003 04:56:24 GMT
Sorry for top posting:
I have a FB II with 5 IPs and configured it as follows:
Public: 200.0.0.0/29 (not my real set either)
Trusted: 192.168.5.0/24
Optional: 192.168.3.0/24
You have it partly correct - you put the workstations in the Trusted
network and the publicly accessible systems in the Optional network.
You have to configure the Interfaces as follows:
External (Static - enter your information)
Trusted: 192.168.5.2/24
Optional: 192.168.3.2/24
The firewall will exist at the .2 address and the firewall will allow
you to route traffic from the 192.168.5 to .3 without needing to do
anything.
You need to map the ports you want to forward from the PUBLIC IP address
to the correct subnet NAT address.
Ex: If your web server is in the DMZ at 192.168.3.100 you need to create
an HTTP rule that does INCOMING 200.0.0.0 > 192.168.3.100
Now, since the web server has a real DNS entry, and unless you have your
own DNS server, you will have to make a HOST entry for the web server or
domain name.
This is the part you are missing: You will also need a rule that allows
ANY traffic from the Trusted to the Optional network, but block ANY from
Optional to Trusted. The firewall will not NAT traffic from inside the
Trusted interface out through the External Interface and then back into
the External Interface and then forward it to the Optional Interface. No
NAT does this, at least not the ones I've been using. Unless you have
your own DNS server you will have to have HOST entries that map
yourdomain.com to 192.168.3.100 or they won't reach it.
The same rules that allow the external users to find the internal server
have to be configured to allow the Trusted users to see the servers on the
Optional interface.
I would also suggest that you change your IP ranges from 192.168.0 and
192.168.1 to something higher - most NAT routers use those two subnets,
and when people VPN into your network it may cause you problems.
If you have an internal DNS server you can create records that point
your users to the private IP addresses in the DMZ and not have to mess
with HOST files.
Mark
In article <988e3b54.0308162037.137ee9ac@posting.google.com>,
jacobo.jajati@rca-net.com says...
> Ok, here goes the dilemma
>
> I have only ONE public IP; it ain't going to happen any other way. I
> have to port forward the services to my network. 1-to-1 NAT requires a
> whole subnet
>
> EXAMPLE
>
> Trusted=192.168.0.254
> 192.168.0.1-192.168.0.254 local user group
>
> Optional=192.168.1.254
> 192.168.1.1-192.168.1.254 servers and switches
>
> external=200.39.200.254 (sorry, obviously not my public IP)
>
> Web server 192.168.1.1 Filter rule, 200.39.200.254:80 to 192.168.1.1
> Mail Server 192.168.1.2 Filter rule, 200.39.200.254:110 to 192.168.1.2
> DNS server 192.168.1.3 Filter rule, 200.39.200.254:53 to 192.168.1.3
>
> I just can't seem to have my trusted network see my optional network
>
> I'm not including ports or more complex info since most of us already
> know the ports and how they work.
>
> Thanks in advance
>
> JJG
>
> "Atari_mark" <not@telling.com> wrote in message news:<3f3e12ac$0$249$fa0fcedb@lovejoy.zen.co.uk>...
> > You can do what you want but look at one-to-one NATs, you will need some
> > kind of address that is routable to be able to NAT to the Optional interface
> > devices.
> >
> > I have done something similar for a Council.
> >
> > Yes the manual is a waste of time!
> >
> > Mark
> >
> > "Jacobo Jajati" <jacobo.jajati@rca-net.com> wrote in message
> > news:988e3b54.0308142124.5e9a1330@posting.google.com...
> > > Hi all
> > >
> > > I'm installing a Firebox with a single IP; here goes the setup
> > >
> > > External: 200.200.200.x
> > > Internet: 192.168.0.254/24
> > > Optional: 192.168.1.254/24
> > >
> > > Im Running
> > >
> > > VoIP PBX 192.168.0.253
> > > Cisco 2924: 192.168.0.252
> > > Cisco 2912: 192.168.0.251
> > > Linksys wireless AP: 192.168.0.250
> > > WEB DNS: 192.168.0.1
> > > EXCHANGE DHCP: 192.168.0.2
> > > SQL: 192.168.0.3
> > > POP, IMAP, SMTP (public client use): 192.168.0.4
> > > PPTP DIALING 192.168.0.60/30
> > >
> > >
> > > All services are NAT (port mapping) from my Public IP to my internal
> > > network (except Exchange, overlapping service ports with public mail
> > > server)
> > >
> > > I would like to have my services on the Optional interface on the FB
> > > II. Is this possible using blackhole IPs, or do I need public routable
> > > IPs for each server?
> > >
> > > I will also be installing a cisco cache engine 500 in the following
> > > days. I would like to include this in the network config
> > >
> > > I would like to put all SERVERS, NETWORKING EQUIPMENT in the DMZ using
> > > 192.168.1.0/24. Can someone help me figure this out? I understand the
> > > OPTIONAL port is a DMZ zone but I still can't figure out how I can map
> > > ports to the DMZ interface, CAN'T USING THE FIREBOX CONFIG GUI.
> > >
> > > Thanks in advance for all the help
> > >
> > > P.S. Have been through the manual....not there.
>
--
spamfree999@rrohio.com (Remove 999 to reply to me)
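As an added example (not code from the thread or from WatchGuard), here is a small Python model of the policy Leythos lays out: INCOMING port-forwards that only apply to packets arriving on the External interface, an ANY rule from Trusted to Optional, a block from Optional to Trusted, and a split-horizon DNS view standing in for the HOST entries he mentions. The addresses are the thread's made-up ones (200.0.0.0/29, 192.168.5.0/24, 192.168.3.0/24, 192.168.3.100); 200.0.0.1 as the forwarded public address, the name www.yourdomain.com and the outside client 198.51.100.7 are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addressing from the thread.  200.0.0.0/29 is the poster's placeholder block;
# 200.0.0.1 as the forwarded public address is this example's assumption.
PUBLIC_IP = ipaddress.ip_address("200.0.0.1")
TRUSTED_NET = ipaddress.ip_network("192.168.5.0/24")
OPTIONAL_NET = ipaddress.ip_network("192.168.3.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.3.100")

# INCOMING rules: (public address, port) -> (DMZ host, port).
# Only HTTP is forwarded, matching the thread's example rule.
FORWARDS = {
    (PUBLIC_IP, 80): (WEB_SERVER, 80),
}

# Two views of the same name: what the Internet resolves, and what an internal
# DNS server (or a HOSTS entry) hands to inside clients.  Placeholder name.
PUBLIC_VIEW = {"www.yourdomain.com": PUBLIC_IP}
INTERNAL_VIEW = {"www.yourdomain.com": WEB_SERVER}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def zone(ip):
    """Which Firebox interface an address sits behind."""
    if ip in TRUSTED_NET:
        return "trusted"
    if ip in OPTIONAL_NET:
        return "optional"
    return "external"


def decide(pkt):
    """Return (verdict, delivered_to) for a new connection.

    Policy modelled: INCOMING forwards apply only on the External interface;
    Trusted -> Optional allowed; Optional -> Trusted denied; Trusted -> External
    allowed (outbound NAT); everything else dropped.
    """
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)

    if pkt.dst == PUBLIC_IP:
        # The public address belongs to the firewall.  A packet for it that did
        # not arrive on External is not turned around (no hairpin NAT), so a
        # Trusted client using the public DNS answer ends up here.
        if src_zone != "external":
            return ("drop", None)
        target = FORWARDS.get((pkt.dst, pkt.dport))
        return ("allow", target) if target else ("drop", None)

    if src_zone == dst_zone:
        return ("allow", (pkt.dst, pkt.dport))   # same segment; never crosses the firewall
    if src_zone == "trusted" and dst_zone == "optional":
        return ("allow", (pkt.dst, pkt.dport))   # the "ANY Trusted -> Optional" rule
    if src_zone == "optional" and dst_zone == "trusted":
        return ("deny", None)                    # the "block ANY Optional -> Trusted" rule
    if src_zone == "trusted" and dst_zone == "external":
        return ("allow", (pkt.dst, pkt.dport))   # ordinary outbound traffic
    return ("drop", None)                        # e.g. outside host addressing an RFC 1918 IP


def resolve(name, client_ip, split_dns):
    """Answer a lookup; split-horizon gives inside clients the private address."""
    inside = zone(client_ip) in ("trusted", "optional")
    view = INTERNAL_VIEW if (split_dns and inside) else PUBLIC_VIEW
    return view[name]


def reach(client_ip, name, port, split_dns):
    """What happens when client_ip connects to name:port, given its DNS view."""
    client = ipaddress.ip_address(client_ip)
    return decide(Packet(client, resolve(name, client, split_dns), port))


def connect(src_ip, dst_ip, port):
    """decide() on string addresses, for quick checks without DNS."""
    return decide(Packet(ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), port))


if __name__ == "__main__":
    # Constructed clients: 198.51.100.7 is an outside host, 192.168.5.10 a Trusted workstation.
    for who, split in (("198.51.100.7", False), ("192.168.5.10", False), ("192.168.5.10", True)):
        view = "split_dns" if split else "public_dns"
        print(who, view, reach(who, "www.yourdomain.com", 80, split))
```

Run as-is, the outside client is forwarded to 192.168.3.100:80, the Trusted workstation using the public answer is dropped at the firewall, and the same workstation with the internal view is allowed straight across Trusted -> Optional, which is the symptom JJG describes and the fix in the reply. Firewalls that implement NAT reflection (hairpin NAT) would instead rewrite the Trusted client's packet to the public address; this model follows the behaviour the post describes.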