New to Network - Is this topology and understanding correct ? (please help)

SJ K

Hi all,

I am new to networking and am currently taking my ICND1 course, but I have no actual hands-on experience besides the short lab lessons in class.

Hence, I would like to take this opportunity to check with the gurus here for their advice and to see whether my understanding is correct or wrong.

Please pardon me if I ask any silly questions or make any wrong theories.

=========================================================

Refer to the diagram below (which I drew).

Assumptions

Node 1 and Node 2 need to have public IPs assigned by the ISP.
Internal and management networks are not reflected.
Security is not a concern; NAT/DMZ not required.
Firewall and Router are 2 separate physical devices.
 

Questions

Q1) Is my topology and IP assignment correct based on the assumptions above?

Q2) Do we need to assign IPs to Fe0/0 on both the firewall and MyRouter? Must they use the ISP-issued IPs, or can they be internal IPs?

Q3) Can we consider MyRouter Fe0/0 and below = 1 broadcast domain/network segment, or
MyRouter Fe0/0 to firewall Fe0/0 = 1 network segment and Firewall Fe0/1 and below = another network segment? And why?

 

I am thinking about how an IP packet travels from Node1 to the internet. Let's say Node1 sends a packet to 8.8.8.8:

[src ip=202.156.1.4][dst ip=8.8.8.8][src mac=a.b.c.d][dst mac=a.b.c.f] (packet going from Node1 to the gateway/firewall)
[src ip=202.156.1.4][dst ip=8.8.8.8][src mac=a.b.c.g][dst mac=a.b.c.h] (packet going from the Firewall to the MyRouter)

Q4) How does the firewall know which interface it must exit on for the next hop?
Is there a routing table in the firewall? Does the firewall have a default gateway, or does it have a default route?

Q5) Since the firewall is connected to MyRouter directly, how does it know the MAC address of MyRouter, and vice versa? Can we do an ARP request without going through a switch? Is MyRouter physically connected to the switch or to the firewall?

Hope some kind gurus here can enlighten me.

Thanks


SJ K

Anyone? :(
 

The firewall in your diagram is a L3 hop.

So you cannot have the same IP subnet on the outside of the firewall and on the inside as well.

So no, the way you have set it up will not work.

There are ways to do it but it depends on what requirements you have been given.

Jon

Hi Abbas and Jon,

Thanks for replying.

Hi Jon,

Q1) Can you elaborate on the meaning of "L3 hop"? Do you mean it is doing routing, and hence the inside and outside of the firewall cannot belong to the same subnet?

In that case, as per my questions in the original thread:

Q2) Do we need to assign IPs to Fe0/0 on both the firewall and MyRouter? Must they use the ISP-issued IPs, or can they be internal IPs? (Can I use internal IPs, e.g. 192.168.0.1 and 192.168.0.2, then?)

Q3) Since the firewall is connected to MyRouter directly, how does it know the MAC address of MyRouter, and vice versa? Can we do an ARP request without going through a switch? Is MyRouter physically connected to the switch or to the firewall?

Regards,
Thanks

 

Yes, that's what I meant by L3 hop.

In terms of IP addressing it depends on what the ISP has given you. Often you get two blocks, one for the link between the outside of your router and the ISP router and one for use for the connection between the outside interface of your firewall and the inside interface of your firewall.

The ISP router would then have a route for the block in use between your firewall and router pointing to the outside interface of your router.

If you only get one block and you can't subnet it down then yes you can make the link between the firewall and your router a private address subnet.

The main thing here is that you then need to do the NAT for internal clients on the router, not the firewall, and it is a good idea if possible to have all things on the firewall, e.g. access control, NAT etc.

I don't really understand what you are asking in your third question. The router should definitely not be connected to the internal switch, so the firewall does not use the switch to get to the router.

Like I said before you can't use the IP addresses the way you have and that is probably what is confusing you in terms of traffic flow.

Jon

Hi Jon,

Thanks for shedding some light on my questions

In terms of IP addressing it depends on what the ISP has given you. Often you get two blocks, one for the link between the outside of your router and the ISP router and one for use for the connection between the outside interface of your firewall and the inside interface of your firewall.

The ISP router would then have a route for the block in use between your firewall and router pointing to the outside interface of your router.

Q1) Let's say the 1st block is 202.123.123.1 and 202.123.123.2; those will be the IPs between the external interface of MyRouter and the ISP router -> am I right?

Q2) For the 2nd block, based on my example, it will be 202.156.1.0/24, am I right?

Q3) Can I further subnet this block (202.156.1.0/24) so that I can have a different subnet between MyRouter internal interface fe0/0 <-> MyFirewall external interface fe0/0, and another subnet for MyFirewall internal interface fe0/1 and below?

In this case, I can have 2 different subnets so that routing can occur between MyRouter and MyFirewall?

Q4) Actually, with regard to the question of whether MyRouter needs to be connected to the switch: from what I have understood, a packet needs to have both the L3 IP addresses and L2 MAC addresses to be sent out.

Since the firewall is forwarding a packet from Node1 to MyRouter, it needs to know MyRouter's MAC address, so I am asking whether an ARP request can be done directly over the connection from MyFirewall to MyRouter.

Actually, is there a routing table inside the firewall as well? How does it know where to forward the packet out?

Q5) I understand that it will be good to do NAT, and I have been hearing from people that assigning public IPs on the nodes is bad. But why?

If I have assigned public IPs on the nodes, don't the packets still go through the firewall for whatever inspection is needed, as compared to NAT?

Jon, just a shoutout and thanks on the replies that you have given me as I do not really have anyone to ask except for the forums around.

Thank you.

Regards,
Noob

 

 

Q1) Yes

Q2) Well yes but you don't always get a /24 from your ISP

Q3) Yes you can but be aware whenever you subnet down you lose IPs because each subnet needs a subnet address and a broadcast address.

see Q5) for more details :-)

Q4) You do need MAC addresses for delivery of packets within the same IP subnet, but your router and firewall interfaces have these, so a straight connection between the two would work.

You don't need a switch for ARP requests and replies to work.

Often people use a switch in between, but it is a separate switch, not the internal one, because of security issues.

Yes, the firewall also has a routing table.

Q5) You can assign public IPs to your LAN devices, and yes, then there would be no need for NAT on the firewall, but you just don't get enough of them usually to be able to do that.

So by far the most common setup is private IP addressing on your LAN and then NAT on your firewall (or router) for internet access.

There are different types of NAT. For internal clients you can hide all their IPs behind just one public IP (depending on the number of internal IPs obviously) and the public IP used here is usually the one on the outside interface of whichever device is doing the NAT.

If you have servers you want to give access to from the internet you have to have a static permanent translation and these are the ones where your other public IPs in the block you were assigned usually get used.

Hope that's answered your questions.

Jon

Hi Jon!

Marvelous reply, simple and straight to the point!

But just 1 final bit from your initial reply:

If you only get one block and you can't subnet it down then yes you can make the link between the firewall and your router a private address subnet.

The main thing here is that you then need to do the NAT for internal clients on the router not the firewall and it is a good idea if possible to have all things on the firewall eg. access control, NAT etc.

Q1) Why do we need to do NAT at the router level if it is a private subnet between MyFirewall and MyRouter? (Assuming that my nodes will be using public IPs instead, will the setup below work?)

Q2) Is the MyFirewall able to route from a private subnet to a public subnet as per my illustration below in red (updated diagram)
 

 

Regards,
Noob

 

In your latest example no NAT is needed because your LAN devices are using public IPs.

You wouldn't want the firewall to NAT here, because it is using private IPs, and then the router would have to do NAT again.

Remember private IPs are not routable on the internet.

All that NAT would be pointless because you are already using public IPs on your LAN.

Yes the routing would work as long as the firewall had a default route with the next hop IP of the private IP on the router and the router had a route to the public IP subnet in use in your LAN with a next hop IP of the firewall outside interface private IP.

Jon
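To make Jon's routing answer concrete, here is an added example (not from the thread) that models the final design in Python: the firewall's default route pointing at the router's private link IP, the router's return route for the public LAN pointing at the firewall's outside IP, and the per-hop MAC rewrite from the original packet walk. The 192.168.0.0/30 link, the router's outside interface name Fe0/1, the ISP /30 and all MAC addresses are assumptions.

```python
import ipaddress

# Constructed addressing following the thread's final design: public LAN
# 202.156.1.0/24 behind the firewall (Node1 = 202.156.1.4), an assumed private
# /30 (192.168.0.0/30) between firewall Fe0/0 and router Fe0/0, and an assumed
# public /30 (202.123.123.0/30) between router Fe0/1 and the ISP. MACs are made up.
NET = ipaddress.ip_network

# Routing tables: (prefix, next hop or None if directly connected, exit interface)
ROUTES = {
    "firewall": [
        (NET("202.156.1.0/24"), None, "Fe0/1"),
        (NET("192.168.0.0/30"), None, "Fe0/0"),
        (NET("0.0.0.0/0"), "192.168.0.1", "Fe0/0"),        # default route -> router
    ],
    "router": [
        (NET("192.168.0.0/30"), None, "Fe0/0"),
        (NET("202.123.123.0/30"), None, "Fe0/1"),
        (NET("202.156.1.0/24"), "192.168.0.2", "Fe0/0"),   # LAN via firewall outside IP
        (NET("0.0.0.0/0"), "202.123.123.1", "Fe0/1"),      # default route -> ISP router
    ],
}
# Interface MACs per device, and the ARP cache entries learned on each link.
MAC = {"node1": "aa:00:00:00:00:04",
       "firewall": {"Fe0/1": "aa:00:00:00:00:01", "Fe0/0": "aa:00:00:00:00:02"},
       "router": {"Fe0/0": "aa:00:00:00:00:03", "Fe0/1": "aa:00:00:00:00:05"}}
ARP = {"202.156.1.1": MAC["firewall"]["Fe0/1"],    # Node1's gateway = firewall inside
       "192.168.0.1": MAC["router"]["Fe0/0"],       # learned by the firewall over the /30
       "202.123.123.1": "aa:00:00:00:00:ff"}        # ISP router MAC, constructed

def lookup(device, dst):
    """Longest-prefix match on a device's table; returns (next_hop_ip, exit_interface)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES[device] if dst in r[0]), key=lambda r: r[0].prefixlen)
    return (best[1] or str(dst)), best[2]   # connected route: next hop is the destination

def trace(src_ip, dst_ip, gateway="202.156.1.1"):
    """Frames on each link from Node1 to the ISP: IPs stay fixed, MACs change per hop."""
    frames = [{"src_ip": src_ip, "dst_ip": dst_ip,
               "src_mac": MAC["node1"], "dst_mac": ARP[gateway]}]
    for device in ("firewall", "router"):
        next_hop, out_if = lookup(device, dst_ip)
        frames.append({"src_ip": src_ip, "dst_ip": dst_ip,
                       "src_mac": MAC[device][out_if], "dst_mac": ARP[next_hop]})
    return frames

if __name__ == "__main__":
    for frame in trace("202.156.1.4", "8.8.8.8"):
        print(frame)
```

The return lookup (`lookup("router", "202.156.1.4")`) picks the /24 over the default route, which is the static route Jon says the router needs for the public LAN.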

Hi Jon,

I just want to declare: you are now my official idol in the Cisco forum and I am following you.

Thanks a million, trillion, zillion times!

Regards,
Noob

No problem, glad to have helped.

Jon

The only consideration I would say is that you should use private reserved IP space on your LAN and save the global IPs for NAT through the firewall. Either way it will work, but from a design, security and cost perspective, a /24 block of IP addresses can be a costly add-on from the ISP, and directly exposing your nodes with a global IP is a security risk. It may not apply in your case, but what if you have more than 254 hosts on the LAN?

 

Just my 2 cents.

Hi Abbas,

Thanks for replying, and I appreciate your advice, but can you shed some light on why, besides the design, cost and number-of-available-IPs concerns, opening nodes with a global/public IP is a security risk? The traffic still goes through the firewall for checking, doesn't it?

I understand that with NAT it's like adding an additional layer in front of your nodes' actual addresses, but can you list some real examples in which having a public IP on the node instead of NAT will pose a security risk?

Regards,
Alan

Alan

I hope Abbas gives his perspective but people have different views on whether NAT helps security or not.

I have seen some argue you don't need a firewall and all you need is NAT. The idea behind this is if your internal hosts are using private IPs then they cannot be reached from the internet because they are not routable.

If you use public IPs in your LAN then they can be reached.

Personally I think it does add a level of protection you wouldn't otherwise have, but I would not go so far as to say you don't need a firewall.

Security is best when it's layered and NAT is just one element of that.

A firewall does a lot more than just NAT and for most companies it is an essential part of their security.

Jon

 

Hi Jon, Abbas,

Thanks for the feedback and I will keep them in mind!

Regards,
Alan