In this example there is a business with a small Ethernet LAN that is using IPX/SPX or
NetBEUI as a network protocol. There are a few dozen systems on the network, including some
Microsoft Windows for Workgroups 3.11 systems, some Windows 95 systems, a few Windows NT
Workstation systems, and two or more Microsoft Windows NT 4.0 Server systems. The business
would like to connect to the Internet and host their own E-Mail and Web server. Security is
not a critical issue but they would like to be protected from possible hacker attacks and do
not want every user system on the LAN to have Internet access. The projected needs do not
require high bandwidth. For this example we will use Company.Com for the company
domain name.
The decision has been made to connect to an ISP via ISDN across an Ascend Pipeline ISDN router. The connection will keep at least one 64k baud channel up at all times, and will bring the second channel on line for 128k baud service if traffic exceeds the capacity of the 64k channel. When traffic falls below 64k baud the second channel will be dropped.

Because the company already owns Microsoft NT 4.0 Server, and the network uses primarily Microsoft software, the Microsoft Proxy Server has been chosen for use as a firewall and proxy server, Microsoft DNS to provide Domain Name Service, Microsoft Internet Information Server for a Web server, and a standard SMTP/POP3 server for E-Mail. The site will be firewalled behind a proxy server, so there is no need for the ISP to route more than two IP addresses: one for the ISDN router and one for the proxy server. The rest of the LAN will be configured using Private IP Addresses from the 192.168.10.0 class C network. The ISP allocates the IP subnet 205.217.146.128 with a netmask of 255.255.255.252 for this connection. This allocates four IP addresses as follows:

205.217.146.128  the subnet network address
205.217.146.129  the ISDN router
205.217.146.130  the Proxy server
205.217.146.131  the subnet network announce address

The ISDN router is configured with an IP address of 205.217.146.128/30. This causes it to dial into the ISP using this address with a subnet mask of 255.255.255.252. The ISP will route the subnet of IP across this connection to the router.

One of the Win NT Server systems is selected to run the Proxy server, DNS server, Web server, and E-Mail server software. This system is configured with two Ethernet Network Interface Cards (NICs), and TCP/IP protocol software is loaded. One of the NICs is connected directly to the ISDN router with a 10Base-T crossover cable. This NIC is configured with the IP address 205.217.146.130 and a netmask of 255.255.255.252. The default gateway for this system is set to 205.217.146.129, the IP address of the ISDN router. The DNS server address for this system is set to point to the system itself, 205.217.146.130. The second NIC in this system is connected to the in-house LAN and configured with an IP address of 192.168.10.1 and a netmask of 255.255.255.0. In this configuration the default gateway for the second NIC is left blank. It is important in this configuration to make sure that IP forwarding or IP routing is NOT enabled on the Proxy server system; otherwise the system would route packets between the two NICs and bypass the proxy entirely.

The DNS software on the Proxy system is set up and configured with only the names and IP addresses of the router and the proxy server. The DNS name of the ISDN router is set to ISDN.Company.Com, and the name of the proxy server is set to WWW.Company.Com. The Mail Exchanger (MX) entry for Company.Com is set to deliver mail to the Proxy system. A Reverse Arpa database record is built for this network, listing just the IP addresses for the ISDN router and the Proxy system. For this example the ISP has agreed to host a secondary DNS server for the domain, and has agreed to also serve as an off-site E-Mail relay host. This ensures that E-Mail will not be lost if the ISDN connection is temporarily out of service. Reverse Arpa for the subnet is also delegated to the Proxy system from the ISP.

E-Mail is loaded and configured on the Proxy server system. An E-Mail address is configured for each user on the network who will be receiving E-Mail from the Internet. Also, special addresses are set up for Postmaster@Company.Com and Hostmaster@Company.Com so that administrative messages can be received for these identities. Microsoft IIS is loaded and configured on the Proxy system. The company home page is loaded on that system and configured to display as the default home page.

A second Microsoft Windows NT 4.0 Server system is selected to be the interior DNS and IP administration system for the protected network inside the firewall. It is loaded with TCP/IP, and the NIC is configured to IP address 192.168.10.2 with a netmask of 255.255.255.0. The default gateway address for this system is set to 192.168.10.1, the interior address of the Proxy system. The DNS server address on this system is set to point to itself, 192.168.10.2. This system will be loaded with DNS, DHCP, and WINS services.
The DNS server software on the interior DNS system is configured to use the Windows Internet
Name Service (WINS) and Dynamic Host Configuration Protocol (DHCP). It is set to consider
itself a Primary DNS Server for
In the DHCP configuration the Scope is set with an IP address range of 192.168.10.3 through
192.168.10.254, with a netmask of 255.255.255.0. The Router address is set to 192.168.10.1,
the DNS server setting is set to point to the interior DNS server at 192.168.10.2, and the
Domain Name is set to Company.Com. This will allow internal systems to be
automatically configured using the DHCP protocol. By loading and using WINS, these
dynamically defined systems will be registered in DNS and accessible by other internal
systems.
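The address plan above has several constraints that are easy to get wrong when typed into two servers by hand: the /30 must leave exactly the router and proxy as usable hosts, the interior side must stay in private space with a DHCP scope that skips the two static hosts, and the exterior DNS must never publish a 192.168.10.0/24 address. The following check is an added example, not part of the original article; the addresses are the ones the text gives, while the helper functions and the zone-record layout are assumptions.

```python
"""Consistency checks for the dual-homed proxy address and DNS plan.
Added example (not from the article); addresses are the article's values,
function names and the EXTERIOR_ZONE layout are hypothetical."""
import ipaddress

ISP_ALLOCATION = ipaddress.ip_network("205.217.146.128/30")
ISDN_ROUTER = ipaddress.ip_address("205.217.146.129")
PROXY_EXTERNAL = ipaddress.ip_interface("205.217.146.130/30")
PROXY_INTERNAL = ipaddress.ip_interface("192.168.10.1/24")
INTERIOR_DNS = ipaddress.ip_interface("192.168.10.2/24")
DHCP_SCOPE = (ipaddress.ip_address("192.168.10.3"),
              ipaddress.ip_address("192.168.10.254"))

# Records the exterior DNS on the proxy publishes (constructed from the text).
EXTERIOR_ZONE = [
    ("ISDN.Company.Com", "A", "205.217.146.129"),
    ("WWW.Company.Com", "A", "205.217.146.130"),
    ("Company.Com", "MX", "WWW.Company.Com"),
]


def external_plan_ok():
    """A /30 leaves exactly two host addresses: router and proxy, on one link."""
    hosts = list(ISP_ALLOCATION.hosts())  # excludes network and announce addresses
    return (len(hosts) == 2
            and ISDN_ROUTER in hosts
            and PROXY_EXTERNAL.ip in hosts
            and PROXY_EXTERNAL.network == ISP_ALLOCATION)  # gateway is on-link


def interior_plan_ok():
    """Interior side is RFC 1918 space and the DHCP scope skips static hosts."""
    net = PROXY_INTERNAL.network
    lo, hi = DHCP_SCOPE
    static = (PROXY_INTERNAL.ip, INTERIOR_DNS.ip)
    return (net.is_private
            and INTERIOR_DNS.network == net
            and lo in net and hi in net
            and hi < net.broadcast_address
            and not any(lo <= s <= hi for s in static))


def private_addresses_exposed(zone):
    """Names whose A records would leak interior addresses to the Internet.
    The article's rule: the exterior DNS lists only the router and the proxy."""
    return [name for name, rtype, data in zone
            if rtype == "A" and ipaddress.ip_address(data).is_private]
```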
Systems on the interior, protected network are loaded with the client TCP/IP software from
the Microsoft Proxy Server. This allows them to use any standard TCP/IP applications to
communicate through the Proxy, if their user ID or system is granted that privilege. They
are configured to use DHCP for TCP/IP configuration, and are set to use the WINS server on
the Interior DNS system.
Standard World-Wide-Web browser software, such as Microsoft Internet Explorer, Netscape
Navigator, and Mosaic, can be loaded on the interior systems. Because the TCP/IP client
software from the Microsoft Proxy Server is in use, special proxy configurations in the
browsers should not be needed.
The E-Mail client applications on interior systems are set to use 192.168.10.1, the interior
address of the Proxy server as a Post Office system and SMTP server. Incoming mail will be
received by the Proxy system and held there to be retrieved by the recipient. The client
systems contact the Proxy to pick up and drop off mail.