
CISCO827H: Need help with network layout puzzle please

Status
Not open for further replies.

Silencerr

Programmer
Aug 19, 2002
3
CA
Hey,
Please let me know if this is a wrong forum to post in.

My company is planning to switch the business ADSL ISP in the very near future and the big difference is that we only get 5 static registered IPs when we had 32 before. So now I'm wondering what would be the best approach to deal with this and I would really appreciate some help since I'm no guru in network design at all.

Here ( is a quick diagram that represents the requirements (it's wrong design-wise though). As you can see we have:
- two computers that have to have registered IPs
- two groups of other computers that would need only selected services forwarded through defined ports (x.x.x.x represents static registered IPs provided by the ISP). They are combined in two groups to be able to forward a given service to more than one NATed computer.
Obviously as far as my knowledge goes this will work as far as the picture is concerned, however the problem is that basically all these computers are joined together as a domain and they need to be able to communicate with each other without limits, which isn't possible given this diagram (right?).

This is way out of my league (I'm a developer, not a network admin) and I would really appreciate it if you guys could help me out here. I can always FedEx ya some beer if it all works out :)

Thank you!
 
"and they need to be able to communicate with each other without limits, which isn't possible given this diagram (right?)."

How do you mean! What's stopping them from communicating?

Chris.
************************
Chris Andrew, CCNA
chris@iproute.co.uk
************************
 
Looking at this picture I don't see how
-PCs with registered IPs will be able to get to PCs with non-registered IPs (x.x.x.2 -> 192.168.1.100)
-PCs with non-registered IPs from one router will be able to get to PCs with non-registered IPs from another router (192.168.1.100 <-> 192.168.1.103)

Could you please explain how the routing will work if my understanding is incorrect? Thank you!

Also from what I found today about the Cisco 827 that the ISP is providing us with, it looks like I might even be able to do the multi-NAT and drop those two routers from the picture right away, leaving all PCs connected directly to the switch and just setup appropriate routing schema on the Cisco box. Is this possible?
 
What you can do is set up all your PCs on NAT, but then use static global IP to internal IP mappings to your specific servers. That way your workstations are protected from direct access, and the servers that need the public IPs will be accessible to both the outside *real* internet IPs and the private in-house IPs. You can either use a router with firewall IOS installed or a PIX firewall to do this. Or you could use other firewall applications.... Really it just depends on what you want to do. But to do what you want it would be best to use the static global to private IPs for your servers that need public IPs and NAT for the rest of your workstations. Hope this helps...

Burke
 
Burke's got it exactly right! All the nodes on your network should have private IP addresses. You can then use whatever scheme you like and either have a routed internal network or just put them all on a single segment.

For external access to machines on your network you should be NATing through a firewall. Never configure actual live addresses on those machines. The firewall should have total control over access to those boxes. NAT the private address to a global address from your range and apply rules on the firewall to limit services to those IP addresses.

Good luck.

Chris.
************************
Chris Andrew, CCNA
chris@iproute.co.uk
************************
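An added example (not from any poster in this thread) of the scheme Burke and Chris describe, written as a Cisco IOS configuration fragment: every host keeps a private address, the two servers that "need a registered IP" get one-to-one static NAT to spare public addresses, the two groups get port-level forwards only, the rest of the LAN shares the router's address, and an inbound access list limits the exposed services. The interface names, the 192.168.1.0/24 LAN and the 203.0.113.x public block are assumed placeholders, not values from the original post.

```cisco
! Inside LAN: all hosts private (assumed 192.168.1.0/24)
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN side (assumed PPPoE Dialer interface; 203.0.113.9 is a placeholder ISP address)
interface Dialer0
 ip address 203.0.113.9 255.255.255.248
 ip nat outside
 ip access-group 110 in
!
! Which inside hosts may share the router's public address (PAT / overload)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Servers that need a registered IP: one-to-one static NAT to spare public addresses.
! Inside hosts still reach them on their private addresses, so the domain keeps working.
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.11 203.0.113.11
!
! Port-level forwards for the two groups: only the service, not the whole host, is exposed
ip nat inside source static tcp 192.168.1.100 25 203.0.113.12 25 extendable
ip nat inside source static tcp 192.168.1.103 25 203.0.113.13 25 extendable
!
! Inbound policy on the outside interface: only the published services, plus TCP replies.
! Inbound ACLs are checked before NAT, so the rules match the public addresses.
access-list 110 permit tcp any host 203.0.113.10 eq www
access-list 110 permit tcp any host 203.0.113.10 eq 443
access-list 110 permit tcp any host 203.0.113.11 eq smtp
access-list 110 permit tcp any host 203.0.113.12 eq smtp
access-list 110 permit tcp any host 203.0.113.13 eq smtp
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
```

The final `established` line admits TCP replies only; on an 827 running the IOS Firewall feature set, `ip inspect` rules give proper stateful return handling for UDP and ICMP as well.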
 
I am actually trying to solve very similar problem in almost identical environment: CISCO 827 ATT ADSL with 5 IPs, access from outside and so on...
I think the NAT solution sounds OK but I don't seem to understand why not to use one of the assigned "real" addresses behind the firewall, through NAT for the internal subnet, and use the remaining "real" addresses for outside servers, on the DMZ subnet (in front of the firewall).
CISCO 827 has some firewall built in, doesn't it?

Jan
 
goralka22,

That is a perfectly good answer to the problem too. Really there are lots of answers. The only problem I see with your solution is that it would require more hardware. In order to implement a real DMZ you would need a real firewall (PIX series, SonicWall, FireBox, etc.) with at least 3 interfaces (inside, outside, DMZ), and not just IOS with firewall software. You could implement a software DMZ through access-lists, but it would be taxing on the router itself. The reason I suggested the NAT with static mappings to public IPs for the servers is because it then is global and there is not as much configuration, and no more hardware to buy. But like I said earlier, there are an endless amount of answers to this problem, you just have to pick one and implement it. Hope this helps....Let me know...

Burke
 
Actually, all you need is a dedicated firewall with two interfaces and as many subinterfaces as you want. The access router you mention is okay I guess for basic filtration but it's no firewall.

I've used linux with iptables in similar situations and hung multiple isolated dmz style nets off of an aliased internal interface. It is very flexible. This is OT I know but there is really no need to go whole hog with some commercial firewall appliance when free software does the job better.

my .02 cents
 
rburke,
Thanks, it does help, but if you could clarify a little more why IOS is not sufficient for creating a DMZ.
Is it only the burden on the CPU or are there some other factors?

marsd,
I actually considered using BSD with IPFilter. It provides a stateful firewall and NAT.
I just wonder about the sub-interfaces.
Why not just add an extra NIC for the DMZ?

Thanks,
Jan
 
You're right: better performance (maybe) with the third NIC, depending on the server hardware and drivers.
Out of habit I just use aliases and CIPE for stuff like this.
 