Re: Complex Subnetting help
"Edog" <firstname.lastname@example.org> wrote in message
> Hello all,
> I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
> gateway set on my cable modem. (24.XXX.XXX.233).
> In order to achieve what we want to do with our ISA server and DMZ, we
> need to have two different subnets of public IP addresses. So I
> subnetted the 5 IPs into 2 separate subnets. So now I have
> 24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
> 24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
> to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
> The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
> set. (ISA requirement) I also have an internal network in this machine
> assigned a 10 net range. That is set on the third NIC. (also no default
Well that "subnetting" doesn't really make sense. A subnet consists of a
network address, useable addresses, and a broadcast address. Rather often
the gateway device is set at the first available address above the network
address. The width of the subnet is defined by the mask.
255.255.255.255 = /32 = 1 host, no network. Defines a single computer, not
255.255.255.254 = /31 = 2 nodes, no available IP's. Useless.
255.255.255.252 = /30 = 4 nodes, 2 available IP's
255.255.255.248 = /29 = 8 nodes, 6 available IP's.
This last one is what you have. 24.x.x.232/29 where the 8 nodes are defined
1: 24.x.x.232 is the network address
2: 24.x.x.233 is the first available IP, being used as the default gateway
to your ISP.
3: 24.x.x.234 is an available IP which you have used for the ISA box
4: 24.x.x.235 is an available IP
5: 24.x.x.236 is an available IP
6: 24.x.x.237 is a second interface of the ISA box (uh oh)
7: 24.x.x.238 is the last available IP
8: 24.x.x.239 is the broadcast Address.
Now, having a single box with two interfaces on the same network (almost)
never makes sense. If you try to follow the routing table you'll see why.
There will be a route for 24.x.x.232/29 (the directly connected network) out
two separate interfaces on that machine, even though you have only 1 default
route for non-directly connected networks. Which does it take? You could
set weights, but then what is the point of the second interface?
Any actual subnetting of this cloud would require that the ISP understood it
too, because his subnet is still set to /29.
What you really want to do is put a firewall in front of your network. It
could have an IP such as 24.x.x.238. Then your DMZ could be for example
172.16.1.0/24 and your trusted LAN 192.168.1.0/24. The firewall would
therefore have interfaces of 172.16.1.1 and 192.168.1.1, in other words, one
interface on each of these networks.
All your other devices have addresses in one of those 2 clouds. If they need
to be exposed to the Internet, you do it via a Mapped IP. So a MIP might
translate 24.x.x.234 to your ISA server's trusted interface of 192.168.1.2
which has a gateway of 192.168.1.1, and 24.x.x.235 might MIP to your ISA
server's DMZ interface which is 172.16.1.2 having a default gateway of
Your trusted workstations probably have the ISA's interface as their default
gateway, and the DMZ servers probably have the firewall's DMZ interface as
theirs, but that all depends on what you're architecting and what the ISA
and DMZ are doing for you.
Key point in all this is that one firewall is in charge of the entire
24.x.x.232/29 subnet, no matter what's behind it. So you can have as many
networks as you want, that are as big as you want, behind each address. All
outbound traffic goes through this firewall, even if it goes through
something else first. If you run out of outside IP's for stuff that needs
to be exposed you start doing Port Address Translation, so for example all
port 25 traffic showing up at 24.x.x.238 goes to 172.16.1.10 your mail
server, but all port 5900 traffic showing up at 24.x.x.238 goes to
192.168.1.20 your VNC test box.
> Finally the problem. The host I have on the DMZ is a Redhat box hosting
> my email and websites for my customers. I use the ISA box for my own
> internal mail. The problem is browsing the internet from the DMZ box. I
> am now almost certain it is due to the fact that I subnet my original IP
> block and the cable modem doesn't contain any routing information for
> that second IP range that I created by subnetting. Fine. I contacted the
> ISP and they want to charge me to get a second range of IPs and I don't
> want to do that.
> My thoughts are to stick another Redhat box in between my Cable Modem
> and my ISA box and let THAT figure out the two subnets. So then my
> question is how am I going to do that? With three nics? One assigned as
> the gateway for the two separate subnets and the external using what? I
> only have 5 IPs to work here, so I am a little bit limited. Limited and
> confused as to what direction to head from here.
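The arithmetic behind the reply above, worked through as an added example that is not part of either post. It uses Python's standard ipaddress module to decompose a /29 the way the reply does (network, usable hosts, broadcast), shows where the original poster's addresses land once the /29 is actually carved into two /30s (.235 becomes a broadcast address, which is why the "second subnet" cannot work without the ISP's cooperation), builds the directly connected routes a box with two interfaces on the same /29 would end up with, and models the Mapped IP and Port Address Translation lookups the reply describes. 192.0.2.0/24 (the documentation range TEST-NET-1) stands in for the redacted "24.x.x" octets; the mapping tables are constructed from the figures in the reply, not taken from any real configuration.

```python
import ipaddress

# 192.0.2.x (TEST-NET-1) is a constructed stand-in for the redacted 24.x.x octets.
ISP_BLOCK = "192.0.2.232/29"

# Constructed one-to-one "Mapped IP" table, as described in the reply:
# outside address -> inside address, all ports.
MIP_TABLE = {
    "192.0.2.234": "192.168.1.2",   # ISA trusted interface
    "192.0.2.235": "172.16.1.2",    # ISA DMZ interface
}

# Constructed Port Address Translation table: (outside address, port) -> (inside, port).
PAT_TABLE = {
    ("192.0.2.238", 25): ("172.16.1.10", 25),     # mail server in the DMZ
    ("192.0.2.238", 5900): ("192.168.1.20", 5900),  # VNC test box on the LAN
}


def describe_block(cidr):
    """Network, usable addresses and broadcast for a CIDR block, using the
    reply's convention that /31 and /32 offer no assignable host addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    addrs = list(net)                       # every address, first to last
    usable = addrs[1:-1] if net.prefixlen <= 30 else []
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "nodes": net.num_addresses,
        "usable": [str(a) for a in usable],
    }


def role_of(address, cidr):
    """Classify one address relative to a block: network, broadcast, host or outside."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def subdivide(cidr, new_prefix):
    """Carve a block into equal smaller blocks (a /29 can only become two /30s)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [describe_block(str(sub)) for sub in net.subnets(new_prefix=new_prefix)]


def connected_routes(interfaces):
    """Directly connected routes a host derives from its interface addresses.
    A prefix listed against two interfaces is the ambiguity the reply warns about."""
    table = {}
    for name, addr in interfaces.items():
        prefix = str(ipaddress.ip_interface(addr).network)
        table.setdefault(prefix, []).append(name)
    return table


def translate_inbound(dst_ip, dst_port, mip=MIP_TABLE, pat=PAT_TABLE):
    """Where a packet arriving at the firewall's outside address is delivered:
    a per-port PAT entry wins, then a one-to-one MIP, otherwise it is dropped."""
    if (dst_ip, dst_port) in pat:
        return pat[(dst_ip, dst_port)]
    if dst_ip in mip:
        return (mip[dst_ip], dst_port)
    return None


if __name__ == "__main__":
    print("ISP block:", describe_block(ISP_BLOCK))
    for half in subdivide(ISP_BLOCK, 30):
        print("as /30:", half)
    # The OP put .234 and .235 in one "subnet": in a real /30 .235 is a broadcast.
    print(".235 in 192.0.2.232/30 is the", role_of("192.0.2.235", "192.0.2.232/30"))
    # ISA box with two NICs on the same /29 plus the 10.x internal NIC.
    print(connected_routes({"ext": "192.0.2.234/29", "dmz": "192.0.2.237/29",
                            "lan": "10.0.0.1/8"}))
    print(translate_inbound("192.0.2.238", 25), translate_inbound("192.0.2.234", 443))
```

Running it prints the eight addresses of the /29 with .232 as network and .239 as broadcast, the two /30 halves (usable .233/.234 and .237/.238), and a routing table in which 192.0.2.232/29 is reachable through both "ext" and "dmz", which is the situation the reply says the kernel cannot resolve sensibly.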