Intel 9515 Saw User Manual


 
DMZ Firewall Solution for the Express Router
07-12-99 Version 1.0 17
4 DMZ Multiple IP Address Solution
This solution explains how to set up a DMZ when the ISP supplies you with multiple IP
addresses. In the example, the ISP has assigned the site a range of IP addresses: 193.84.251.0 to
193.84.251.7 (subnet mask 255.255.255.248).
Intel Express
Router
Internet
HTTP/FTP
server
193.84.251.1
Mail
server
89.20.0.1
HTTP/FTP
proxy
server
193.84.251.2
Secure LAN
89.20.0.0
LAN2 port
193.84.251.5
LAN1 port
89.20.0.10
Users
SMTP
server
193.84.251.3
News
server
193.84.251.4
193.84.251.0
DMZ
News
server
89.20.0.2
DNS
server
194.25.6.4
News
(NNTP)
server
196.24.5.8
Secure LAN
90.20.0.0
10/100
Layer 3 switch
Note: The services available on the DMZ can be placed on a single server. If this is done, you
must configure NAT accordingly.
The solution does not configure NAT on the WAN interface (connection to the Internet). This
eliminates problems with protocols that are not supported by the router’s NAT implementation.
4.1 IP Address Assignment
The servers on the DMZ network have been assigned official public IP addresses. NAT is not
required for these addresses. The secure private LAN consists of two networks, 89.20.0.0 and
90.2.0.0, which are official public IP addresses. You must use NAT to translate these addresses to
private IP addresses.
Note: The first and last IP address in the range provided by the ISP must not be used for devices.
The WAN connection to the Internet must be configured as unnumbered.
4.2 Static Routing Setup
Configure static routing as follows:
Configure static routing on the Internet connection, LAN1, and LAN2. This is done in
Advanced Setup by setting the Routing Protocol parameter to None/Static.
Define a static route on the WAN interface to the Internet. Use the default static route setting
(network address of 0.0.0.0 and network address of 0.0.0.0) as shown in the example below.