IP Routing & Subnetting

I have a network with a NAT router - 192.168.0.2,
a Domain Controller (2003) - 192.168.0.1,
and a series of workstations - 192.168.0.100 and upwards.
All have subnet masks of 255.255.255.0.
I want to put a webserver on this network, which is not on the domain and
has its own security policies etc.
I want incoming traffic from the router on ports 53 & 80 routed to this box,
but I don't want it to be able to see any of the client workstations or the
DC and vice versa.
So to all intents and purposes, as far as the main network is concerned,
this box won't exist!
How do I configure the IP addressing / subnet masks to do this?
Neil

You could create a subinterface on the router, with a different network ID,
trunk it to your switch for the webserver, and create ACL's to filter
traffic. You'll have to create a static NAT then for your webserver, and I'm
not sure you can do that with a subinterface. The right way to do it, would
be to physically create a DMZ (ad an ethernet interface to your router), or
even better, deploy a firewall with a DMZ. Setting up your NAT translations
and security settings will be much easier.

"Neil" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have a network with a NAT router - 192.168.0.2,
> a Domain Controller (2003) - 192.168.0.1,
> and a series of workstations - 192.168.0.100 and upwards.
> All have subnet masks of 255.255.255.0.
> I want to put a webserver on this network, which is not on the domain and
> has its own security policies etc.
> I want incoming traffic from the router on ports 53 & 80 routed to this
box,
> but I don't want it to be able to see any of the client workstations or
the
> DC and vice versa.
> So to all intents and purposes, as far as the main network is concerned,
> this box won't exist!
> How do I configure the IP addressing / subnet masks to do this?
> Neil
>
>

You can't with the equipment you have. It also makes a difference with what
type of line connection (DSL, T1, ect) you have and how many public IP#s you
have.

Option #1
If you have multiple IP#s and *not* DSL or Cable you can put it outside the
private system with a public IP#.

Option #2
Some firewall devices have a third "untrusted" DMZ interface. See the
product manufacturer to see how they expect you to use it.

Option #3
Use two Firewalls and create a Back-toBack DMZ and put the server in it.

But.....I'm not entirely sure what your expectations are. You mentioned
Domains, Ports 53 & 80, and Subnetting,...yet these three are not even
related to each other. Ports are Layer4, subnetting is Layer3, and Domain
are above and beyond the networking Layers and is the system's
Authentication model. You need to define what you mean by something being or
not being able to "see" something else. You probably need to explain the
functionality you want rather than soemthing "seeing" something.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Neil" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have a network with a NAT router - 192.168.0.2,
> a Domain Controller (2003) - 192.168.0.1,
> and a series of workstations - 192.168.0.100 and upwards.
> All have subnet masks of 255.255.255.0.
> I want to put a webserver on this network, which is not on the domain and
> has its own security policies etc.
> I want incoming traffic from the router on ports 53 & 80 routed to this
box,
> but I don't want it to be able to see any of the client workstations or
the
> DC and vice versa.
> So to all intents and purposes, as far as the main network is concerned,
> this box won't exist!
> How do I configure the IP addressing / subnet masks to do this?
> Neil
>
>

As the webserver will be internet facing, I want to protect the internal
network in the event of a hack / virus to the server.
I am using a DSL account with 1 static IP address and a Trust router/modem.
What are virtual circuits? Are these any good to me?
The manual is appaling!
Thanks
Neil


"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> You can't with the equipment you have. It also makes a difference with
what
> type of line connection (DSL, T1, ect) you have and how many public IP#s
you
> have.
>
> Option #1
> If you have multiple IP#s and *not* DSL or Cable you can put it outside
the
> private system with a public IP#.
>
> Option #2
> Some firewall devices have a third "untrusted" DMZ interface. See the
> product manufacturer to see how they expect you to use it.
>
> Option #3
> Use two Firewalls and create a Back-toBack DMZ and put the server in it.
>
> But.....I'm not entirely sure what your expectations are. You mentioned
> Domains, Ports 53 & 80, and Subnetting,...yet these three are not even
> related to each other. Ports are Layer4, subnetting is Layer3, and
Domain
> are above and beyond the networking Layers and is the system's
> Authentication model. You need to define what you mean by something being
or
> not being able to "see" something else. You probably need to explain the
> functionality you want rather than soemthing "seeing" something.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
> "Neil" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > I have a network with a NAT router - 192.168.0.2,
> > a Domain Controller (2003) - 192.168.0.1,
> > and a series of workstations - 192.168.0.100 and upwards.
> > All have subnet masks of 255.255.255.0.
> > I want to put a webserver on this network, which is not on the domain
and
> > has its own security policies etc.
> > I want incoming traffic from the router on ports 53 & 80 routed to this
> box,
> > but I don't want it to be able to see any of the client workstations or
> the
> > DC and vice versa.
> > So to all intents and purposes, as far as the main network is concerned,
> > this box won't exist!
> > How do I configure the IP addressing / subnet masks to do this?
> > Neil
> >
> >
>
>

Virtual Ciruits are just an ecclesiastical way to say "subnets" or "VLANS"
in a VLAN environment. What manual?

