[isalist] Re: Creating first DMZ - A few newbie questions...

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 13 Apr 2008 09:25:08 -0700

http://www.ISAserver.org
-------------------------------------------------------

You'll have to:
1. Slice off a subnet of the /22 network you describe and
2. Establish your ISA public IP as a route to the DMZ public IPs.

Better that you try to resolve why your mail servers are getting blacklisted.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Paul Laudenslager
Sent: Tuesday, April 08, 2008 1:34 PM
To: isalist@xxxxxxxxxxxxx
Cc: 'Paul Laudenslager'; alexander@xxxxxxxxxxxxxxxxxx; 'Larry Etzler'
Subject: [isalist] Creating first DMZ - A few newbie questions...

Hi Everyone,

I know that this has been covered before but I have a few simple questions
before I get started.

I have (4) Class C IP addresses that I've assigned out to publishing servers
on a private network.

My current IP's (not real ones) look something like this...

        14.174.56.0/22
        255.255.252.0

And this covers

        14.174.56.x
        14.174.57.x
        14.174.58.x
        14.174.59.x

To make things easy on me, I've set up something similar on my private
network

        172.16.56.0/22
        255.255.252.0

        172.16.56.x
        172.16.57.x
        172.16.58.x
        172.16.59.x

Everything is working great!  Now it's time to work on my DMZ.

        Firewall w/ three NICS

        1st NIC:  Public IPs
        2nd NIC:  Private Network (172.16.56.1)
        3rd NIC:  DMZ

I currently have about 2000 customers checking mail on about 10 mail
servers.  Our firewall is getting blacklisted and we can't tell which server
(let alone which customer) is causing the problem.

I know that I need to use some of my 'public' IP's for the DMZ.  What I'm
wanting to do is move individual IP's to the DMZ.  For example,

        14.174.56.40
And
        14.174.58.75

Are both suspect mail servers that I wish to move to the DMZ.

Q)  Is this scenario possible of just moving individual IPs/servers to the
DMZ?  Is it as simple as deleting the public IP/netmask from the 1st NIC and
assigning to the 3rd NIC?

If not, I'm assuming that I would have to break out a range of IP's.  I wish
to move about 20-30 IP's from my currently assigned public IP's to the DMZ.
So I'm thinking...

        14.174.58.65
        255.255.255.224

To break out part of the public IPs destined for the DMZ.

Q)  If I do this, how does this affect the subnet mask for each IP on the
1st NIC?

As you can tell, this is my weak area and I'm studying subnetting now.


Any assistance or direction that you can point me in is greatly appreciated.

Thanks in advance for your time and consideration.  Have a wonderful day! :)
-Paul





------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
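
Added example (not part of the original thread, and not code from either poster): the subnet slice discussed above, worked through with Python's standard ipaddress module. It uses the placeholder addresses from the question; the function names plan_dmz_slice and smallest_common_subnet are made up for this illustration.

```python
import ipaddress

def plan_dmz_slice(parent, proposed_ip, proposed_mask, hosts):
    """Check a proposed DMZ slice against the parent block and the hosts to move."""
    parent_net = ipaddress.ip_network(parent)
    # strict=False accepts a host address (.65) and snaps it to its network (.64)
    dmz = ipaddress.ip_network(f"{proposed_ip}/{proposed_mask}", strict=False)
    if not dmz.subnet_of(parent_net):
        raise ValueError(f"{dmz} is not inside {parent_net}")
    usable = list(dmz.hosts())  # excludes the network and broadcast addresses
    return {
        "dmz": dmz,
        "first": usable[0],
        "last": usable[-1],
        "count": len(usable),
        # Blocks of the parent that stay on the public side after the slice
        "remaining": sorted(parent_net.address_exclude(dmz)),
        # Which of the servers to be moved already fall inside the slice
        "covered": {h: ipaddress.ip_address(h) in dmz for h in hosts},
    }

def smallest_common_subnet(hosts):
    """Smallest single subnet that contains every listed host."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit at a time
    return net

# Placeholder addresses from the question (stated there as "not real ones")
SUSPECTS = ["14.174.56.40", "14.174.58.75"]

if __name__ == "__main__":
    plan = plan_dmz_slice("14.174.56.0/22", "14.174.58.65",
                          "255.255.255.224", SUSPECTS)
    print("DMZ network :", plan["dmz"])
    print("Usable hosts:", plan["first"], "-", plan["last"], f"({plan['count']})")
    print("Left in /22 :", ", ".join(str(n) for n in plan["remaining"]))
    for host, inside in plan["covered"].items():
        print(f"{host:>14} in slice: {inside}")
    print("Smallest subnet holding both suspects:",
          smallest_common_subnet(SUSPECTS))
```

With these inputs only one of the two suspect servers lands inside the proposed /27, and the smallest single subnet containing both is the whole /22.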

