firewall/vpn appliance needed?

Hey all,

I'm a bit confused at the moment. Our current setup is simply 1 box running everything, as when it was set up there were only 3 employees. The box did Exchange, DNS, DHCP... everything. Now with our impending office expansion and a proper IT budget I started thinking: we can't just have all our boxes internet facing etc., as currently the one box is sat behind a standard router being DMZ'd out to the world. Now with our new line we get 16 lovely IP addresses that will be used for 2-4 servers, depending on the whole firewall/VPN appliance needed.

Now my questions: for an office install like this do I need something like the ASA 5500 series or the Juniper equivalent? If so, how would I go about setting up the external IPs to route to the specific boxes? Is it done through NAT on the ASA? Also, would that mean that the DNS server would sit outside the firewall, as it would have to route the web traffic to the web server behind the firewall? As you can tell I've not used an ASA at all; I had a small amount of experience on a PIX a while back but I didn't learn enough on it.

So my current idea is this:

Internet -- Firewall/VPN gateway -- DNS, DHCP, AD server -- OFFICE NETWORK incl. Exchange server and webserver/SMTP etc...

Or have I got this all wrong??

My confusion sets in when I think about mail.

As the DNS server is on the inside of the network, how would someone be able to mail to [email protected], as all the MX records are on the inside of the firewall? Also how would I be able to "promote" the DNS server so that these things can be resolved?

Also how would I go about giving public AND private IPs to the boxes? Does each box need 2 network cards? 1 connected to the switch the firewall is connected to and 1 connected to the office network.

As you can tell I'm struggling. Luckily I have got time to sort this.

Many thanks

Angelos

If someone can help I will be very grateful :)

Also if someone can give me an idea about antivirus: I was thinking of going with NOD32 for the clients and mail server, but what's the gateway one for??
You say you've expanded, but just how large are we now talking? A 5505 or 5510 would be perfect for your needs, however.

As the DNS server is on the inside of the network, how would someone be able to mail to [email protected], as all the MX records are on the inside of the firewall? Also how would I be able to "promote" the DNS server so that these things can be resolved?

You'd have your internal DNS server for internal resolution and forwarding to root servers (or upstream DNS) for external lookup, and place your MX records on a public facing DNS server, such as whoever is the host or registrar of your domain.

Also how would I go about giving public AND private IPs to the boxes? Does each box need 2 network cards? 1 connected to the switch the firewall is connected to and 1 connected to the office network.

Not sure why you would want to. You'd just pass through from the external interface on whatever firewall you end up with to an internal IP on whichever port and server you wish to use. So say you have 16 WAN addresses, you would just NAT rule one of them on port 80 to your webserver's internal IP.
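To make the NAT part of that answer concrete, here is an added example (not from any poster in the thread) of how the single-port pass-through and split DNS would look on an ASA running 8.3 or later software. The addresses 203.0.113.10 and 192.168.10.20 and the object/ACL names are constructed placeholders.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ object NAT syntax
! and the default security levels (inside 100, outside 0).
! Constructed addresses: 203.0.113.10 is one of the 16 public IPs,
! 192.168.10.20 is the webserver on the office LAN behind the firewall.
object network web-server
 host 192.168.10.20
 ! Static NAT on one public address, but only for TCP 80, so the other
 ! ports on 203.0.113.10 stay closed and unused public IPs map to nothing.
 nat (inside,outside) static 203.0.113.10 service tcp www www
!
! In 8.3+ the access-list references the real (inside) address, not the
! mapped one. Permit only port 80 inbound; everything else is dropped by
! the implicit deny at the end of the list.
access-list outside_in extended permit tcp any object web-server eq www
access-group outside_in in interface outside
!
! Split DNS as described in the answer above: the internal DNS server on
! the LAN answers internal names and forwards other queries outbound; no
! inbound rule to it is needed because the public MX / A records live at
! the registrar. Outbound DNS from the LAN is allowed by default from the
! higher-security inside interface to the lower-security outside interface.
```

Repeat the object and NAT lines per server (for example a separate object for the SMTP host on port 25) rather than mapping a whole public address, so each public IP exposes only the one service intended.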
Ahhh thanks, so it's as my "diagram" above shows. Thanks, you've answered all my questions; I completely forgot about the registrar's DNS server hehe.

Thanks a lot paradigm, you seem to have helped me a lot recently :) As in my other thread, we've expanded to 10 employees and are moving to Singapore.

Thanks again, I got it now.
 
I'm a Juniper NetScreen fan. If it were me I would be putting something like an SSG20 at the perimeter of a network of that sort of size. If you wanted the device to perform AV / anti-spam / web filtering then it is capable of doing this using Kaspersky / Sophos / Websense respectively, all on an annual subscription basis. They are really straightforward to set up, and very solid pieces of kit. As paradigm says, your DNS is split internal vs. external, and if you want to front internet-facing services via a DMZ then you can do this on the NetScreen using mapped IP functionality (Juniper speak for 1:1 NAT). Hope this helps.
 
Just to confirm, both the SSG20 and ASA 5505 will work with a direct Ethernet connection, i.e. Ethernet WAN port, as that's how the net is provided: it's fibre, then Ethernet at the building.
Can't speak for the ASA as I don't really know the Cisco product set. The SSG20 only has Ethernet on-board though; 5 ports that you can do with as you wish: individual security zones, bind a few together into a switch, etc. There are two expansion slots if ever you needed non-Ethernet WAN presentation (e.g. ADSL, serial, etc.) or gigabit Ethernet as copper or fibre, etc. Hope this helps.
 
Sounds brilliant. 1 more thing: you wouldn't know where I could get one of them in Singapore (trust it to me if it breaks any rules) as my google-fu is weak atm; I can't even find a decent D**L server distributor or anything out there :(
 
Probably easier to get them shipped from HK or somewhere closer to China/Japan.

When we were kitting out our Philippines operation we ordered equipment mainly from HK based suppliers.
 