08-16-04 01:48 AM
Hello all,
I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
gateway set on my cable modem. (24.XXX.XXX.233).
In order to achieve what we want to do with our ISA server and DMZ, we
need to have two different subnets of public IP addresses. So I
subnetted the 5 IPs into 2 separate subnets. So now I have
24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
set. (ISA requirement) I also have an internal network in this machine
assigned a 10 net range. That is set on the third NIC. (also no default
gateway)
Finally the problem. The host I have on the DMZ is a Redhat box hosting
my email and websites for my customers. I use the ISA box for my own
internal mail. The problem is browsing the internet from the DMZ box. I
am now almost certain it is due to the fact that I subnet my original IP
block and the cable modem doesn't contain any routing information for
that second IP range that I created by subnetting. Fine. I contacted the
ISP and they want to charge me to get a second range of IPs and I don't
want to do that.
My thoughts are to stick another Redhat box in between my Cable Modem
and my ISA box and let THAT figure out the two subnets. So then my
question is how am I going to do that? With three NICs? One assigned as
the gateway for the two separate subnets and the external using what? I
only have 5 IPs to work here, so I am a little bit limited. Limited and
confused as to what direction to head from here.
Thanks,
Edog
08-16-04 01:48 AM
On Sun, 15 Aug 2004 16:52:57 +0000, Edog wrote:
> Hello all,
>
> I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
> gateway set on my cable modem. (24.XXX.XXX.233).
>
> In order to achieve what we want to do with our ISA server and DMZ, we
> need to have two different subnets of public IP addresses. So I subnetted
> the 5 IPs into 2 separate subnets.
That won't work with a cable modem because it isn't a router. The actual
router is upstream at your ISP and they are the ones that would have to
implement the two subnets. And apparently you find the cost of that
unpalatable.
> My thoughts are to stick another Redhat box in between my Cable Modem
> and my ISA box and let THAT figure out the two subnets. So then my
> question is how am I going to do that? With three NICs? One assigned as
> the gateway for the two separate subnets and the external using what? I
> only have 5 IPs to work here, so I am a little bit limited. Limited and
> confused as to what direction to head from here.
>
You could do this, but not with subnetting. Given this requirement I'd
place a Linux box with three NICs next to the cable modem. Each "inside"
NIC would implement a DMZ using an RFC 1918 private network and I'd
statically NAT outside IPs onto the servers in the DMZs. If you add a
fourth NIC to the Linux box you could use it for other clients that simply
need Internet access (via dynamic NPAT, aka Masquerade).
--
The instructions said to use Windows 98 or better, so I installed RedHat.
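The layout described in the reply above, as an added example that is not part of the thread: one Linux box beside the cable modem, eth0 outside, eth1 a DMZ on RFC 1918 space, eth2 a client LAN, with a public address statically NATed 1:1 onto the DMZ server and the LAN masqueraded. The addressing is assumed, not stated anywhere in the thread: the ISP block is taken to be 24.0.0.232/29 with gateway .233 (24.0.0.x stands in for 24.XXX.XXX.x), the DMZ server sits on 192.168.10.10, and the public address .235 is mapped onto it. The script prints the commands unless APPLY=1 is set, so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: ISP block
# 24.0.0.232/29, gateway .233; eth0 outside, eth1 DMZ (192.168.10.0/24),
# eth2 client LAN (192.168.20.0/24). Commands are printed unless APPLY=1.

PUB_GW=24.0.0.233
FW_PUB=24.0.0.234          # the firewall's own outside address
DMZ_PUB=24.0.0.235         # public address mapped 1:1 onto the DMZ server
DMZ_HOST=192.168.10.10     # the Red Hat mail/web server, now on private space
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.20.0/24

run() {
    # Execute the command only when APPLY=1; otherwise print it.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_addresses() {
    run ip addr add "$FW_PUB/29" dev eth0
    # Secondary address on eth0 so the box answers ARP for .235 itself;
    # no proxy ARP is needed with this design.
    run ip addr add "$DMZ_PUB/29" dev eth0
    run ip route add default via "$PUB_GW" dev eth0
    run ip addr add 192.168.10.1/24 dev eth1
    run ip addr add 192.168.20.1/24 dev eth2
    run sysctl -w net.ipv4.ip_forward=1
}

setup_nat() {
    # Static NAT: traffic arriving for .235 lands on the DMZ host, and the
    # DMZ host's own outbound traffic leaves as .235 (so it can browse).
    run iptables -t nat -A PREROUTING -i eth0 -d "$DMZ_PUB" -j DNAT --to-destination "$DMZ_HOST"
    run iptables -t nat -A POSTROUTING -o eth0 -s "$DMZ_HOST" -j SNAT --to-source "$DMZ_PUB"
    # Dynamic NPAT (masquerade) for ordinary clients on the third inside NIC
    run iptables -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j MASQUERADE
}

setup_filter() {
    # Default deny for forwarded traffic; only replies and published
    # services get through, and the DMZ can never initiate into the LAN.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 25 80 443; do
        run iptables -A FORWARD -i eth0 -o eth1 -d "$DMZ_HOST" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i eth1 -o eth0 -s "$DMZ_HOST" -j ACCEPT
    run iptables -A FORWARD -i eth2 -o eth0 -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i eth2 -o eth1 -d "$DMZ_NET" -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth2 -j DROP
}

main() {
    setup_addresses
    setup_nat
    setup_filter
}

main
```

Run it once without APPLY to read the rule set, then `APPLY=1 sh nat-dmz.sh` as root. The DNAT/SNAT pair is what makes the mapping "static": inbound connections to .235 reach the server, and the server's own browsing leaves with .235 rather than the firewall's .234, so nothing upstream needs to know about a second subnet.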
08-16-04 01:48 AM
On Sun, 15 Aug 2004 16:52:57 GMT, Edog <easycom@techie.con> wrote:
> Hello all,
>
> I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
> gateway set on my cable modem. (24.XXX.XXX.233).
>
> In order to achieve what we want to do with our ISA server and DMZ, we
> need to have two different subnets of public IP addresses. So I
> subnetted the 5 IPs into 2 separate subnets. So now I have
> 24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
> 24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
> to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
> The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
> set. (ISA requirement) I also have an internal network in this machine
> assigned a 10 net range. That is set on the third NIC. (also no default
> gateway)
It sounds like your cable modem is a modem/router, so wouldn't it be
simpler to just put a switch on the cable modem/router with ISA box and
Linux connected directly to the switch?
> Finally the problem. The host I have on the DMZ is a Redhat box hosting
> my email and websites for my customers. I use the ISA box for my own
> internal mail. The problem is browsing the internet from the DMZ box. I
> am now almost certain it is due to the fact that I subnet my original IP
> block and the cable modem doesn't contain any routing information for
> that second IP range that I created by subnetting. Fine. I contacted the
> ISP and they want to charge me to get a second range of IPs and I don't
> want to do that.
There is nothing that says you cannot have the same IP on 2 different
interfaces as long as they have correct netmasks. In this case the .234
public interface would need netmask 255.255.255.255, broadcast same as IP,
host route to .233, and default gateway .233, and proxy arp enabled so it
would answer for Linux on the DMZ.
The DMZ interface could also have .234 IP netmask 255.255.255.255 and host
route to Linux IP.
If the ISA box does not do proxy arp, you could NAT the Linux box on a
private IP and forward necessary ports to it.
> My thoughts are to stick another Redhat box in between my Cable Modem
> and my ISA box and let THAT figure out the two subnets. So then my
> question is how am I going to do that? With three NICs? One assigned as
> the gateway for the two separate subnets and the external using what? I
> only have 5 IPs to work here, so I am a little bit limited. Limited and
> confused as to what direction to head from here.
What would that do that a switch could not do. I assume the ISA box has a
decent firewall if it is on the internet now.
--
David Efflandt - All spam ignored http://www.de-srv.com/
08-16-04 10:59 PM
David Efflandt wrote:
> On Sun, 15 Aug 2004 16:52:57 GMT, Edog <easycom@techie.con> wrote:
>
>
>
> It sounds like your cable modem is a modem/router, so wouldn't it be
> simpler to just put a switch on the cable modem/router with ISA box and
> Linux connected directly to the switch?
>
That thought crossed my mind as well, but I didn't want to set up the
firewall on that Linux box. Lazy...I know.
>
>
>
> There is nothing that says you cannot have the same IP on 2 different
> interfaces as long as they have correct netmasks. In this case the .234
> public interface would need netmask 255.255.255.255, broadcast same as IP,
> host route to .233, and default gateway .233, and proxy arp enabled so it
> would answer for Linux on the DMZ.
>
> The DMZ interface could also have .234 IP netmask 255.255.255.255 and host
> route to Linux IP.
>
> If the ISA box does not do proxy arp, you could NAT the Linux box on a
> private IP and forward necessary ports to it.
>
>
>
>
> What would that do that a switch could not do. I assume the ISA box has a
> decent firewall if it is on the internet now.
>
I just figured that this was a routing issue and a switch wouldn't be
able to solve that problem.
08-17-04 01:49 AM
"Edog" <easycom@techie.con> wrote in message
news:JxMTc.9700$M8.8213@fe2.texas.rr.com...
> Hello all,
> In order to achieve what we want to do with our ISA server and DMZ, we
> need to have two different subnets of public IP addresses. So I
> subnetted the 5 IPs into 2 separate subnets. So
Can't do that. The smallest subnet is a /30: 4 IPs, with the first one and
last one not usable (unless your router can use subnet-zero).
08-17-04 10:54 PM
Wolf wrote:
> "Edog" <easycom@techie.con> wrote in message
> news:JxMTc.9700$M8.8213@fe2.texas.rr.com...
>
>
>
>
>
> Can't do that. The smallest subnet is a /30: 4 IPs, with the first one and
> last one not usable (unless your router can use subnet-zero).
>
>
Thanks Wolf, that was the simple answer I was looking for.
08-17-04 10:54 PM
> In order to achieve what we want to do with our ISA server and DMZ, we
> need to have two different subnets of public IP addresses. So I
> subnetted the 5 IPs into 2 separate subnets. So now I have
> 24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
> 24.XXX.XXX.237 and 238.
As I'm sure you've found out by now you can't subnet like that.
> My ISA box uses .234 as the interface connecting
> to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
Hey, this is linux, ISA is another problem all together ;-)
> The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
> set. (ISA requirement) I also have an internal network in this machine
> assigned a 10 net range. That is set on the third NIC. (also no default
> gateway)
Check out my post on 8/13 titled "routing without eating up my IPs" in
comp.os.linux.networking. The answer is basically you take one IP and put
it on two interfaces of a Linux box, one NIC internal, the other NIC
external. On the internal NIC you connect the other systems using the
remaining IPs and set up proxy ARP on the external NIC. On this Linux box
you can run firewalling to secure the internal systems.
The advantage you have with this solution is you don't lose any IPs because
of the network or broadcast addresses. The above paragraph may be a little
confusing, see the diagram I made in my post and especially David Efflandt's
answer and it will be clear.
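The "one IP on both NICs plus proxy ARP" layout from David Efflandt's reply and the post above, as an added example that is not part of the thread: the Linux firewall's single public address .234 is configured as a /32 on both eth0 (cable modem side) and eth1 (DMZ side), with a host route to the ISP gateway and host routes to each DMZ server, and proxy ARP enabled so that the ISP router sees .235-.238 behind eth0 and the DMZ hosts see their gateway .233 behind eth1. Assumed, since the thread does not state it: the ISP block is 24.0.0.232/29 (24.0.0.x stands in for 24.XXX.XXX.x) with gateway .233, and the DMZ hosts keep their public addresses with the normal /29 mask and gateway .233, so no address is lost to network or broadcast. Commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: ISP block 24.0.0.232/29 with
# gateway .233; eth0 faces the cable modem, eth1 the DMZ segment; DMZ hosts
# use .235-.238 with mask /29 and gateway .233. Printed unless APPLY=1.

PUB_GW=24.0.0.233
FW_IP=24.0.0.234
DMZ_HOSTS="24.0.0.235 24.0.0.236 24.0.0.237 24.0.0.238"

run() {
    # Execute the command only when APPLY=1; otherwise print it.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_proxyarp() {
    run sysctl -w net.ipv4.ip_forward=1
    # eth0: answer the ISP router's ARP for .235-.238 (their routes point
    # out eth1, so Linux proxies them here)
    run sysctl -w net.ipv4.conf.eth0.proxy_arp=1
    # eth1: answer the DMZ hosts' ARP for their gateway .233 (route via eth0)
    run sysctl -w net.ipv4.conf.eth1.proxy_arp=1
}

setup_addresses() {
    # Same address on both NICs, /32 with the broadcast equal to the address
    run ip addr add "$FW_IP/32" broadcast "$FW_IP" dev eth0
    run ip addr add "$FW_IP/32" broadcast "$FW_IP" dev eth1
}

setup_routes() {
    # Host route to the ISP gateway out eth0, then the default route via it
    run ip route add "$PUB_GW/32" dev eth0
    run ip route add default via "$PUB_GW" dev eth0
    # One host route per DMZ server out eth1; proxy ARP on eth0 answers
    # exactly for the addresses that have such a route
    for h in $DMZ_HOSTS; do
        run ip route add "$h/32" dev eth1
    done
}

setup_filter() {
    # Firewall the DMZ on this box: default deny, replies allowed, DMZ hosts
    # may browse out, only published services are reachable from outside.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    for h in $DMZ_HOSTS; do
        for port in 25 80 443; do
            run iptables -A FORWARD -i eth0 -o eth1 -d "$h" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
}

main() {
    setup_proxyarp
    setup_addresses
    setup_routes
    setup_filter
}

main
```

After applying, `arping -I eth1 24.0.0.233` from a DMZ host should be answered with the firewall's eth1 MAC, and `ip route get 24.0.0.235` on the firewall should show `dev eth1`; if either fails, the host route or the per-interface proxy_arp sysctl is missing. Because the firewall forwards rather than bridges, every packet between the DMZ and the cable modem passes the FORWARD chain, which is what lets this box do the firewalling the post mentions.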
08-17-04 10:54 PM
Edog <easycom@techie.con> wrote in message news:<oEoUc.15857$MD.10968@fe1.texas.rr.com>...
> Wolf wrote:
> Thanks Wolf, that was the simple answer I was looking for.
huh .... /32 255.255.255.255 wildcard 0.0.0.0 bridged
08-18-04 01:48 AM
"flailking" <google@theflailshack.com> wrote in message
news:cb882613.0408171528.473403a6@posting.google.com...
> Edog <easycom@techie.con> wrote in message
> news:<oEoUc.15857$MD.10968@fe1.texas.rr.com>...
>
> huh .... /32 255.255.255.255 wildcard 0.0.0.0 bridged
Not a subnet, it is a host.
--
Angel R. Rivera aka Wolf
----------------------------------------------------------------
Please post all responses to UseNet. All email cheerfully and automagically
routed to Dave Null
08-18-04 01:48 AM
"Edog" <easycom@techie.con> wrote in message
news:oEoUc.15857$MD.10968@fe1.texas.rr.com...
> Wolf wrote:
> Thanks Wolf, that was the simple answer I was looking for.
Subnetting can be a real bear to figure out.
I would use a combination of NAT and PAT (OK, I would cheat and use a Cisco
router) in combination with ACLs to do the same thing.
--
Angel R. Rivera aka Wolf
----------------------------------------------------------------
Please post all responses to UseNet. All email cheerfully and automagically
routed to Dave Null