General discussion


Firewall configration

By EngEhab ·
dear all
I have a network with Class C real Ip's I want to keep the real ip in the network and protect it using firewall Symantec security gateway.
my question is how to configure the internal and external nic.

the external will be real IP and the GW is the the router of the ISP.
now how to configure the internal IP.and keep the network using the real IP

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by Rasman In reply to Firewall configration

Not familiar with semantic, I have a question or two. Are the devices that are being configured with public addresses running services that are accessed by internet users or off site customers.
IF no then the recommended solution if is to run nat at the edge configure a simple VPN server cheap cisco 1605 works great use a windows server or any of the cheap routers that are available for nat. Address the inside network in a private range like Doing it like this you get the best of both public acces via vpn and a degree of security for your inside clients.

If the answer to the questionis Yes youdo have external internet access requirements. I would definatly use a full strength product and a dmz.
Placing the web products on a class c that is connected to a firewall like a cisco 1605 or a pix. and placing your inside clients on another interface running nat to get out. VPN is still possible to access the inside clients if you choose.


Collapse -

by cw In reply to Firewall configration

I guess the question is, when you say you want the network to use the "real" IP (registered addresses) do you just mean you want them to be able to surf the web or have web clients access resources on your network using these addresses, or for some reason you really want to use the registered addresses on your internal hosts,(God knows why).

If the former, then simply leave your private IP addresses on the inside hosts, and configure NAT and PAT on the outside interface of the Firewall. You can use one address or a pool of them for your clients to surf the web, by specifying this range on the outside interface of your Firewall. For external clients to access internal resources, One to One NAT translations to internal host addresses, and inbound permiting Access Control Lists will suffice.

If the latter (don't let them make you do it:) then you would simply use an extra address from you assigned Class C, on the inside Interface, thereby turning you nice new Firewall into an overpriced router.

Hope this helps

Chris Weber CCDP

Collapse -

by bwheel In reply to Firewall configration

I am unclear as to whether you use "real IP's" on your internal network or not, I am going under the assumption that you do use "real IP's" on the inside of the network. Readdress your internal network to something non-routable, as this will give you the most security and flexibility. Something in the 10.x.x.x, 192.168.x.x, or 172.16.x.x (never remember that one for some reason). This is a semi-critical step, as it will make it much harder to reach any of your internal clients without going through the firewall. The issue here is that the firewall itself if I remember correctly will not allow identical addresses on the outside and inside interfaces, so to use the same set inside and outside will be complicated as you must use up more addresses to split the class c address space. This is highly unrecommended. To do it this way will save your class c "real IP's" for internet use only. Then you tell the symantec box to use the entire class C range on the outside of the box, and you do this by setting the IP to be the network address and appropriate subnet to include all outside (class c addresses). You then set the inside interface to be the addresses that you set internally one of the 10.x.x.x addresses for instance. If you are concerned with allowing internet services to see the internal servers (mail, web, ftp, whatever), don't be. The firewall itself has a ruleset that allows you to point one IP on the outside to an IP on the inside using ports or ranges of ports. (Heads up here, You must first specify an object for each IP inside and out, and define the ports to use. This is just how symantec's ruleset works, really efficient and object oriented). I hope this gets you started, and read as many tech notes as possible, before you put it in... There are quite a few gotcha's, that can be gotten around if you know what to fix.

Related Discussions

Related Forums