Complex Subnetting help - Network


  1. Complex Subnetting help

    Hello all,

    I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
    gateway set on my cable modem. (24.XXX.XXX.233).

    In order to achieve what we want to do with our ISA server and DMZ, we
    need to have two different subnets of public IP addresses. So I
    subnetted the 5 IPs into 2 separate subnets. So now I have
    24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
    24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
    to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
    The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
    set. (ISA requirement) I also have an internal network in this machine
    assigned a 10 net range. That is set on the third NIC. (also no default
    gateway)

    Finally the problem. The host I have on the DMZ is a Redhat box hosting
    my email and websites for my customers. I use the ISA box for my own
    internal mail. The problem is browsing the internet from the DMZ box. I
    am now almost certain it is due to the fact that I subnet my original IP
    block and the cable modem doesn't contain any routing information for
    that second IP range that I created by subnetting. Fine. I contacted the
    ISP and they want to charge me to get a second range of IPs and I don't
    want to do that.

    My thoughts are to stick another Redhat box in between my Cable Modem
    and my ISA box and let THAT figure out the two subnets. So then my
    question is how am I going to do that? With three NICs? One assigned as
    the gateway for the two separate subnets and the external using what? I
    only have 5 IPs to work here, so I am a little bit limited. Limited and
    confused as to what direction to head from here.

    Thanks,
    Edog

  2. Re: Complex Subnetting help


    "Edog" wrote in message
    news:cfo49m$ks6$1@geraldo.cc.utexas.edu...
    > Hello all,
    >
    > I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
    > gateway set on my cable modem. (24.XXX.XXX.233).
    >
    > In order to achieve what we want to do with our ISA server and DMZ, we
    > need to have two different subnets of public IP addresses. So I
    > subnetted the 5 IPs into 2 separate subnets. So now I have
    > 24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
    > 24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
    > to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
    > The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
    > set. (ISA requirement) I also have an internal network in this machine
    > assigned a 10 net range. That is set on the third NIC. (also no default
    > gateway)


    Well that "subnetting" doesn't really make sense. A subnet consists of a
    network address, usable addresses, and a broadcast address. Rather often
    the gateway device is set at the first available address above the network
    address. The width of the subnet is defined by the mask.
    255.255.255.255 = /32 = 1 host, no network. Defines a single computer, not
    a network.
    255.255.255.254 = /31 = 2 nodes, no available IPs. Useless.
    255.255.255.252 = /30 = 4 nodes, 2 available IPs
    255.255.255.248 = /29 = 8 nodes, 6 available IPs.

    This last one is what you have. 24.x.x.232/29 where the 8 nodes are defined
    thus:

    1: 24.x.x.232 is the network address
    2: 24.x.x.233 is the first available IP, being used as the default gateway
    to your ISP.
    3: 24.x.x.234 is an available IP which you have used for the ISA box
    4: 24.x.x.235 is an available IP
    5: 24.x.x.236 is an available IP
    6: 24.x.x.237 is a second interface of the ISA box (uh oh)
    7: 24.x.x.238 is the last available IP
    8: 24.x.x.239 is the broadcast Address.

    Now, having a single box with two interfaces on the same network (almost)
    never makes sense. If you try to follow the routing table you'll see why.
    There will be a route for 24.x.x.232/29 (the directly connected network) out
    two separate interfaces on that machine, even though you have only 1 default
    route for non-directly connected networks. Which does it take? You could
    set weights, but then what is the point of the second interface?

    Any actual subnetting of this cloud would require that the ISP understood it
    too, because his subnet is still set to /29.

    What you really want to do is put a firewall in front of your network. It
    could have an IP such as 24.x.x.238. Then your DMZ could be for example
    172.16.1.0/24 and your trusted LAN 192.168.1.0/24. The firewall would
    therefore have interfaces of 172.16.1.1 and 192.168.1.1, in other words, one
    interface on each of these networks.

    All your other devices have addresses in one of those 2 clouds. If they need
    to be exposed to the Internet, you do it via a Mapped IP. So a MIP might
    translate 24.x.x.234 to your ISA server's trusted interface of 192.168.1.2,
    which has a gateway of 192.168.1.1, and 24.x.x.235 might MIP to your ISA
    server's DMZ interface which is 172.16.1.2 having a default gateway of
    172.16.1.1.

    Your trusted workstations probably have the ISA's interface as their default
    gateway, and the DMZ servers probably have the firewall's DMZ interface as
    theirs, but that all depends on what you're architecting and what the ISA
    and DMZ are doing for you.

    Key point in all this is that one firewall is in charge of the entire
    24.x.x.232/29 subnet, no matter what's behind it. So you can have as many
    networks as you want, that are as big as you want, behind each address. All
    outbound traffic goes through this firewall, even if it goes through
    something else first. If you run out of outside IPs for stuff that needs
    to be exposed you start doing Port Address Translation, so for example all
    port 25 traffic showing up at 23.x.x.238 goes to 172.16.1.10 your mail
    server, but all port 5900 traffic showing up at 23.x.x.238 goes to
    192.168.1.20 your VNC test box.

    -Russ.


    > Finally the problem. The host I have on the DMZ is a Redhat box hosting
    > my email and websites for my customers. I use the ISA box for my own
    > internal mail. The problem is browsing the internet from the DMZ box. I
    > am now almost certain it is due to the fact that I subnet my original IP
    > block and the cable modem doesn't contain any routing information for
    > that second IP range that I created by subnetting. Fine. I contacted the
    > ISP and they want to charge me to get a second range of IPs and I don't
    > want to do that.
    >
    > My thoughts are to stick another Redhat box in between my Cable Modem
    > and my ISA box and let THAT figure out the two subnets. So then my
    > question is how am I going to do that? With three NICs? One assigned as
    > the gateway for the two separate subnets and the external using what? I
    > only have 5 IPs to work here, so I am a little bit limited. Limited and
    > confused as to what direction to head from here.
    >
    > Thanks,
    > Edog
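An added example (not from either poster) that works through Russ's /29 table with Python's standard `ipaddress` module and then shows what splitting that /29 into two /30s actually gives: each half loses its own network and broadcast address, and the ISP's gateway at .233 lands in only the lower half, which is why hosts in the upper half cannot reach it. The masked octets in the thread are stood in for by the constructed block 24.0.0.232/29.

```python
"""Enumerate the ISP-assigned /29 and the effect of splitting it into /30s.

The real block in the thread is 24.XXX.XXX.232/29; the masked octets are
replaced here by a constructed stand-in, 24.0.0.x, purely for illustration.
"""
import ipaddress

# Constructed stand-in for the masked ISP gateway 24.XXX.XXX.233.
GATEWAY = "24.0.0.233"


def describe_block(host_ip: str, prefix: int) -> dict:
    """Return network, broadcast and usable addresses of the block that
    contains host_ip at the given prefix length (the /29 table in the reply)."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    # hosts() drops the network and broadcast address for /30 and larger blocks
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": hosts,
        "usable_count": len(hosts),
    }


def split_block(host_ip: str, prefix: int, new_prefix: int) -> list:
    """Split the block into children of new_prefix length and report, for each,
    its network, broadcast, usable addresses and whether the ISP gateway is
    inside it. Only the child containing the gateway can reach the ISP directly."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    gw = ipaddress.ip_address(GATEWAY)
    children = []
    for child in net.subnets(new_prefix=new_prefix):
        children.append({
            "network": str(child.network_address),
            "broadcast": str(child.broadcast_address),
            "usable": [str(h) for h in child.hosts()],
            "has_isp_gateway": gw in child,
        })
    return children


if __name__ == "__main__":
    print("ISP block:", describe_block(GATEWAY, 29))
    for child in split_block(GATEWAY, 29, 30):
        print("child /30:", child)
```

Note that in the upper /30 the asker's .237 and .238 are the only usable addresses, while .236 becomes a network address and .239 stays the broadcast, and the ISP gateway is unreachable from that half without a router that the ISP also knows about.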





+ Reply to Thread