Configure Cable Modem with Multiple IP address block (Full Version)

All Forums >> [Threat Management Gateway (TMG) 2010] >> General



Message


jbonczek -> Configure Cable Modem with Multiple IP address block (13.Feb.2012 9:53:43 AM)

Hello All!

i have an interesting configuration scenario.

TMG configured as Edge Firewall.
NICs: 1 internal, 1 external

External NIC connected directly to Cable Modem.

We want to expand our use of this server, so we have requested additional IPs from our ISP.

This is what they have told me with respect to configuring our TMG NICs...

-----------------------------

Cable Modem MAC: ffff.ffff.ffff
Your static IP is: xxx.yyy.zzz.123

The additional IP block is:
Network: xxx.yyy.zzz.248 /29
Subnet Mask: 255.255.255.248
Start: xxx.yyy.zzz.249
End: xxx.yyy.zzz.254

I will need you to configure an IP from this block to an INTERNAL interface; I would suggest using the first usable IP of xxx.yyy.zzz.249. This IP will then act as the gateway for the subnets traffic.

-----------------------------

I'm got a decent understanding of network concepts and configurations, however this just escapes my grasp! Can anyone help me understand how to configure my TMG server?




pwindell -> RE: Configure Cable Modem with Multiple IP address block (15.Feb.2012 2:58:15 PM)

And probably no one else is going to understand it either. The ISP is the only one who can explain it to you. They are the only ones who understand (hopefully) how they designed their equipment to work.

Although CableTV ISPs attempt to market themselves as Business minded services,..they are not. That is the difference between marketing (aka "How can we fool them today") and real life. CableTV Internet systems are designed around a "home-user" mentality and their equipment, and the technological methods by which they operate do not lend themselves to doing things "the business way".

Most likely you will have to add all the IP#s tot he External Nic of the ISA and then use Publishing Rules to make use of them after that. It will probably be impossible to make other pieces of equipment be physically on the "Public Side" with Public IP#. Everything will have to be on the Private LAN and then Publish them through the ISA, with the ISA being the only thing with a true Public Interface on the Public Side.

Also note that there is a huge amount that you can do with just one IP# (when doe properly). So many times having more than one IP# is completely unneeded. So you could save money by going back to one IP#.




pwindell -> RE: Configure Cable Modem with Multiple IP address block (15.Feb.2012 3:11:07 PM)

quote:

ORIGINAL: jbonczek

Cable Modem MAC: ffff.ffff.ffff
Your static IP is: xxx.yyy.zzz.123

The additional IP block is:
Network: xxx.yyy.zzz.248 /29
Subnet Mask: 255.255.255.248
Start: xxx.yyy.zzz.249
End: xxx.yyy.zzz.254

I will need you to configure an IP from this block to an INTERNAL interface; I would suggest using the first usable IP of xxx.yyy.zzz.249. This IP will then act as the gateway for the subnets traffic.


I can't suggest or interpret anything when you fake the IP#.  The actual IP#s actually do matter in figuring things out.  They are Public IP#s,...with the emphasis on Public,...meaning there anything secret about them,..the whole point of Public IP#s is that the Public knows them,...so they can connect to them.

Anyway,...is this ISP,...Comcast?
If so what they are saying only works if you use their Firewall that they place on your premisis. It is a simple Home-User NAT Firewall built by SVC that they refer to as a "Comcast Business Gateway".  Yea, "business",...it's that marketing thing again.

But again,..the ISP is the only one that can really make sense of this,...there are just too many convoluted ways that these CableTV (and DSL) Internet setups are designed.




achim87 -> RE: Configure Cable Modem with Multiple IP address block (1.Aug.2014 2:51:46 PM)

This is a pretty simple routing scenario actually, what you need is a border router.

I am posting this for the benefits of others in the future because many people seem confused about how a traditional or "real router" works, which is 100% different than what your Linksys or Dlnks does, those are more of "translators" than "routers".


This can be done using free software, or in Windows Server RRAS or a hardware Cisco Router. Cisco routers are pretty cheap nowadays, you can probably pick a decent one up for under $150 on Ebay. The 1800 series would be a good fit for your needs.

What you will need to do is to configure two interfaces, they both would be public and will NOT USE NAT/PAT!

Simple Diagram:

[ISP]-----[Modem]--S1--[Cisco Router]--S2--[Customer IP Block]---[ISA Server/Firewall]--S3--[NAT/PAT PRIVATE Addresses]

S1 (Segment 1) is the network where single static IP assigned to you from your ISP will go. Lets call this interface "eth0"
S2 (Segment 2) is the network of your additional IP BLock
S3 (Segment 3) is the internal network behind your TMG/ISA Firewall with Private RFC1918 Addresses, ALL Natting / PATting will be between Segments 2 and 3, the border router only does "real routing", 100% public addresses no NAT/PAT at all.

***This is where the confusion comes in because home user/consumer routers are not really routers, they are merely nat/pat "translators"***

Configuration of the Border Router would be something like this:

eth0: 142.233.46.123 255.255.255.0 (which is a /24)
eth1: 69.212.33.249 255.255.255.248 (which is a /29)
ip route 0.0.0.0 0.0.0.0 142.233.46.1 (which is a static route pointing to the default gateway of the ISP on Segment 1 or eth0)


(The ISP will have a static route on their router pointing to you, so on THEIR end they will have this statement pointing to the IP Address on your Segment1 eth0 interface IP: ip route 69.212.33.249 255.255.255.248 142.233.46.123)


Now on your firewall or any other device you will assign the external interface to anything in the range of: 69.212.33.250 - 69.212.33.254, in our example:

IP: 69.212.33.250
Mask: 255.255.255.248
Gw: 69.212.33.249 (Yes! We are hosting our OWN external default gateway, most consumers would assume the first hop will be the ISP, but not in this case!)

You may then add 69.212.33.251 to 69.212.33.254 to a 1:1 NAT IP Pool or assign other devices to those IPs as necessary. You may even run your own DHCP Server on eth1 assigning out public routable addresses, as if you are running your own ISP!

Here is what a traceroute from a client BEHIND/INSIDE your Firewall would look like:

1. 10.0.0.254 <<--- ISA Server [Segment 3]
2. 69.212.33.249 <<--- Your Border Router [Segment 2] **Your cable modem sits between hops 2 and 3**
3. 142.233.46.1 <<--- Your ISP's Gateway [Segment 1]
4. <Whatever Path to your destination>

A Traceroute from the internet to your routed subnet:

x. <ISP and Internet Cloud> **Your cable modem sits between hops x and 2**
2. 142.233.46.123 <<--- Your Border Router [Segment 1]
3. 69.212.33.249 <<--- A device on your routed subnet i.e. Firewall [Segment 2]
============================
4. 10.0.0.123 <<--- A host/server on your internal network behind your FW [Segment 3]

A routed subnet allows flexibility of porting IP Addresses. In fact as in the example above, you can even set private addresses on additional routers (although not recommended by regularly practiced by many ISPs due to shortfall of IPv4 Addresses anyways) between hops 2 and 3, perhaps a VPN tunnel, which will allow your IPs to be ported to and used at another location, even as far as in another country half way around the world!

Hope this clears things up!!




Page: [1]