private ip addressing
| brianwph 2001-08-27, 4:04 am |
| hi,
I'd like to ask how many methods to implement (practically):
Originally I have 64 static ip for PCs and servers, and now I need more but don't want to buy new ip...
I've thought of:
1. Use a more powerful machine (e.g. Linux?/ win2k?) to be served as router
2. buy a router!
3. ...???
pls help, thanks! | |
| MadChef 2001-08-27, 5:37 am |
| Don't you have a router now? How are you getting those statically addressed devices out to the world, or are they not going out to the world?
For a network your size, a linux box will work fine, but it's not exactly the most scalable solution.
MadChef | |
| brianwph 2001-08-27, 10:06 pm |
| hi MadChef
well, I don't have a router; and yes, those static IPs are 'in the world'... but I have only 64 of them... but i want more IP but don't want to pay (budget matters! god).
a Linux box?? can u tell me more? thx a lot! | |
| chunder 2001-08-27, 10:47 pm |
| how are you connecting to the net?
how many boxes/devices do you need to have available for people on the net to get to (i.e. www/ftp/mail/dns servers)?
i'd recommend some type of box that will at least do NAT/Proxying. you can do this on linux without installing any third party software but you'd better have a good understanding of linux.
you can use products from Novell (BorderManager), Microsoft (Proxy or ISA Server), Cisco (PIX), CheckPoint (FirewallOne), gNatBox, and the list goes on...
with any one of the above mentioned devices/products, you can use NAT for all outgoing traffic and implement a private IP addressing scheme behind it. some will do reverse proxying so you can let traffic from the net come into your network to hit an FTP or WWW server, for example. some will have more layers of security than others and some will definitely cost more than others.
the ultimate solution would be to have a perimeter router, then a firewalling device and then even a proxying device to your DMZ and then another firewall separating your net from the Net. but that's a lot of work/money. second to that, go with a router, Proxying device and then the firewall. at least those are my thoughts... and we're working on building our network similar to option 1 (with the inclusion of IDS -- Intrusion Detection System -- boxes).
a false sense of security is as bad or worse than no sense of security. | |
| MadChef 2001-08-28, 5:38 am |
| quote: Originally posted by brianwph
hi MadChef
well, I don't have a router;
If you are connecting to the Internet, then you have a router of some sort. You can't go from one IP subnet to another without one. Since you don't know about one, then my guess is that you don't have any control over it. If you do, I'd try to leverage the investment you have in that router.
If you've got the understanding of Linux to build a NAT box/firewall from scratch, see the firewalling how-to at http://linuxdocs.org/HOWTOs/Firewall-HOWTO.html
It's really not that hard. Other free options include FreeBSD which has firewalling and my personal favorite for free firewalls, OpenBSD which is a NAT box/firewall out of the box. See the networking section of the FAQ for more details.
You can also buy some prepackaged linux firewalls for low cost, but I can't vouch for them.
Keep in mind that you'll either have to renumber your entire network and put them all behind the firewall or pass all the traffic between the two networks through your firewall.
MadChef | |
| depamo 2001-08-28, 4:12 pm |
| I think that I know where you might have some of this confusion. Since you are 'paying' for 64 Static IP's, I assume that they are from an ISP out of his bank of static IP's. If this is true, chances are if you don't have a router that the premises equipment also belongs to him.
Before going out and buying a router and setting up a NAT/PAT on this network, check your SLA to make sure that you won't void any work related agreements if you connect equipment to his network. If not, just go out and get one of those Linksys cable routers and just plug that sucker up with the instructions to a network of up to 254 computers over one static IP. Cheap, easy, SOHO solution with no programming.
If you want to go the Cisco way, best answer is a 2510 (2 ether connections) that you can get on eBay and then just do the same thing but you can make a combination of NAT and PAT using as much of your 64 addresses for stable communications then translating over to what remains for port translation.
So check it out but be safe about it!! |
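The combination of static NAT and PAT discussed in this thread, modelled as an added example that is not part of any poster's message: servers keep a one-to-one public address, every other private host shares one public address and is told apart by source port. The class name, the 192.168.1.x hosts and the 203.0.113.0/26 block (standing in for the 64 public addresses) are constructed for illustration, and the model is simplified in that it ignores protocol, remote endpoint and entry timeouts.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class NatGateway:
    """Toy translator: static 1:1 NAT for servers, PAT (overload) for all other hosts."""

    def __init__(self, static_map, pat_address, ports=range(1024, 65536)):
        self.static_out = {ipaddress.ip_address(priv): ipaddress.ip_address(pub)
                           for priv, pub in static_map.items()}
        self.static_in = {pub: priv for priv, pub in self.static_out.items()}
        self.pat_address = ipaddress.ip_address(pat_address)
        self.free_ports = iter(ports)
        self.pat_out = {}  # (inside ip, inside port) -> public port
        self.pat_in = {}   # public port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Translate the source of a packet leaving the private network."""
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in RFC1918):
            raise ValueError(f"{src} is not a private inside address")
        if src in self.static_out:               # server: own public IP, port unchanged
            return str(self.static_out[src]), src_port
        key = (src, src_port)
        if key not in self.pat_out:              # client: shared IP, new public port
            port = next(self.free_ports, None)
            if port is None:
                raise RuntimeError("PAT port pool exhausted")
            self.pat_out[key], self.pat_in[port] = port, key
        return str(self.pat_address), self.pat_out[key]

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of a packet from outside, or return None to drop it."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.static_in:                # static entry passes every port inward
            return str(self.static_in[dst]), dst_port
        if dst == self.pat_address and dst_port in self.pat_in:
            ip, port = self.pat_in[dst_port]
            return str(ip), port
        return None                              # no translation entry, nothing to forward to

# Constructed sample: two servers with static mappings, everyone else behind one PAT address.
gw = NatGateway({"192.168.1.10": "203.0.113.10", "192.168.1.11": "203.0.113.11"},
                pat_address="203.0.113.62")
```

In this model a PAT client cannot be reached from outside until it has opened a connection itself, while a statically mapped server receives traffic on every port, so the static entries are where filtering rules are needed.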