Best practice for ASG 320 setup for LAN & Public IP services...

dgungadoo · #1 (**permalink**) 06-10-2009, 05:01 PM

Greetings, I just acquired an ASG 320 running Firmware 7.403 and Pattern version 9785.

I have some questions regarding the setup of the ASG-320 box. I want to configure one of the Interface ports to DHCP Local IPs (192.168.0.***) and another Interface port for a bunch of Servers under Public IPs (both connected through 2 separate Switching Hubs).

What is the best practice ?
1) Assign 1 port for the Public IPs and Bridge it to the WAN port
2) Assign Private IPs to the Servers, and NAT them individually

These servers do Web, FTP, Oracle databases, SQL databases & audio streaming services.

I notice the training videos on the Astaro support, doesn't deal with Public IPs behind their units.

BAlfson · #2 (**permalink**) 06-10-2009, 06:58 PM

Probably option 2. How many public IPs would you need to DNAT?

BarryG · #3 (**permalink**) 06-11-2009, 12:50 AM

Depending on how big your public subnet is and if you can afford to divide it, you can create a small /30 external subnet, and then use the rest of your subnet in the DMZ.
For this to work, you'd have to get your ISP to route all your subnet through your firewall IP on the /30.

I'm doing this with a class C on our v6 firewall.

On our new firewall, I was ordered to NAT everything, which is currently a huge pain. It may be less painful in upcoming Astaro versions.

Barry

dgungadoo · #4 (**permalink**) 06-11-2009, 02:08 PM

Quote:

Originally Posted by BAlfson

Probably option 2. How many public IPs would you need to DNAT?

Thanks for the suggestion. I have around 24 Public IPs.
It is critical for my Private LAN to have gigabit access to the Public IPs, hence the main reason why I bought a ASG 320 instead of the cheaper ASG 220.

So my topography would be:

.......ISP
........|
..Cisco Router
........|
......eth1
Astaro ASG 320
...../............\
.../...............\
eth0............eth4
.|...................\
LAN..............Public (DNAT)
.|......................\
192.168.0.x.......192.168.1.x

I configure the ASG 320's ports as follows:
eth0 is 192.168.0.1 & set to DHCP from 192.168.0.2 to 254
eth1 is set with a 1 Public IP
eth4 is 192.168.1.1 & set to DHCP from 192.168.1.2 to 254
The Local IPs of the servers are Static MAC/IP mapped
Each relevant port of the servers (i.e. 80 for Web, 21 for FTP) is DNATted over from a Public IP to the relevant 192.168.1.x

Can I presume that when a LAN (192.168.0.x) computer accesses the Public IP address of the DNATed section, they'll talk at gigabit speeds ?

BAlfson · #5 (**permalink**) 06-11-2009, 05:48 PM

OK, a few thoughts...

Looks like great fundamental ideas.

The one additional best practice I see would be to choose internal ranges in 172.16.0.0/12 so that you can avoid conflicts with VPNs for anyone working from home.

As for speed, you probably have enough power in the 320 to run the HTTP/S proxy from your internal users to your server farm without slowing down that traffic.

You also mention FTP; if you are uploading a lot from the internal network to the server farm, you might want to disable the IPS checking of that traffic if you notice slowdowns.

Finally, if you have heavy public users of FTP downloads, you might consider setting QoS on the external interface to reserve enough bandwidth for the surf requests of your internal users.

Cheers - Bob

BarryG · #6 (**permalink**) 06-11-2009, 11:57 PM

Don't forget Masquerading and/or SNAT for your DMZ, and Masq for the LAN.
Otherwise looks fine + what Bob said.

Barry

dgungadoo · #7 (**permalink**) 06-12-2009, 09:56 PM

Quote:

Originally Posted by BAlfson

172.16.0.0/12

Thanks for your recommendations guys... I'll give it a spin.