Welcome to ISAserver.org


Subnetting IPs for Public IP DMZ Use

Subnetting IPs for Public IP DMZ Use - 16.Oct.2006 3:42:58 PM   
morcutt
Well, I have to confess that this is more of a TCP/IP question vs. an ISA 2004 issue, but the context of what I need to do related to the ISA server seems to make this a good place to start.

We are currently replacing a firewall appliance with an ISA 2004 server with multiple NICs for multiple zones. One of the zones will be an anonymous DMZ zone that will have public IP addresses assigned to the servers in this zone. Our understanding, from reading the articles on this site, is that we need to have a block of public IPs that is subnetted at our router, with one address assigned to the ISP router-facing NIC, and the IP addresses that are assigned to the DMZ must use the IP address of the ISP router-facing NIC as their default gateway. We understand that the ISP router (a Cisco 1700 series provided by the ISP) must have a routing table that reflects this configuration (DMZ IPs using the router-facing NIC IP address as their default gateway). Due to our ignorance when it comes to proper IP addressing, this is, apparently, about all we understand.

There is only one router (Cisco 1700) in our environment and it is the SPE (Customer Provisioned Equipment) provided by our ISP. Thus, any changes to the router's routing table will need to be done by the ISP, but in order to instruct them as to what is needed, we need to be fairly specific. Today we have a block of 32 addresses (/27) and our suspicion is that, if we try to subnet the block to provide a public IP on the firewall's router-facing NIC, we can't do so and still have 29 usable public IPs available for the DMZ (since the /27 only provides 30 usable addresses) - our understanding is that subnetting doesn't work like that. Instead, we're assuming that the block would have to be evenly split between two subnets, creating two blocks of 16 IPs (two /28's), leaving only 14 usable addresses for the DMZ servers and wasting a bunch of IPs in the first subnet, which only needs one IP assigned to the firewall's router-facing NIC. Is this assumption correct? If it is, it seems like we need to increase our block of assigned IPs, subnetting a larger block to meet our DMZ needs (14 unique addresses isn't sufficient) and wasting a bunch of IPs. That is not really a popular idea with our ISP.

Any thoughts that anyone could provide would be greatly appreciated. I apologize in advance for my limited TCP/IP addressing knowledge and for, perhaps, completely misinterpreting this whole setup.

_____________________________

Thanks,
Marc
Post #: 1
RE: Subnetting IPs for Public IP DMZ Use - 17.Oct.2006 9:20:10 AM   
Guest
Hi Mark!
Well that sounds like a tricky one!
First, if you take a look at your IP address block you can see that this block was already subnetted, since you have a subnet mask of /27.
So in order to subnet it further you need to use VLSM.
This might be an issue regarding your ISP.
But even if you are using VLSM you cannot subnet in blocks larger than 16-2=14 hosts per subnet (with VLSM you will not waste IP addresses).
So there isn't any workaround here with subnetting, since you do need more than 14 hosts per subnet.
Why do you need subnetting?
Because you will need to direct traffic from the ISP router to your DMZ.
So if you stick to this design you will need a large block of IP addresses.
Or you can use a "rival product" to do the trick without subnetting. However, since ISA is such a great firewall, it is possible that later you will miss some of its features.
It's like in real life: you simply can't have them all in one piece.
So before any risky moves, may I ask why you have such a large number of anonymous DMZ hosts and why you need a public IP address for every one of them?
There might be a solution around the corner, but it's all about your network design.

< Message edited by adrian_dimcev -- 17.Oct.2006 9:50:00 AM >

(in reply to morcutt)
  Post #: 2
RE: Subnetting IPs for Public IP DMZ Use - 17.Oct.2006 9:51:32 AM   
morcutt
Adrian - thanks for the reply.

I guess the reason I'm inquiring about creating two subnets is that I was trying to address the issue addressed in Tom Shinder's article about publishing servers on ISA with a public address segment. My understanding from that article was that two subnets were needed - one for the External NIC and one for server addresses on the public address DMZ segment, with the upstream router treating the IP address of the External NIC as the gateway for the DMZ IPs. You're correct in that we already have a subnet of a class C. I can get a larger block of IPs (/26), but I don't want to do that if half of the IPs have to be assigned to the External NIC, where I only need one address. With the old firewall appliance that we have today (Sonicwall Pro 300) this situation wasn't necessary - if you were using public IPs on the DMZ the firewall was able to direct traffic between the External NIC and the DMZ addresses - but of course there are other limitations with that firewall and hence our implementation of the ISA server.

I haven't looked into the Cisco ASA, but that may get a bit pricy.

We use a fair amount of public IPs as we are a Web application development and hosting company (many of our clients host with us after we build their applications). Thus we have Web, mail, and FTP servers. We also host some Live Communications Server services, VPN, etc.

I guess our concept of having public IPs on the DMZ may be a lack of acceptance that we could assign all of our IPs to the ISA's External NIC and simply use private IPs in the DMZ, as long as we could publish all of the services that we use. Maybe we're still emotionally attached to the old-school technique of public IP DMZs. We also planned some reverse proxy servers in the DMZ that would direct traffic to Web or other types of servers in another zone, but it doesn't appear that using public or private IPs in the DMZ would matter for that.

My impression is that we are far better off with private IPs in the DMZ and simply have to plan to redo our addressing scheme as we move servers to the new ISA server. Would you agree?

_____________________________

Thanks,
Marc

(in reply to Guest)
Post #: 3
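The address arithmetic the three posts above argue about, as an added example that is not part of the original thread. It uses a constructed block from RFC 5737 documentation space (203.0.113.0/27, and 203.0.113.0/26 for the "larger block" Marc mentions) in place of the poster's real ISP allocation, and assumes one convention that the thread does not state: the ISP router takes the first usable address of the transit subnet and ISA's external NIC takes the last. It contrasts the even split Marc assumed in the first post with the VLSM carve-up Adrian describes: the transit link costs only a /30, but the largest single subnet left inside a /27 is still a /28 (14 hosts), while a /26 leaves a whole /27 (30 hosts) for the DMZ rather than "half the IPs" going to the external NIC. It also renders the static route the ISP would have to add on the Cisco 1700 (standard IOS `ip route` syntax) so the DMZ subnet is reached via ISA's external address.

```python
import ipaddress

# Constructed example blocks (RFC 5737 documentation space), standing in for
# the /27 the poster holds today and the /26 he considers asking his ISP for.
EXAMPLE_27 = "203.0.113.0/27"
EXAMPLE_26 = "203.0.113.0/26"


def usable_hosts(net):
    """Classic host count for a subnet: all addresses minus network and broadcast."""
    return max(net.num_addresses - 2, 0)


def even_split(block):
    """The 'split it in half' plan from the first post: two equal subnets,
    one of which would be wasted on a single external-NIC address."""
    block = ipaddress.ip_network(block)
    return list(block.subnets(prefixlen_diff=1))


def carve_transit_and_dmz(block, transit_prefix=30):
    """VLSM plan: take a /30 transit subnet (exactly two hosts: ISP router and
    ISA external NIC) off the front of the block, then give the largest
    remaining aligned subnet to the public-IP DMZ.
    Returns (transit, dmz, leftovers)."""
    block = ipaddress.ip_network(block)
    transit = next(block.subnets(new_prefix=transit_prefix))
    # address_exclude() yields the aligned subnets that cover block minus transit
    remaining = sorted(block.address_exclude(transit),
                       key=lambda n: n.num_addresses, reverse=True)
    return transit, remaining[0], remaining[1:]


def ios_static_route(dmz, transit):
    """The one line the ISP would add on the Cisco 1700: reach the DMZ subnet
    via ISA's external NIC.  Assumed convention (not from the thread): the
    router takes the first usable transit address, ISA takes the last."""
    isa_external = list(transit.hosts())[-1]
    return f"ip route {dmz.network_address} {dmz.netmask} {isa_external}"


def plan(block):
    """Summarise one block as (dmz_subnet, usable_dmz_hosts, ios_route_line)."""
    transit, dmz, _ = carve_transit_and_dmz(block)
    return str(dmz), usable_hosts(dmz), ios_static_route(dmz, transit)


if __name__ == "__main__":
    for b in (EXAMPLE_27, EXAMPLE_26):
        halves = even_split(b)
        print(f"{b}: even split -> {[str(h) for h in halves]}, "
              f"{usable_hosts(halves[0])} usable hosts each")
        dmz, n, route = plan(b)
        print(f"{b}: VLSM -> DMZ {dmz} with {n} usable hosts; "
              f"ISP router needs: {route}")
```

The leftovers returned for the /27 case (a /29 and a /30) are the addresses VLSM saves over the even split; they are routable but cannot be merged into the /28, which is why Adrian's "14 hosts is the ceiling" holds regardless of how the block is carved. The generated `ip route` line is exactly the specific instruction the first post says the ISP needs.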
RE: Subnetting IPs for Public IP DMZ Use - 17.Oct.2006 10:09:11 AM   
Guest
Well, I do recommend the use of private IP addresses in the DMZ for many reasons. With ISA you can easily create some publishing rules and have it set up quickly.
But sometimes NAT becomes tricky with some applications.
However, this remains to be seen within your network.
Private IP addressing is good because if you use a big block of public IP addresses the price of the ISP connection becomes ......
Yep, that Cisco can do the trick, but....
I prefer not to comment on that here.
I suppose you can give it a go with private addressing in the DMZ.
I'm pretty sure that ISA will resolve this just fine!
About the subnetting needed on ISA: the problem is that if you have a router it cannot have two interfaces on the same subnet. To allow this you would have to set the interfaces in "bridging mode"; the router must support this. On a firewall things may become more complex since you need advanced filtering options. It can be done in some firewalls and it is called a "transparent firewall". On ISA, Microsoft states:
quote:

There cannot be two network adapters in the same subnet

Good luck!

< Message edited by adrian_dimcev -- 20.Oct.2006 9:39:19 AM >

(in reply to morcutt)
  Post #: 4
