Well,...there is no way to do this "live". There are so many things here
that will not work like you are thinking, that I don't know where to begin.
I'll indicate at the bottom how I think you should do this, but first, to
try to clear up misunderstandings....
There is no way to run them at the same time while you are doing it.
DHCP isn't going to "help". It really doesn't matter if you ran DHCP or ran
all Static,..it just doesn't matter.
DHCP isn't going to give addresses from the other Scope if the first scope
"filled up" anyway.
DHCP Scopes should always use the full range of addresses that are in the
Network being used. You then use Exclusions to separate the addresses you
want it to hand out vs. the ones you don't.
The two address ranges (192.* and the 30 public ones) will not work
together at the same time.
RRAS with routing enabled is worthless unless you are building one machine
in a key topological location as specifically a router. That will only work
in a properly planned out and properly designed situation and I really can't
tell what you have done or not done towards that.
Private addresses are not compatible with the Internet,...they are not
"internet routable". So yes, you need to run NAT. You could also use a
proxy server like MS ISA. Both proxying and "nat" accomplish the same task,
but they are *not* the same thing.
You have a Checkpoint Firewall,...why aren't you using that as a NAT
Device? That is primarily what it is designed for,..a NAT Firewall.
---- Here's how I would do it, .....off the top of my head ----
Now, you could do this whole thing in a few hours. This is how I would
recommend it be done. I like to keep things straight-forward, simple,
logical, and organized. You can get complicated, convoluted, and strange
all you want after you have a dependably running network:
1. Come in on the week-end or after hours and set all the workstations to
get their address automatically (DHCP) and then shut them down and leave
them down.
2. Set up the CheckPoint to run as a NAT Firewall, or use whatever your
favorite NAT Device is going to be. Use one of your Public addresses for
the External side interface. Choose a Private Range to use. Use a higher
number in the third Octet (like maybe 192.168.50.x) to avoid future clashes
with the heavily "over-used" lower numbers. Use the first one
(192.168.50.1) as the NAT Firewall's Internal side interface. Assuming you
only use one subnet on the private side, this number 192.168.50.1 will be
the Default Gateway of all machines (via either DHCP or Static).
3. Move all the Servers to the private side of the Firewall and start
Statically re-addressing them. Start with 192.168.50.10 and go up from
there. This leaves a buffer of a few lower addresses for future Hubs,
Switches, and other networking hardware that takes IP#s. Your Domain
Controllers must point to themselves in their DNS Setting and the ISP's DNS
should be listed in their Forwarders List. Your ISP's DNS should *not*
appear anywhere else other than the Forwarders List in your DNS
Configuration.
*Note*,....*all* Servers should run Static Addresses,..you don't want them
to "slit their throats" if one morning you wake up and the DHCP Service
isn't working. And also,...One active NIC per machine,...No multi-homed
machines anywhere except for the NAT Device!
4. Create a DHCP Scope on the DHCP Server. Only one Scope. No Superscopes!
Use the whole range of 192.168.50.1 -- 192.168.50.254. Set Exclusions for
192.168.50.1 -- 192.168.50.99 and another Exclusion for 192.168.50.201 --
192.168.50.254. This leaves the numbers below *.100 and above *.200 for
future equipment use. This will give you 101 total addresses to automatically
give to clients in the range of 192.168.50.100 -- 192.168.50.200. If you
need more than 101, adjust your Exclusions to accommodate.
In the DHCP setup use the Scope Options under the Scope,..do not use the
Server Options. These are the Options you should set. If you don't run
Active Directory then Option 006 would be your ISP's DNS and you would not
use Option 015 at all. Omit Options 044 & 046 if you don't have a WINS
Server:
003 Router = 192.168.50.1
006 DNS Servers = <List your AD DNS Servers>
015 DNS Domain Name = <Your AD FQDN, like "mycompany.loc">
044 WINS/NBNS Servers = <Your WINS Servers if you have any>
046 WINS/NBT Node Type = 0x8 (Only if you have WINS)
5. Power up the workstations. They should all grab a new address from the
freshly configured DHCP and all should be well.
I don't think I left anything out, but I *did* do this off the top of my
head, so think it all through as you do this, in case I forgot anything.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
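The plan in the reply above has a handful of rules that are easy to get wrong on a live cut-over: one scope spanning the whole subnet with exclusions doing the carving, every static server address inside an exclusion, the router option on the private subnet, the ISP's DNS kept out of the client options, and no multi-homed hosts other than the NAT device. The following checker is an added example, not code from the post; it encodes those rules with the standard-library ipaddress module so the plan can be checked offline before anything is touched. The addresses are the ones from the reply plus constructed placeholders (198.51.100.x for public addresses, 203.0.113.53 for an ISP DNS server); the host names and the "posted" contrast plan are assumptions for illustration.

```python
"""Addressing-plan checker for the DHCP/NAT cut-over described in the reply.

Added example, not code from the original post. Standard library only.
Addresses are the reply's 192.168.50.x plan plus constructed placeholders
(198.51.100.x = a public address, 203.0.113.53 = the ISP's DNS server).
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class ScopePlan:
    network: ipaddress.IPv4Network
    range_start: IPv4
    range_end: IPv4
    exclusions: list                              # [(start, end), ...]
    options: dict                                 # DHCP option code -> value(s)
    hosts: dict = field(default_factory=dict)     # host name -> [addresses on its NICs]
    isp_dns: list = field(default_factory=list)   # belongs only in DNS forwarders
    nat_device: str = "nat-firewall"              # the one host allowed two interfaces


def excluded(plan, addr):
    return any(s <= addr <= e for s, e in plan.exclusions)


def leasable(plan, addr):
    """True if the DHCP server could hand this address to a client."""
    return plan.range_start <= addr <= plan.range_end and not excluded(plan, addr)


def dynamic_pool(plan):
    """Every address DHCP may actually lease: the scope range minus all exclusions."""
    return [IPv4(i) for i in range(int(plan.range_start), int(plan.range_end) + 1)
            if leasable(plan, IPv4(i))]


def check_plan(plan):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems = []
    usable = list(plan.network.hosts())
    # One scope covering the whole subnet; exclusions, not a narrow range, do the carving.
    if (plan.range_start, plan.range_end) != (usable[0], usable[-1]):
        problems.append("scope range must span the whole subnet; carve it with exclusions")
    for s, e in plan.exclusions:
        if not (plan.range_start <= s <= e <= plan.range_end):
            problems.append(f"exclusion {s}-{e} lies outside the scope range")
    # Option 003: the NAT device's inside interface, which must be on this subnet.
    router = plan.options.get("003")
    if router is None or router not in plan.network:
        problems.append("option 003 (router) is missing or not on the subnet")
    # Option 006: internal DNS only; the ISP's DNS goes in the forwarders list instead.
    for dns in plan.options.get("006", []):
        if dns in plan.isp_dns:
            problems.append(f"ISP DNS {dns} belongs in the forwarders list, not option 006")
        elif dns not in plan.network:
            problems.append(f"option 006 entry {dns} is not on the private subnet")
    # Static hosts: one NIC each (except the NAT device), and never inside the dynamic pool.
    for name, addrs in plan.hosts.items():
        private = [a for a in addrs if a in plan.network]
        if len(addrs) > 1 and name != plan.nat_device:
            problems.append(f"{name} is multi-homed; only the NAT device may be")
        if not private:
            problems.append(f"{name} has no address on the private subnet")
        for a in private:
            if leasable(plan, a):
                problems.append(f"{name} static address {a} collides with the dynamic pool")
    return problems


def reply_plan():
    """The plan exactly as the reply lays it out (host names are assumptions)."""
    net = ipaddress.IPv4Network("192.168.50.0/24")
    return ScopePlan(
        network=net,
        range_start=IPv4("192.168.50.1"), range_end=IPv4("192.168.50.254"),
        exclusions=[(IPv4("192.168.50.1"), IPv4("192.168.50.99")),
                    (IPv4("192.168.50.201"), IPv4("192.168.50.254"))],
        options={"003": IPv4("192.168.50.1"), "006": [IPv4("192.168.50.10")],
                 "015": "mycompany.loc"},
        hosts={"nat-firewall": [IPv4("198.51.100.10"), IPv4("192.168.50.1")],
               "dc1": [IPv4("192.168.50.10")]},
        isp_dns=[IPv4("203.0.113.53")],
    )


def posted_plan():
    """Constructed contrast: the 192.168.0.x idea from the question, with the DC
    carrying both the public and private address and no exclusions at all."""
    net = ipaddress.IPv4Network("192.168.0.0/24")
    return ScopePlan(
        network=net,
        range_start=IPv4("192.168.0.2"), range_end=IPv4("192.168.0.254"),
        exclusions=[],
        options={"003": IPv4("192.168.0.1"), "006": [IPv4("203.0.113.53")]},
        hosts={"dc": [IPv4("198.51.100.5"), IPv4("192.168.0.1")],
               "fileserver": [IPv4("192.168.0.50")]},
        isp_dns=[IPv4("203.0.113.53")],
    )


if __name__ == "__main__":
    print(len(dynamic_pool(reply_plan())), "leasable addresses in the reply's plan")
    for p in check_plan(posted_plan()):
        print("posted plan:", p)
```

Running it reports 101 leasable addresses for the reply's plan and no violations, while the contrast plan trips four rules: the scope does not span the subnet, the ISP's DNS is in option 006, the DC is multi-homed, and a static file server sits inside the dynamic pool.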
Pierre said:
We currently have a W2K network consisting of the following;
DSL line thru a Checkpoint Firewall, to 3 switches, then to
servers/workstations. Servers are using a mix of static (for web
server, etc.) and dhcp (for file/print servers, etc.) addresses on a
block of addresses provided by our ISP. Currently all is well.
We are switching to a new ISP and have only 30 addresses so we will be
changing to a private range for our internal network, likely
192.168.0.0 with a dhcp range of 192.168.0.2 to 192.168.0.254
(192.168.0.1 will be assigned to the NIC on the DC which will also
have the new public IP address assigned to it).
We are unable to test due to budget restraints, so it all has to
happen live.
The only way I can test is by connecting a laptop and temporarily
assigning a static IP (192.169.0.50). So far, I am able to see the
whole network but can only 'talk' to the DC. I cannot browse any
other machines, nor can I get out to the web.
I have already set up a second scope for the private range, but I
understand that dhcp will not use this range until the public range is
full (4 IP's left).
Do I need to use NAT? I am planning to adjust the registry to enable
IP routing at end of day, will this help? I have tried to use
IProuting in RRAS but that doesn't seem to affect anything.
Any help will be appreciated.