This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Securing a network with all public IP's without a DMZ

We have got here a network with all static, public IP addresses. Our network looks like this: xxx.yyy.zzz.192 with subnet 255.255.255.192.
I installed ASL on a spare PC, gave xxx.yyy.zzz.194 to the eth0 and everything went well so long. Now I want to configure ASL and try to set up the second interface. I tried to assign xxx.yyy.zzz.195 with subnet 255.255.255.192, but WebAdmin says: "An interface for the IP range 213.69.86.192/255.255.255.192 already exists!" How can I solve this? We cannot assign private IPs to our machines in the network. How should I configure ASL to work as a firewall for our net with all static IPs? We don't have a DMZ and do not need one, so the solution in the ASL-FAQ is not helpful to me. Or is it and I didn't understand it right?
Thanks for your help. I wanted to set up the ASL box tomorrow, so quick hints or help would be fine.

Thx!

Marek

This thread was automatically locked due to age.

Parents

0 tom_01 over 23 years ago
hi marek,

first of all, you cannot assign the same network to two different interfaces, because this results in a routing conflict. (this is not ASL specific).

I see your problem. What I would REALLY recommend is to talk to your ISP in order to get a transfer network between your Router (or "Gateway") and the ASL (firewall) box. This would be the cleanest solution.

If that does not work, we'll have to work around this problem like this:

Now, enable Proxy ARP on the external ASL interface.

Then clients in the LAN get .224 as netmask and use the .225 as default gateway.

like this, you have split the 64 IP network in two parts with 32 IPs each. The "lower" part is used as the transfer network, the "higher" part as LAN IP space. We work around the routing problem with proxy ARP.

I will compile a FAQ howto on this problem, as it seems to be pretty popular ...

/tom
Cancel
Vote Up 0 Vote Down

Cancel
0 Marek Luthardt BPS over 23 years ago in reply to tom_01

quote:
Originally posted by tom:

I see your problem. What I would REALLY recommend is to talk to your ISP in order to get a transfer network between your Router (or "Gateway") and the ASL (firewall) box. This would be the cleanest solution.

Ok, this seems to be the only solution. Dividing our network into to 2 equally sized subnets is not possible because we already use more than 32 IP addresses, so that a 32-host-subnet would not be enough. Dividing it into a smaller subnet with only some ip-adresses and a bigger one with the rest didn't work. Seems this is not possible with the IP-implementation.

So if our ISP does assign us a transfer network, how do I have to set up the ASL-box? The FAQ-solution is not clear to me because of the DMZ (which we don't want to use) and the private IP's.

Thanks in advance for any hints.

Marek [:S]

[ 15 August 2001: Message edited by: Marek Luthardt, BPS ]
Cancel
Vote Up 0 Vote Down

Cancel
0 tom_01 over 23 years ago in reply to Marek Luthardt BPS
with a transfer network: very simple and clean:

a.a.a is your old network, which you can fully use in the LAN like you do now.

x.x.x is the new transfer network assigned to you by your ISP. It is very small (2 useable IPs).

Your ISP must add a route to the router to send the a.a.a network to the ASL box (x.x.x.zzz).

This would be the best possible setup for your scenario.

/tom
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 tom_01 over 23 years ago in reply to Marek Luthardt BPS
with a transfer network: very simple and clean:

a.a.a is your old network, which you can fully use in the LAN like you do now.

x.x.x is the new transfer network assigned to you by your ISP. It is very small (2 useable IPs).

Your ISP must add a route to the router to send the a.a.a network to the ASL box (x.x.x.zzz).

This would be the best possible setup for your scenario.

/tom
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Marek Luthardt BPS over 23 years ago in reply to tom_01

Wow! Very quick answer ...

Ok, now I understand. The message to the ISP is on the way.

By the way: Great work!

Marek
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Kelley over 23 years ago in reply to Marek Luthardt BPS
I thought this particular thread was close to my scenario and provided some great tips, so I thought I would pose my question here.

I would like to place a firewall between my router and my network. Our ISP gave us a range of public IP addresses (x.x.x.0 - x.x.37.63/255.255.255.192) and we would prefer not to use private IP's. We do have control of our Cisco router; therefore, we can create a transfer network if necessary..

This is the network config I am proposing, based upon reading the astaro docs and discussion forums:

Add a route to the router to send our LAN network (x.x.x.4/ 255.255.255.192) to Firewall Ext. Interface (x.x.x.2)

Internal network:

LAN Internal Interface - x.x.x.5

A barrage o' questions: Are these subnets correct? Would I still use the subnet mask 255.255.255.192 for the internal network, even though it is less than 64 IP addresses available in that subnet? Is it necessary for me to create the external transfer network? Would it be better for me to construct a bridging firewall? Does Astaro support bridges? We host our webserver and Exchange (groan) server on our LAN network, and I don't want to change any IP addresses. Ideally, I would like to drop a firewall between our router and network, and not have to touch the router.

Many thanks in advance for any pearls of wisdom.

Regards,

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Ziegler over 23 years ago in reply to Chris Kelley

hi chris,

sorry, but that won't work, cause you can't do subnetting that way.
you should ask your ISP to provide a transfer network (/30) and configure your router and ASL like Tom described it above.

bye,
michael
Cancel
Vote Up 0 Vote Down

Cancel