
where to place the firewall

r6ashih

Senior member
T1-->switch-->servers and workstations.

I know the firewall is supposed to go between the T1 and the switch, but some of the servers have 2 network cards because they have public IPs.

Would placing the firewall between the T1 and switch interrupt them?

Edit: another question:

Do I need to set up any routing configurations on the Cisco PIX 501 router? Is the T1/cable modem synonymous with router?
 
It wouldn't interrupt them at all. In fact it would protect them. You could give the servers private addresses and then create a static network address translation (NAT) that says whenever someone tries to go to 111.111.111.101 (public address), forward that to 10.1.1.101 (private address). You can then use the firewall to restrict exactly what traffic is allowed through access lists.
 
Yes, I think it would disrupt it. I assume the public IP machines are web servers, etc., which should be in a DMZ.
I suppose you could use port forwarding, but I think you have to look at your network with what exactly you want from it.
 
Here is a link to a pic of my network: network.GIF

The servers are using both public and private IPs. Don't ask me why it's like this, that's how it was when I got here.
 
Yes, server1 needs to be accessed from the outside... our website (hosted by a company) accesses the server for its database.
 
Originally posted by: OMG1Penguin
Yes, I think it would disrupt it. I assume the public IP machines are web servers, etc., which should be in a DMZ.
I suppose you could use port forwarding, but I think you have to look at your network with what exactly you want from it.

I agree. If these servers have legit public IPs that need to be accessed from the internet, then they need to be put in a DMZ so folks from the net can access them. Otherwise once the firewall goes up, no access.
 
Some servers you may not want in the DMZ. Your Server1 has stuff that outside people need, but you definitely don't want them to have access to your shared files on it. So you could just put it in the protected side of the firewall, NOT the DMZ. Then set up some "pinholes" from the outside through the firewall to that server's IP and ports that are needed.
 
Originally posted by: Cheetah8799
Some servers you may not want in the DMZ. Your Server1 has stuff that outside people need, but you definitely don't want them to have access to your shared files on it. So you could just put it in the protected side of the firewall, NOT the DMZ. Then set up some "pinholes" from the outside through the firewall to that server's IP and ports that are needed.


If I move server 1 behind the firewall, I would change the firewall's public IP to that of server1's public IP and just forward the database port to server one (with the private IP), thus eliminating the need for the second network card on server1, correct?
 
Originally posted by: r6ashih
Originally posted by: Cheetah8799
Some servers you may not want in the DMZ. Your Server1 has stuff that outside people need, but you definitely don't want them to have access to your shared files on it. So you could just put it in the protected side of the firewall, NOT the DMZ. Then set up some "pinholes" from the outside through the firewall to that server's IP and ports that are needed.


If I move server 1 behind the firewall, I would change the firewall's public IP to that of server1's public IP and just forward the database port to server one (with the private IP), thus eliminating the need for the second network card on server1, correct?

No, you would assign the firewall a third public IP address. Then you would create a static NAT that would forward traffic to the private IP address of the server. Or I believe that you could leave the public address on the server and route the traffic to that public address. I believe that the server having a private address with a statically NATed public address is probably more secure.
 
Step 1. Move the database server off your DC.
Step 2. Put everything but the database server in 1 network behind the firewall.
Step 3. Create a DMZ behind the firewall, and follow reicherb's directions.
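
The static NAT plus "pinhole" arrangement discussed in the replies above, modelled as an added example that is not part of the original thread and is not PIX configuration: one public address is mapped to one private address, and an inbound access list with an implicit deny opens a single port to a single source. The web host address 198.51.100.10 and database port 1433 are assumptions, since the thread names neither.

```python
from ipaddress import ip_address, ip_network

# Public -> private mapping, using the example addresses given in the thread.
STATIC_NAT = {"111.111.111.101": "10.1.1.101"}
WEB_HOST = "198.51.100.10"   # assumed address of the externally hosted website
DB_PORT = 1433               # assumed database port (not stated in the thread)

# Inbound access list on the outside interface: first match wins and
# anything that matches no entry is denied.
# Fields: (action, source network, public destination, destination port)
ACL = [
    ("permit", WEB_HOST + "/32", "111.111.111.101", DB_PORT),
]

def inbound(src, dst, dport):
    """Return (verdict, forwarded_to) for a packet arriving from the outside."""
    private = STATIC_NAT.get(dst)
    if private is None:
        return ("drop: no translation", None)
    for action, net, acl_dst, acl_port in ACL:
        if ip_address(src) in ip_network(net) and dst == acl_dst and dport == acl_port:
            if action == "permit":
                return ("permit", private)
            return ("deny: access list", None)
    return ("deny: implicit", None)

def exposed(packets):
    """List the packets that reach an inside host, with the host they reach."""
    results = [(p, inbound(*p)) for p in packets]
    return [(p, fwd) for p, (verdict, fwd) in results if verdict == "permit"]

# Constructed test traffic: (source, public destination, destination port)
SAMPLES = [
    (WEB_HOST, "111.111.111.101", DB_PORT),       # website querying the database
    ("203.0.113.7", "111.111.111.101", DB_PORT),  # unknown host, same port
    (WEB_HOST, "111.111.111.101", 445),           # file sharing on the same server
    (WEB_HOST, "111.111.111.102", DB_PORT),       # public address with no static NAT
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", inbound(*pkt))
```

Only the first sample is forwarded to 10.1.1.101; file sharing on the same server stays unreachable from outside even though the server itself is published.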
 