I'm not sure what you mean by "sequential IPs" but I assume
you want to split your addresses between the internal LAN and the DMZ.
What you could do, is use the public addresses on your FW
only, for address translation, and the external IF
on the FW.
Then you hide all internal clients behind them,
using NAT and reserved addresses, for instance, 192.168.1.0 on
one network, and 192.168.2.0 on the other.
This would give you all the addresses you need.... (255 on each subnet).
You have only 8 addresses, i.e. your network is
202.54.44.30, with netmask 255.255.255.248
Addresses .30 and .37 cannot be used
(.37 is your broadcast address)
This leaves you with 6 addresses for hosts.
Subnetting any further (split in two)
will leave you with two networks that have
4 addresses each, of which 2 will be reserved (30,33,34 and 37).
That would leave you with only 4 host addresses in total.
Here's the setup I propose:
Internal: 192.168.1.0 to ...255, netmask 255.255.255.0
DMZ: 192.168.2.0 to ...255, netmask 255.255.255.0
IP for FW external interface: 204.54.44.31
The drawing shows the IP addresses for each interface on the FW.
         internet
            |
            |
       204.54.44.31
        FIREWALL--192.168.2.1 -- DMZ
       192.168.1.1
            |
            |
     internal network
You can then use NAT to hide all the internal IPs
behind a public address when they go through to the internet.
For example, set up "hide NAT" with 204.54.44.32 for the internal
network. This would make all your clients look like they are 204.54.44.32,
even though they're really using 192.168.1.xxx
You set this up in the Security policy window,
in the properties for the object that is your internal network.
Under NAT, you specify type HIDE, and the 204.54.44.32 address.
For the DMZ, you have to use Static NAT. This means you assign
1 NAT address to 1 reserved address.
For instance, you could set up your servers like this:
DNS: 192.168.2.10
www: 192.168.2.11
mail: 192.168.2.12
Then you have to assign each of these a public address,
so that they are accessible from the internet.
You do this in the object properties in the security policy.
Under NAT, you enter (for example):
DNS: type Static, IP: 204.54.44.33
www: type Static, IP: 204.54.44.34
etc..
Cheers,
Anders :)
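
Added example (not part of the original post, and not Check Point code): a small Python model of the two NAT types described above, using the post's addresses, to show why hide NAT suits clients and static NAT is needed for reachable DMZ servers. The NatModel class, the starting port 10000 and the client addresses in the demo are assumptions made for illustration.

```python
import ipaddress

# Addresses taken from the post's proposed setup.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
HIDE_ADDR = "204.54.44.32"            # hide NAT address for the internal network
STATIC_NAT = {                        # private DMZ address -> public address
    "192.168.2.10": "204.54.44.33",   # DNS
    "192.168.2.11": "204.54.44.34",   # www
}

class NatModel:
    """Toy model of hide (many-to-one) and static (one-to-one) NAT.

    Simplified: a real firewall tracks the full connection tuple, and the
    security policy still decides which translated traffic is allowed.
    """

    def __init__(self):
        self._next_port = 10000       # assumed first port handed out by hide NAT
        self._hide_state = {}         # public port -> (private ip, private port)
        self._public_to_private = {pub: priv for priv, pub in STATIC_NAT.items()}

    def outbound(self, src_ip, src_port):
        """Return the (ip, port) the internet sees for an outgoing connection."""
        if src_ip in STATIC_NAT:
            return STATIC_NAT[src_ip], src_port          # one-to-one, port unchanged
        if ipaddress.ip_address(src_ip) in INTERNAL_NET:
            port = self._next_port                       # many-to-one, port rewritten
            self._next_port += 1
            self._hide_state[port] = (src_ip, src_port)
            return HIDE_ADDR, port
        raise ValueError(f"no NAT rule for {src_ip}")

    def inbound(self, dst_ip, dst_port):
        """Return the private (ip, port) reached from the internet, or None."""
        if dst_ip in self._public_to_private:
            return self._public_to_private[dst_ip], dst_port
        if dst_ip == HIDE_ADDR:
            # Only replies to connections opened from inside have state.
            return self._hide_state.get(dst_port)
        return None

if __name__ == "__main__":
    nat = NatModel()
    print(nat.outbound("192.168.1.20", 51000))   # constructed client address
    print(nat.inbound("204.54.44.32", 4444))     # unsolicited: no mapping
    print(nat.inbound("204.54.44.33", 53))       # static NAT reaches the DNS server
```
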