Subnetting/DMZ Help

hutchingsp (Limp Gawd; joined Dec 24, 2006; 150 messages)
We have the following:

LAN 10.65.0.0/16
|
ISA Server (LAN Private IP on 10.65.0.0/16)
ISA Server (WAN Public IP on 1.2.3.253/24)
|
Netscreen (Internal Public IP on 1.2.3.254/24)
Netscreen (External Public IP on w.x.y.z into the ISP managed Cisco router)

We use the public IP area between the ISA and the Netscreen as a basic DMZ.

All the services hosted in this area are in the range 1.2.3.1 to 1.2.3.40/24.

The ISA is going to be replaced, and I'd like to use one of the interfaces on its replacement as an interface to a proper DMZ.

Am I right in thinking that I should be able to "simply" change the subnet mask on each of the existing public IPs to /26 and I'm in business?

It's not something I've too much hands on experience with, but I believe that'll give me a maximum of 4 subnets with 62 hosts each, one for the network between the ISA and the Netscreen and another for the DMZ interface.

I'm having a bit of a mental block with picturing the physical connectivity, embarrassing really! Right now the external NIC on the ISA simply plugs into the internal switch on the Netscreen, when I bring a DMZ interface into the equation that has to connect to both the Netscreen and the hosts behind it?
 
Are the services from .1 to .40 nothing more than VIPs on the ISA, or do you have other devices in that subnet?

Regardless, you can't really just change the subnet to a /26, because you have addresses in the 1-40 range in addition to the 253 and 254 addresses. You would have to change the 253 and 254 to something within 41-62. Then you could change it.

Also, the subnetting that everyone learns in all beginner networking classes is stupid. Assigning a /26 doesn't automatically mean you have to assign a /26 to the rest of the subnet. I don't know anyone who doesn't use VLSM (variable length subnet mask) these days. You can have a /26 for 0-63, and then you can break up 64-255 however you wish, as long as you end on the proper binary subnets (i.e. you can't have a /26, then a /25, and a /26 at the end; but you can have two /26s and then a /25).

As far as the DMZ is concerned, there are two basic concepts of a DMZ that are pretty much the same, but slightly different. For a home network, the routers will typically define a DMZ as a single IP where they will send any incoming traffic that doesn't match any predefined port-forwarding rules. In an enterprise setting, it's usually a network space where you place proxy servers that break the connection to an origin server, such that a client will never have a direct connection to the origin server, and if the DMZ is compromised, it can be shut down and the origin server would still be intact.

Well, it's getting late and I'm probably rambling now. Hope that helps.
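The two points in the thread (the original "can I just change the mask to /26?" question and the reply's objection that .253/.254 would land in a different /26 from the .1-.40 services, plus the VLSM alignment rule) can be checked mechanically. The following Python is an added example, not code from either poster; it uses the thread's placeholder 1.2.3.0/24 as constructed input and the standard library `ipaddress` module.

```python
import ipaddress

# Constructed inputs mirroring the thread: the poster's placeholder /24 of public space,
# services on .1 to .40, and the ISA/Netscreen link on .253 and .254.
PUBLIC_BLOCK = "1.2.3.0/24"
SERVICE_HOSTS = [f"1.2.3.{i}" for i in range(1, 41)]
LINK_HOSTS = ["1.2.3.253", "1.2.3.254"]


def split_block(block, new_prefix):
    """All subnets of `block` at `new_prefix`, e.g. a /24 split into four /26s."""
    return list(ipaddress.ip_network(block).subnets(new_prefix=new_prefix))


def usable_hosts(subnet):
    """Host addresses in a subnet after reserving the network and broadcast addresses."""
    return ipaddress.ip_network(subnet).num_addresses - 2


def place_hosts(block, new_prefix, hosts):
    """Where each existing host would land if the mask were simply changed to `new_prefix`.

    Returns {subnet string: [host strings]} so you can see which addresses end up
    stranded in a different subnet and would have to be renumbered.
    """
    subnets = split_block(block, new_prefix)
    placement = {str(s): [] for s in subnets}
    for h in hosts:
        addr = ipaddress.ip_address(h)
        for s in subnets:
            if addr in s:
                placement[str(s)].append(h)
                break
    return placement


def fits_in_one_subnet(block, new_prefix, hosts):
    """The 'just change the mask' test: True only if every host lands in the same subnet."""
    occupied = [s for s, members in place_hosts(block, new_prefix, hosts).items() if members]
    return len(occupied) == 1


def vlsm_plan(block, prefixes):
    """Carve `block` into consecutive subnets with the given prefix lengths (VLSM).

    Each subnet must start on its own binary boundary (a /25 on a multiple of 128,
    a /26 on a multiple of 64) and the plan must exactly fill the block.
    Returns the list of subnet strings, or None if the plan is misaligned.
    """
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    out = []
    for p in prefixes:
        size = 2 ** (32 - p)
        if cursor % size != 0 or cursor + size > end:
            return None  # subnet does not start on its own boundary, or overflows the block
        out.append(str(ipaddress.ip_network((cursor, p))))
        cursor += size
    return out if cursor == end else None


if __name__ == "__main__":
    for subnet, members in place_hosts(PUBLIC_BLOCK, 26, SERVICE_HOSTS + LINK_HOSTS).items():
        print(subnet, usable_hosts(subnet), "usable hosts:", members or "-")
    print("mask change alone works:",
          fits_in_one_subnet(PUBLIC_BLOCK, 26, SERVICE_HOSTS + LINK_HOSTS))
    print("after moving the link to .41/.42:",
          fits_in_one_subnet(PUBLIC_BLOCK, 26, SERVICE_HOSTS + ["1.2.3.41", "1.2.3.42"]))
    print("two /26s then a /25:", vlsm_plan(PUBLIC_BLOCK, [26, 26, 25]))
    print("/26, /25, /26:", vlsm_plan(PUBLIC_BLOCK, [26, 25, 26]))
```

Running it shows the four /26s with 62 usable hosts each, the .1-.40 services in 1.2.3.0/26 and the .253/.254 link addresses stranded in 1.2.3.192/26, and that only renumbering the link into .41-.62 makes the mask change work on its own. `vlsm_plan` accepts two /26s followed by a /25 and rejects /26, /25, /26, because the /25 would have to start at .64, which is not a multiple of 128.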
 