General Firewall Theory Question

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Hey there, so I have a firewall that has a DMZ port that will allow for pretty much one range of IP addresses (which need to match the IP of the firewall itself, as given to me by the ISP). I, however, need a few more externally facing IP addresses, so I was given a second block of IP addresses (of course) far and away all sorts of different from the other ones.

Being as hunting up a "how to" on any one firewall is a complete pain in the neck (be it Sonicwall or 3com, we have both), I was curious about the general THEORY behind doing this. Does it involve static routing somehow, a DNS server? What? How would you go about making your second block of IP addresses usable in this situation?

Thanks!

~Ben
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Have another interface on the firewall. For example interface A = 12.1.1.0/24, interface B = 12.2.2.0/24, interface C = INSIDE network. Then your Internet router would of course need to have routes to both of the 12. addresses, one of which is probably directly connected.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
You could assign 2 different VLANs on the same physical interface of the firewall. VLAN 100 on eth0/0 could be 12.1.1.0/24 and VLAN 200 could be 12.2.2.0/24. You'll need a VLAN-capable switch in the DMZ, but that's probably not too far-fetched. This option is a little easier, as some firewalls are licensed per interface and it can get very costly upgrading to additional interfaces.
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Thanks for the ideas. I have 3 interfaces on our current firewall: WAN, LAN, and DMZ. That's all I've got to work with at the moment.

Ideas?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Well, obviously, without you telling us what kind of firewall it is, there's not much we can do to help you.
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
That's not entirely true. Didn't you read the thread subject? Firewall THEORY. I'm not looking for a walkthrough, I'm looking for how you would do something like this in theory.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Xsorovan
That's not entirely true. Didn't you read the subject thread? Firewall THEORY. I'm not looking for a walk through, I'm looking for how you would do something like this in theory.

Drebo is correct. There are other features you can use, but it would depend on what kind of firewall you have if those features are available to use - like vlans already mentioned.

If it were me I'd get a new firewall because it sounds like you've outgrown your current one.
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Ok, well then I have a firewall lying around, a Sonicwall TZ190. There is a model number. Theories? (To replace the old LAN/WAN/DMZ FW)
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
My theory is don't use a Sonicwall, because it's not going to do what you want it to.

An ASA5510 would make this very easy to do. Or an IOS router with the firewall feature set. Or even an ASA5505 Security Bundle would allow you to do this with VLANs.

But, like Crusty said...NAT would probably be the easiest way to do this and might not require any extra equipment (though I can't say for sure because you haven't told us what you're using).
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Maybe I can't quite wrap my head around this or I am missing something: How would you set up a DMZ with NAT? Assuming behind the firewall there are going to be 5 to 6 servers that need access to the internet and an external IP address so that PersonX can get to the server from home/work/anywhere there is internet. Do I need the internal structure of the DMZ side of things to be actual IP addresses, or a private address scheme?

IE: Does it need to look like this:

WAN - xx.xx.151.33 to DMZ xx.xx.151.34 to NAT 192.168.0.5-10? (Private IP)
or
WAN - xx.xx.151.33 to DMZ xx.xx.151.34 to NAT xx.xx.103.9-15? (Public IP)

Is this possible if you are doing something like 2 web servers on the other side? (As they both use the same ports?)

Sorry if these are "silly" questions or if I'm missing something. Just trying to figure out how I would go about trying out this NAT/DMZ thing.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Your DMZ will be using private addresses and you use NAT to translate external IP <-> private IP through your firewall. If you don't have enough external IPs for a one-to-one mapping you can use dynamic NAT or PAT to do the translations.

I don't know how the Sonicwall works but with an ASA you can create different address pools to use for your dynamic NAT.

For instance, I've got two different cable connections terminating into two different interfaces on the ASA. One connection is using DHCP and all general internet traffic is sent out that interface, while the other has static IPs that are used with NAT to encrypt certain traffic for IPSEC tunnels as well as providing external access to the DMZ servers.
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Ok, so the NAT is the private address scheme, does that mean when it comes to external sites (the two web servers, a mail server, a couple other servers) that they would all advertise the SAME external IP address?

 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
No, you would use one-to-one NATs for your external-facing services. You could also use PATs if you had two servers with completely separate services and wanted to conserve IP addresses.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Originally posted by: Xsorovan
Ok, so the NAT is the private address scheme, does that mean when it comes to external sites (the two web servers, a mail server, a couple other servers) that they would all advertise the SAME external IP address?
the servers don't advertise anything... it depends on how you configure the rules and the number of addresses you have available.

if you only have a single IP address, you would need to do NAT based on the port number. so 1.2.3.4:80 would go to DMZ server 10.1.1.1, 1.2.3.4:25 goes to DMZ server 10.1.1.2, etc, etc.

if you have multiple addresses, you can do a one-to-one NAT and just map each public address to the private DMZ address. 1.2.3.4 goes to DMZ server 10.1.1.1, 1.2.3.5 goes to DMZ server 10.1.1.2, etc, etc.
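The two inbound NAT styles jlazzaro describes, modelled as lookup tables so the difference is concrete. This is an added example, not anything from the thread or from a SonicWall/ASA; the 1.2.3.x public and 10.1.1.x DMZ addresses are the constructed sample values from the post, and the "two web servers on port 80" failure Xsorovan asked about earlier falls out of the port-based table naturally.

```python
"""Toy model of inbound NAT for a DMZ, as discussed in the thread.

One-to-one (static) NAT: one public address per DMZ server, every port
passes through unchanged.  Port-based NAT (PAT / port forwarding): a
single public address, and the destination port selects the server.
All addresses are constructed sample values, not real hosts.
"""

# One-to-one NAT table: public address -> private DMZ address.
ONE_TO_ONE = {
    "1.2.3.4": "10.1.1.1",   # e.g. web server 1
    "1.2.3.5": "10.1.1.2",   # e.g. web server 2; both on port 80 is fine here
}

# Port-based table for a single public address:
# (public_ip, public_port) -> (private_ip, private_port).
PORT_BASED = {
    ("1.2.3.4", 80): ("10.1.1.1", 80),   # web
    ("1.2.3.4", 25): ("10.1.1.2", 25),   # mail
}

def translate_one_to_one(dst_ip, dst_port, table=ONE_TO_ONE):
    """Static NAT: rewrite only the destination address; the port is untouched.
    Returns (private_ip, port), or None when no mapping exists (packet dropped).
    A firewall access rule still decides which ports are actually allowed."""
    private = table.get(dst_ip)
    if private is None:
        return None
    return private, dst_port

def translate_port_based(dst_ip, dst_port, table=PORT_BASED):
    """Port forwarding: the (address, port) pair selects the DMZ server.
    Returns (private_ip, private_port), or None when nothing is forwarded."""
    return table.get((dst_ip, dst_port))

def add_port_rule(table, public_ip, public_port, private_ip, private_port):
    """Add a forwarding rule, refusing a duplicate public (ip, port) pair.
    This is why two web servers cannot both be port 80 behind one public IP;
    the second one has to be exposed on a different public port."""
    key = (public_ip, public_port)
    if key in table:
        raise ValueError(f"{public_ip}:{public_port} already forwards to {table[key]}")
    table[key] = (private_ip, private_port)

if __name__ == "__main__":
    print(translate_one_to_one("1.2.3.5", 80))    # ('10.1.1.2', 80)
    print(translate_port_based("1.2.3.4", 25))    # ('10.1.1.2', 25)
    add_port_rule(PORT_BASED, "1.2.3.4", 8080, "10.1.1.3", 80)   # second web server
    try:
        add_port_rule(PORT_BASED, "1.2.3.4", 80, "10.1.1.3", 80)  # collides
    except ValueError as err:
        print("rejected:", err)
```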

 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Ooookay. I think I am getting it here. 1 external NAT address to 1 internal private IP address?
 

Xsorovan

Senior member
Oct 14, 2002
320
0
0
Thanks, everyone who replied to this thread. It got me to where I needed to be! One-to-one NAT will do the trick. Thanks again, everyone. Gold stars all around.
 