As I suspected you are not going to be able to do what you wish with what
you have to work with. DSL "routers" are not real routers. They are a
combination of these three devices:
1. DSL Modem (where the WAN port [phone line] comes in)
2. LAN Switch (where the LAN ports are on your network side of the box)
3. NAT Server (Network Address Translation between the WAN and LAN sides)

The closest that they are to a true router is the fact the NAT functionality
is built on top of Layer3 routing as it underlying engine.

Now if the Virtual Circuits "thing" implies that this particular "DSL
Router" can also do VLANS on the private side, then that can provide some
options. But this only divides the LAN into subnets and routes between
them,... it does not prevent anything from "seeing" anything else unless it
is also combined with ACLs to deny traffic between the subnets.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Neil" <(E-Mail Removed)> wrote in message
news:Oxf%(E-Mail Removed)...
> As the webserver will be internet facing, I want to protect the internal
> network in the event of a hack / virus to the server.
> I am using a DSL account with 1 static IP address and a Trust
router/modem.
> What are virtual circuits? Are these any good to me?
> The manual is appaling!
> Thanks
> Neil
>
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
> > You can't with the equipment you have. It also makes a difference with
> what
> > type of line connection (DSL, T1, ect) you have and how many public IP#s
> you
> > have.
> >
> > Option #1
> > If you have multiple IP#s and *not* DSL or Cable you can put it outside
> the
> > private system with a public IP#.
> >
> > Option #2
> > Some firewall devices have a third "untrusted" DMZ interface. See the
> > product manufacturer to see how they expect you to use it.
> >
> > Option #3
> > Use two Firewalls and create a Back-toBack DMZ and put the server in it.
> >
> > But.....I'm not entirely sure what your expectations are. You mentioned
> > Domains, Ports 53 & 80, and Subnetting,...yet these three are not even
> > related to each other. Ports are Layer4, subnetting is Layer3, and
> Domain
> > are above and beyond the networking Layers and is the system's
> > Authentication model. You need to define what you mean by something
being
> or
> > not being able to "see" something else. You probably need to explain the
> > functionality you want rather than soemthing "seeing" something.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> >
> > "Neil" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > > I have a network with a NAT router - 192.168.0.2,
> > > a Domain Controller (2003) - 192.168.0.1,
> > > and a series of workstations - 192.168.0.100 and upwards.
> > > All have subnet masks of 255.255.255.0.
> > > I want to put a webserver on this network, which is not on the domain
> and
> > > has its own security policies etc.
> > > I want incoming traffic from the router on ports 53 & 80 routed to
this
> > box,
> > > but I don't want it to be able to see any of the client workstations
or
> > the
> > > DC and vice versa.
> > > So to all intents and purposes, as far as the main network is
concerned,
> > > this box won't exist!
> > > How do I configure the IP addressing / subnet masks to do this?
> > > Neil
> > >
> > >
> >
> >
>
>

Oh...besides my other post......virtual circuits can also be related to
routers and their type of WAN Point-toPoint connection they use. For
example a Frame Relay connection creates a virtual point-to-point circuit
between two points even though it may pass through many frame relay switches
along the way, and even the path it takes among those switches may change
periodically.

It may even share part of the physical path with other "virtual circuits".
That's what VLANs do (multiple subnets---same physical wire).

So it can vary with the "context" it is spoken in.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Neil" <(E-Mail Removed)> wrote in message
news:Oxf%(E-Mail Removed)...
> As the webserver will be internet facing, I want to protect the internal
> network in the event of a hack / virus to the server.
> I am using a DSL account with 1 static IP address and a Trust
router/modem.
> What are virtual circuits? Are these any good to me?
> The manual is appaling!
> Thanks
> Neil
>
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
> > You can't with the equipment you have. It also makes a difference with
> what
> > type of line connection (DSL, T1, ect) you have and how many public IP#s
> you
> > have.
> >
> > Option #1
> > If you have multiple IP#s and *not* DSL or Cable you can put it outside
> the
> > private system with a public IP#.
> >
> > Option #2
> > Some firewall devices have a third "untrusted" DMZ interface. See the
> > product manufacturer to see how they expect you to use it.
> >
> > Option #3
> > Use two Firewalls and create a Back-toBack DMZ and put the server in it.
> >
> > But.....I'm not entirely sure what your expectations are. You mentioned
> > Domains, Ports 53 & 80, and Subnetting,...yet these three are not even
> > related to each other. Ports are Layer4, subnetting is Layer3, and
> Domain
> > are above and beyond the networking Layers and is the system's
> > Authentication model. You need to define what you mean by something
being
> or
> > not being able to "see" something else. You probably need to explain the
> > functionality you want rather than soemthing "seeing" something.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> >
> > "Neil" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > > I have a network with a NAT router - 192.168.0.2,
> > > a Domain Controller (2003) - 192.168.0.1,
> > > and a series of workstations - 192.168.0.100 and upwards.
> > > All have subnet masks of 255.255.255.0.
> > > I want to put a webserver on this network, which is not on the domain
> and
> > > has its own security policies etc.
> > > I want incoming traffic from the router on ports 53 & 80 routed to
this
> > box,
> > > but I don't want it to be able to see any of the client workstations
or
> > the
> > > DC and vice versa.
> > > So to all intents and purposes, as far as the main network is
concerned,
> > > this box won't exist!
> > > How do I configure the IP addressing / subnet masks to do this?
> > > Neil
> > >
> > >
> >
> >
>
>