how to setup network when many public IPs available ?


scott

Hi,

I have several public IPs and am looking for information on how to configure
my network. For example:

--------------------------------------------------
net
 v
 v
router > > switch > > iis 1
 v           v          v
 v           v          v
 v          iis2    mail server
 v
firewall
 v
 v
switch > > lan servers
 v
 v
lan clients
--------------------------------------------------

- Do I need a special router that can deal with 16 public IPs?
- I would assign a public IP to IIS1 + IIS2 + mail server + router external
(if this makes sense).
- All LAN servers + LAN clients would be on a private IP range.

I thought my ISP implied that as I have several public IPs that I can't use
a private IP range. This does not make sense.

I'm just trying to figure out how to organise the routing in this environment.

Thanks for any information and your time.
Scott.
 
Hello Scott,

I just wanted you to be aware of the technical support options at Microsoft. It seems like consulting or advisory services could provide faster help.
http://www.microsoft.com/resources/...erv/2003/standard/proddocs/en-us/Default.asp?
url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/pss_intro.asp

--
Sergio Moreno
Microsoft Windows Networking

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 
There are several ways to go about it, but it is really too big a topic
for a newsgroup reply. Here are a few things to look at.

1. DMZ. Put your public addressed machines in a DMZ, and have limited access
between the DMZ and the private LAN.

2. Use some sort of proxy service to give LAN clients Internet access,
rather than using a routed connection or NAT.

3. Put all your machines in the private LAN behind a NAT router/firewall,
and map public IPs to particular private machines. Many routers (including
RRAS) can handle this.

All have advantages and disadvantages. There is no one perfect solution
for all situations.
 
Hi,

All machines allocated a public IP will be placed in a DMZ in front of the
LAN. All LAN machines will have private IPs.

I'm more concerned about how to physically deal with the IP addresses.

For example: say I have two public IPs.

------------------------------
net
v
v
wan ip (99.99.99.99)
router/firewall > > lan ip (99.99.99.98) - iis
lan ip (99.99.99.96)
v
v
wan ip (99.99.99.97)
firewall
lan ip
v
v
etc....
------------------------------

- The firewall router must have the ability to have several public IPs, I
assume, on its WAN adapter.
- The IIS machine must have 1 public IP, I assume, on its only adapter.

If this is the case then the LAN IP of the firewall must need to be a public
IP also? (i.e. on the same subnet?)
If this is the case then the FIREWALL external IP must need to be a public
IP also? (i.e. on the same subnet?)

So in order to assign a public IP to the IIS machine I really need 4 public
IPs?
i.e.
router firewall wan + lan
iis wan
firewall wan ?

Thanks again for any advice.
Scott.
 
Here again you could write a book about the possibilities. (In fact
people have written books about it).

One common method is the bastion host, where one machine acts as the
firewall for both the DMZ and the private LAN. The firewall machine has
three interfaces - one to the Internet, one to the DMZ and one to the
private LAN. Another common method is back to back firewalls. You have a
firewall between the Internet and the DMZ, and a second firewall between the
DMZ and the LAN.

If you want the machines in the DMZ to access the Internet directly,
then they must have valid public IP addresses. The LAN machines should use
private IPs only. You should limit the connections between the LAN and the
DMZ. Ideally there should be only one connection point, and that should be
firewalled. Here is a possible scenario.

Internet
|
public IP (not in same subnet as DMZ)
firewall
public IP
w.x.y.1
|
DMZ machines
w.x.y.z dg w.x.y.1
|
w.x.y.n dg w.x.y.1
firewall2 (such as ISA server)
192.168.1.1
|
LAN clients
192.168.1.x
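
An added example, not part of the thread: a small Python check of an addressing plan shaped like the scenario in the last reply (outer firewall with its Internet-side address outside the DMZ subnet, DMZ hosts using w.x.y.1 as default gateway, private LAN behind the second firewall). The 198.51.100.2 and 203.0.113.0/28 values are constructed documentation addresses standing in for w.x.y.*, and the function and key names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan; documentation addresses stand in for the thread's w.x.y.* values.
PLAN = {
    "outer_wan_ip": "198.51.100.2",   # outer firewall, Internet side (ISP link subnet)
    "dmz_subnet": "203.0.113.0/28",   # routed block of 16 public addresses
    "dmz_gateway": "203.0.113.1",     # outer firewall, DMZ side (w.x.y.1)
    "dmz_hosts": {"iis1": "203.0.113.2", "iis2": "203.0.113.3",
                  "mail": "203.0.113.4", "firewall2_ext": "203.0.113.14"},
    "lan_subnet": "192.168.1.0/24",   # behind firewall2
}

def check_plan(plan):
    """Return a list of problems found in a routed-DMZ addressing plan."""
    problems = []
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    lan = ipaddress.ip_network(plan["lan_subnet"])
    gw = ipaddress.ip_address(plan["dmz_gateway"])
    wan = ipaddress.ip_address(plan["outer_wan_ip"])
    usable = set(dmz.hosts())         # network and broadcast addresses are excluded
    if wan in dmz:
        problems.append(f"outer WAN {wan} must not sit inside DMZ subnet {dmz}")
    if gw not in usable:
        problems.append(f"DMZ gateway {gw} is not a usable address in {dmz}")
    if not any(lan.subnet_of(net) for net in RFC1918):
        problems.append(f"LAN {lan} is not an RFC 1918 private range")
    if lan.overlaps(dmz):
        problems.append(f"LAN {lan} overlaps DMZ {dmz}")
    seen = {gw: "dmz_gateway"}
    for name, addr in plan["dmz_hosts"].items():
        ip = ipaddress.ip_address(addr)
        if ip not in usable:
            problems.append(f"{name} {ip} is not a usable address in {dmz}")
        if ip in seen:
            problems.append(f"{name} {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return problems

def free_addresses(plan):
    """Usable DMZ addresses not yet assigned to the gateway or a host."""
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    taken = {ipaddress.ip_address(a)
             for a in [plan["dmz_gateway"], *plan["dmz_hosts"].values()]}
    return [ip for ip in dmz.hosts() if ip not in taken]

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
    print(len(free_addresses(PLAN)), "public addresses still free in the DMZ")
```

A block of 16 addresses yields 14 usable ones once the network and broadcast addresses are set aside, and the outer firewall's DMZ-side interface takes one of those.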
 