
I am looking to set up a small network for a client which would be isolated from his primary network. (I'm hoping to set up the additional network as VMs on the primary network.)

I've instructed the client to request a bunch of static IP addresses from his ISP, but I'm not sure how to proceed with setting this up.

What hardware will I need and how do I go about the configuration?

Heavy security is not my concern. All that's really required is that web requests from the two networks be presented to the outside world with different IP addresses.

  • If this is externally facing, a Cisco ASA is a great security appliance, maybe a 5505/5510 depending on what your needs are; Cisco Routers also come with pretty elaborate security features. If it's just a separate network within their current one you could use other options. Once you have the addresses routed in you would want to set up a DMZ most likely. That being said, this is a vague question - what will the network needs be, what level of security is needed - why do they need a lot of static IPs? – Abraxas Aug 25 '14 at 15:04
  • Can you elaborate on what/why you need an isolated network? Will help immensely in answering your question accurately. – gravyface Aug 25 '14 at 15:06
  • I don't need to get crazy with security. All that's really required is that web requests from the two networks should be presented to the outside world with different IP addresses. – Isaac Kleinman Aug 25 '14 at 15:07

1 Answer

Bit of an odd request, but really any decent business-class firewall should be able to permit custom NAT rules so that network A's clients are source-NAT'ed to a different IP than network B's clients.

If you're getting a routed subnet(s) from the ISP, then you'll need to configure proxy ARP or "virtual IPs" on the outside interface to "answer" or masquerade for requests to/from one of these subnets that are now getting routed to your firewall/router.

Can the public IPs be contiguous or do they have to appear to be different? If the former is OK, just ask the ISP for a static /29 (5 IPs) and save yourself some configuration grief. You can then light up a virtual IP on the WAN interface, and writing a NAT rule for network B should be pretty straightforward.

EDIT:

Haven't confirmed, but it appears as though the business/decision maker of company A doesn't want any liability of company B's web surfing habits.

If that's the case, the best solution is to get an entirely different Internet connection registered as company B. Solves the different IP problem, and in reality, affords better "CYA" protection than a routed subnet registered under the same business.

gravyface
  • Out of curiosity do you have any links to explain how you control the outgoing traffic IP? I've only done this on a small scale and would NAT an IP to an internal device but all outbound traffic left through the Gateway IP on the modem? – Abraxas Aug 25 '14 at 15:18
  • This would really be vendor-specific information. What firewall are you using? – gravyface Aug 25 '14 at 15:20
  • Oh, I'm not looking for a specific document for specific equipment, I'm just wondering if there's a term for "force outbound traffic to go over IP 'x' instead of IP 'y or z'. – Abraxas Aug 25 '14 at 15:22
  • @gravyface: Is it really an odd request? I thought it was common for a parent company to seek to isolate two child operations. – Isaac Kleinman Aug 25 '14 at 15:22
  • @gravyface: As a networks n00b, I'll have to research some of the terms you mention, but the information does appear helpful. – Isaac Kleinman Aug 25 '14 at 15:23
  • @Abraxas it's really just NAT, but you'll run into terms like proxy ARP and policy (source) routing, depending on what you're doing and how it's implemented. – gravyface Aug 25 '14 at 15:25
  • @IsaacKleinman isolating networks (webservers in a DMZ, company A from company B, department A from department B) is Standard Operating Procedure; NAT'ing clients out as different public IPs isn't really something I'd see as being all that useful, unless maybe you're concerned with SMTP blacklisting or something, but if you have control over the edge network, you might as well put the same security policies in place to equally protect both. – gravyface Aug 25 '14 at 15:28
  • @gravyface: if my assumption is correct, the client's concern is that a particular third-party they interact with over the web will assume company A and company B are the same concern if they use the same public-facing ip addresses. – Isaac Kleinman Aug 25 '14 at 15:32
  • @IsaacKleinman see my edit. Getting a different Internet connection is the correct answer here. – gravyface Aug 25 '14 at 15:34
  • @gravyface: but the rest of the steps you describe remain the same? – Isaac Kleinman Aug 25 '14 at 15:49
  • @IsaacKleinman with a secondary Internet connection, you'd follow a typical multi-WAN setup (but forgoing the failover/load balancing bit), but you'd be looking at policy (source) routing instead where you'd be actually creating routes based on source address(es) to determine which WAN interface the traffic leaves; likely the NAT rules would be auto-created at that point, but this is all vendor-dependent. – gravyface Aug 25 '14 at 16:05
  • @gravyface: So I need to use something like [this](http://www.amazon.com/TP-LINK-TL-R470T-Broadband-Changeable-Ethernet/dp/B005SYQBN8/ref=sr_1_1?ie=UTF8&qid=1408983046&sr=8-1&keywords=multi+wan)? – Isaac Kleinman Aug 25 '14 at 16:13
  • @IsaacKleinman you'd have to check the manual/specs to see, but $55 router to support two businesses? Yikes. – gravyface Aug 25 '14 at 16:16
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/16690/discussion-between-isaac-kleinman-and-gravyface). – Isaac Kleinman Aug 25 '14 at 16:17
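The answer and the follow-up comments describe two ways of getting the two networks out with different public addresses: per-network source NAT on a single WAN link that carries a routed /29 (the "virtual IP" approach), and policy (source) routing over a second Internet connection (the multi-WAN approach). The script below is an added example, not part of the original answer or any vendor documentation; it shows both cases as they would be done on a Linux router with nftables and iproute2. Every address, interface name and routing-table number in it is assumed (the public ranges are RFC 5737 documentation space), and it also adds the forward-chain rules that keep the two LANs from reaching each other, since the question asks for an isolated network. With `DRY_RUN=1`, the default, it prints the commands and rulesets instead of executing them, so it can be read or tested without root.

```shell
#!/bin/sh
# Added example (not from the original answer). Linux router with two LANs:
#   case "single": one WAN link with a routed /29; LAN A leaves as PUBLIC_A,
#                  LAN B as PUBLIC_B (static source NAT per LAN).
#   case "multi":  two WAN links; LAN B is policy-routed out the second link
#                  and masqueraded to that link's own address.
# All names and addresses below are assumptions made for the example.

DRY_RUN=${DRY_RUN:-1}

LAN_A=192.168.10.0/24   # company A's clients (assumed)
LAN_B=192.168.20.0/24   # company B's clients, the isolated VM network (assumed)

WAN_IF=eth0             # first ISP link (assumed)
WAN_GW=203.0.113.1      # ISP gateway for the /29 (assumed)
PUBLIC_A=203.0.113.2    # two addresses out of the routed /29 (assumed)
PUBLIC_B=203.0.113.3

WAN2_IF=eth2            # second ISP link, only used in the multi case (assumed)
WAN2_GW=198.51.100.1
TABLE_B=100             # routing table dedicated to LAN B

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Feed a ruleset on stdin to nft; in dry-run mode emit it as a heredoc so the
# printed output is itself a pasteable script.
load_ruleset() {
    if [ "$DRY_RUN" = 1 ]; then echo "nft -f - <<'EOF'"; cat; echo "EOF"
    else nft -f -; fi
}

# Shared filter policy: the two LANs may reach the Internet but not each other.
filter_ruleset() {
    cat <<EOF
table inet filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ip saddr $LAN_A ip daddr $LAN_B drop
    ip saddr $LAN_B ip daddr $LAN_A drop
    ip saddr { $LAN_A, $LAN_B } oifname { "$WAN_IF", "$WAN2_IF" } accept
  }
}
EOF
}

# Case 1: both LANs leave via the same WAN interface, each with its own
# fixed public source address taken from the routed /29.
nat_ruleset_single_wan() {
    cat <<EOF
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_A snat to $PUBLIC_A
    oifname "$WAN_IF" ip saddr $LAN_B snat to $PUBLIC_B
  }
}
EOF
}

apply_single_wan() {
    # The router holds both public addresses itself, so it answers ARP for
    # them and no proxy-ARP trick is needed. If the ISP routes the /29 to a
    # separate WAN address instead, add them to "lo"; the NAT is unchanged.
    run ip addr add "$PUBLIC_A/29" dev "$WAN_IF"
    run ip addr add "$PUBLIC_B/29" dev "$WAN_IF"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    run nft flush ruleset
    { filter_ruleset; nat_ruleset_single_wan; } | load_ruleset
}

# Case 2: a second Internet connection. LAN B's packets are steered to the
# second link by a source-based policy rule and masqueraded to its address.
nat_ruleset_multi_wan() {
    cat <<EOF
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_A masquerade
    oifname "$WAN2_IF" ip saddr $LAN_B masquerade
  }
}
EOF
}

apply_multi_wan() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace default via "$WAN_GW" dev "$WAN_IF"                 # main table: LAN A
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE_B"
    run ip rule add from "$LAN_B" lookup "$TABLE_B" priority 1000          # LAN B -> table 100
    # Strict reverse-path filtering would drop replies arriving on the second
    # link (the main table says their source is reachable via WAN_IF).
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run nft flush ruleset
    { filter_ruleset; nat_ruleset_multi_wan; } | load_ruleset
}

case "${1:-single}" in
    single) apply_single_wan ;;
    multi)  apply_multi_wan ;;
    *) echo "usage: $0 [single|multi]" >&2; exit 2 ;;
esac
```

Run it as `sh router.sh single` or `sh router.sh multi` to see the generated commands; set `DRY_RUN=0` on a real router to apply them. The single-WAN case is the one the answer recommends before the edit; the multi-WAN case is what the later comment calls policy (source) routing, where the `ip rule ... from $LAN_B lookup 100` line does the steering and the NAT rule is keyed on the outgoing interface rather than on a fixed address.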