Firewall configuration

By EngEhab ·
Dear all,
I have a network with Class C real IPs. I want to keep the real IPs in the network and protect it using a firewall (Symantec Security Gateway).
My question is how to configure the internal and external NICs.

The external NIC will have a real IP, and its gateway is the router of the ISP.
Now how do I configure the internal IP and keep the network using the real IPs?

Usually

by LordInfidel, in reply to Firewall configuration

What happens is that your ISP will give you several things.

1. An IP address from their network; you put that on the external IF of your router. (Let's call it 10.1.1.1.)

2. Then they give you your address range, in your case a Class C. We know it's public, but for this example I will use 192.168.1.0/24.

Next comes the tricky part: what IPs to assign where. The problem comes in because you want to shape all traffic, making sure that it all passes through your firewall.

If you just assign the near side of your router an IP from your public range, then nothing is stopping your users from bypassing your firewall.

So typically the way this will work is that on the far side of your router you put the ISP's address from their network.

On the internal IF of your router you put a private IP address. Let's say 172.16.0.1/30.

On your firewall's external IF you put an IP address of 172.16.0.2/30 and you say that its default route out is 172.16.0.1. Now this is important: use a crossover cable to connect the two, the internal IF of the router and the external IF of the firewall.

Now on your firewall you have a second NIC. This is where your public address range goes. You assign it an IP of 192.168.0.1/24, you connect it to a switch, your users also connect to the switch fabric, and they set their gateway to 192.168.0.1.

Here's the tricky part. How does your router know how to get to your public network? Easy: on your router you add a route to the 192.168.0.0/24 network by saying to get to that network use 172.16.0.2. Because your internal IF is connected to the 172.16.0.0/30 network, it will be able to get to the public network.

The reason this works is because your ISP is publishing a route that says to get to the 192.168.0.1 network use 10.1.1.1.

That is all the external world needs to know, your static routes take care of the rest.

And that's how it is done.
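The routing walk in the reply above can be checked with a small longest-prefix-match simulator. This is an added example, not code from the thread or from any Symantec product: it models the four devices (ISP router, customer router, firewall, one LAN host) with the addresses the reply gives, traces a packet hop by hop in each direction, and then rebuilds the topology the reply warns against (router's inside interface placed on the public /24) to show that the firewall drops out of the path. Assumptions not in the thread: the public range is taken as 192.168.0.0/24 throughout (the reply uses both 192.168.1.0/24 and 192.168.0.0/24), the ISP side of the 10.1.1.0/24 link is 10.1.1.254, the ISP's upstream link is 198.51.100.0/30, and the LAN host is 192.168.0.10.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    interfaces: list   # IPv4Interface objects: address plus mask
    routes: list       # (IPv4Network, next-hop IPv4Address) static routes

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns None when dst is on a directly connected network."""
        candidates = [(i.network, None) for i in self.interfaces] + list(self.routes)
        matches = [c for c in candidates if dst in c[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda c: c[0].prefixlen)[1]


def iface(s):
    return ipaddress.ip_interface(s)


def route(net, nh):
    return (ipaddress.ip_network(net), ipaddress.ip_address(nh))


def build_topology(router_lan_on_public_range=False):
    """Devices from the reply. Addresses not in the thread (10.1.1.254,
    198.51.100.0/30, the host 192.168.0.10) are constructed for this example.
    With router_lan_on_public_range=True the router's inside interface sits on
    the public /24 instead of the 172.16.0.0/30 link, which is the setup the
    reply says lets users route around the firewall."""
    if router_lan_on_public_range:
        router_inside = iface("192.168.0.254/24")
        router_routes = [route("0.0.0.0/0", "10.1.1.254")]
        host_gw = "192.168.0.254"   # users point at the router directly
    else:
        router_inside = iface("172.16.0.1/30")
        router_routes = [route("192.168.0.0/24", "172.16.0.2"),   # the static route from the reply
                         route("0.0.0.0/0", "10.1.1.254")]
        host_gw = "192.168.0.1"     # the firewall's inside interface
    devs = [
        Device("isp_router", [iface("10.1.1.254/24"), iface("198.51.100.2/30")],
               [route("192.168.0.0/24", "10.1.1.1"),   # the route the ISP publishes
                route("0.0.0.0/0", "198.51.100.1")]),
        Device("router", [iface("10.1.1.1/24"), router_inside], router_routes),
        Device("firewall", [iface("172.16.0.2/30"), iface("192.168.0.1/24")],
               [route("0.0.0.0/0", "172.16.0.1")]),
        Device("host", [iface("192.168.0.10/24")], [route("0.0.0.0/0", host_gw)]),
    ]
    return {d.name: d for d in devs}


def trace(devices, start, dst, max_hops=16):
    """Follow next hops from `start` until dst is directly connected or the
    packet leaves the modelled network. Returns the devices traversed in order."""
    dst = ipaddress.ip_address(dst)
    owner = {i.ip: d.name for d in devices.values() for i in d.interfaces}
    path, cur = [start], start
    for _ in range(max_hops):
        nh = devices[cur].next_hop(dst)
        if nh is None:
            return path              # delivered on a connected network
        if nh not in owner:
            path.append("internet")  # next hop is upstream of the ISP router
            return path
        cur = owner[nh]
        path.append(cur)
    raise RuntimeError(f"routing loop while tracing {dst}")


def traverses_firewall(path):
    """The property the reply is after: every path must pass the firewall."""
    return "firewall" in path


if __name__ == "__main__":
    good = build_topology()
    print("outbound:", " -> ".join(trace(good, "host", "203.0.113.5")))
    print("inbound :", " -> ".join(trace(good, "isp_router", "192.168.0.10")))
    bad = build_topology(router_lan_on_public_range=True)
    print("bypass  :", " -> ".join(trace(bad, "host", "203.0.113.5")))
```

With the reply's layout both directions read host, firewall, router, ISP router (and back), because the only route the router has to the public /24 points at the firewall's 172.16.0.2 address. In the alternative layout the router itself is on the public /24, so it delivers inbound packets straight onto the LAN and accepts outbound packets from any host that names it as gateway; the `traverses_firewall` check fails in both directions, which is the point of keeping the router-to-firewall link on its own private /30.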
