
How to allow outside people to access the resources in my network


nutty1002

Technical User
Feb 25, 2002
15
SG
Also, can anyone explain to me what the correct terms are to use when people tell me that my company network is configured in such a way that I am allowed to access the resources from outside but other people cannot access my network?
Also, what should I do if I want my LAN settings to be such that other people from outside are able to access my company resources?

 
More info... do you have a router or firewall?
 
Sounds like you are set up on a V-LAN. Do you VPN into your office network and have all the resources available? If you wanted someone to access your computer from the outside you could:
A. Have pcAnywhere on your PC and the remote computer (if the router does not have an access list that would prevent this traffic)
B. Have a VPN on their computer into your server.
Is this what you are getting at?
 
What about the range of IP addresses being used? Does my router have to be configured with a public IP address instead of a private one? Right now my network is assigned in such a way that all PCs and servers are in this range: 192.168.1.11-254
 
Well, depending on what router you have, you can do a static translation for an outside address to an inside address. So you would run NAT (Network Address Translation) on the router with a pool of "real" IPs assigned by your ISP. You would have an RFC-assigned pool of internal addresses on the inside, i.e. the 192.168 network. Having a static translation from one outside address to one inside address would allow someone from the outside to get to your inside computer.
 
Cool, thanks for your detailed explanation. You have been a great help.
 
I forgot, one last thing: what happens if I change all my existing IP addresses to the pool of "real" IP addresses assigned by the ISP?
 
Well, you will have at least two interfaces on your router. Each interface needs a separate subnet. You could have a small subnetted IP on the outer interface and your other block on your "inside" interface. If you do this I would get a firewall to protect who can access your computers. By assigning real IPs to your internal network you are opening up many new security risks. I recommend using NAT and doing the static translation to the computers that need outside access. Even then it is still not a bad idea to get a firewall solution. How many users? If it is small you can get a new PIX 501 for 10 users that costs around $600 and can give you a little more peace of mind and more flexibility.
 
I have called up my ISP. He has given me a range of IP addresses for use (14 in all). However, he has told me that, due to the 13 workstations that I have, if I am going to add more new desktops or servers, then these extra new desktops or servers will have problems accessing the internet. He has suggested that we set up one of the servers to do NAT (is that possible?), or did he mean that I set up a DHCP server, after which he reconfigures the NAT on the router?
Is he correct? Can anyone advise? Thanks
 
Use a VPN to get into your network instead of bringing out the network to the internet...
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
I have not failed, I've just found 10,000 ways that don't work
---------------------------------
 
If you have a router, and a Win2K server behind the router,
then let the router forward the VPN ports to your Win2K server, and set up your Win2K server as a VPN server.
In some cases the router will have VPN capabilities itself; you might want to look at that as well
(although I prefer to use Win2K, it's quite easy to set it up).
 
VPN aside, in total the company that I am doing the project for will have 3 servers, and I will need to access only 2 of the servers remotely. So can I do it this way: the existing server's IP address in the company is now 192.168.1.10, I will assign the 2 new servers that I am adding as 192.168.1.11 and 192.168.1.12, and from there configure the router to do mapping to the IP addresses that the ISP has given me. For example, from 192.168.1.11 map to 203.1.123.5 and from 192.168.1.12 map to 203.1.123.6. And from there I will use pcAnywhere to remotely connect to the server? Can this work? Internal PCs will not be affected, right?
 
Are you the only one that needs to access them remotely? Is this for admin purposes? If so, set up Terminal Services on the servers. If they are Win2K and your station is Win2K you have a "built" in license. This way you only have to open up the ports for TSAC and you could even have an access list that allows only your IP in on those ports. Is that the direction you want to go? And as long as you have NAT running, your internal PCs will be safe to a certain degree... I think I saw in a post somewhere the guy related the security to a percentage of 80% safe (how true this is I don't know, but it sounds good). Again, if security does become a big concern then get them a firewall solution.
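
Added example (not part of any post in the thread): a small model of the static NAT mapping proposed above, with and without an inbound access list, showing which outside packets reach the two mapped servers. The admin address 198.51.100.20, the outside host 192.0.2.77, the unmapped address 203.1.123.7, the probed ports and the access list itself are constructed assumptions.

```python
import ipaddress

# Static one-to-one NAT entries proposed in the thread (public -> inside).
STATIC_NAT = {"203.1.123.5": "192.168.1.11", "203.1.123.6": "192.168.1.12"}

# Hypothetical inbound access list: (permitted source, public destination, TCP port).
# 198.51.100.20 is a constructed admin address; 3389 is the Terminal Services port.
ACL = [
    ("198.51.100.20/32", "203.1.123.5", 3389),
    ("198.51.100.20/32", "203.1.123.6", 3389),
]

def inbound(src, dst, port, acl=ACL):
    """Return the inside address an outside packet reaches, or None if dropped."""
    inside = STATIC_NAT.get(dst)
    if inside is None:
        return None          # no translation entry for this public address
    if acl is None:
        return inside        # static NAT alone forwards every port
    source = ipaddress.ip_address(src)
    for net, acl_dst, acl_port in acl:
        if source in ipaddress.ip_network(net) and (dst, port) == (acl_dst, acl_port):
            return inside
    return None              # implicit deny when no entry matches

def exposure(acl):
    """List the (source, public address, port) probes that get through."""
    sources = ["198.51.100.20", "192.0.2.77"]   # admin, unrelated outside host (constructed)
    ports = [3389, 5631, 445]                   # Terminal Services, pcAnywhere, SMB
    publics = ["203.1.123.5", "203.1.123.6", "203.1.123.7"]  # .7 has no mapping (constructed)
    return [(s, d, p) for s in sources for d in publics for p in ports
            if inbound(s, d, p, acl) is not None]

if __name__ == "__main__":
    print("static NAT only:", len(exposure(None)), "of 18 probes reach a server")
    print("with access list:", exposure(ACL))
```

With static NAT alone, every probed port on both mapped servers is reachable from any outside source; with the access list, only the admin address on port 3389 gets through, and 192.168.1.10 and the internal PCs have no translation entry in either case.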
 
No, we are apparently setting up an ERP system for them. So the Koreans will need to remotely access the system, as well as my company. Will my above method work?
 
Terminal Services & pcAnywhere are not safe... use a VPN instead...
 