I have a question regarding subnets. I am trying to set up NAT for a server in the firewall's DMZ so it can connect to a database server in the firewall's LAN.
This is from the firewall's manual:
"Assign a subnet mask in the DMZ Subnet Mask field. The LAN and DMZ can have the same subnet mask, but the subnets must be different. For instance, the LAN subnet can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the DMZ subnet can be 172.16.18.1 with a subnet mask of 255.255.255.0"
I read your Subnet Masks And Their Effect article.
My questions are:
1) Does 172.16.18.1 fall in the network range for Class B? How can a Class B address be used with Class C's default subnet mask?
2) Is it right that the DMZ and LAN should be on different subnets/networks?
3) For hosting 3 domains on one IIS 5 server, is it right that I should configure 3 LAN IP addresses on the Windows 2000 server (with one network card) and then configure one-to-one NAT that binds 3 public IP addresses to the 3 LAN IP addresses?
Thank you in advance for your help
Question Regarding NAT and Subnets
13 years 5 months ago #63
1) The 172.16.18.1 IP address does fall into the Class B range, and the default subnet mask is 255.255.0.0.
The IP addresses indicated in the manual, as you posted, are clear examples to help you understand one way you can set up the machines in the DMZ zone.
The class of IP addresses you use in your DMZ or LAN zone depends on your network setup. If there is a gateway of some sort that hides the whole network from the Internet, then you're free to choose whatever class and subnet mask suits your needs, which is the case for the example you provided.
The method of using a subnet mask other than the default is called CIDR, and is covered on this site.
Because a Class B network gives you more IP addresses than you need, you divide that Class B network into smaller ones by using a different subnet mask. All ISPs use this method to help preserve the availability of IP addresses on the Internet, and companies now use this method for the same reason, but to preserve IP addresses within their own private network and also to make it easier to manage.
2) DMZ zones MUST be on a different subnet or network. Having them on the same one defeats the purpose of their existence.
Please read the DMZ zone page for more information.
3) The simplest way to host multiple domains is to point the NS (name server) records in the DNS configuration panel of the company from which they were bought to the public IP address of the Windows 2000 server. Of course, there are a few different options here: you can either point only the CNAME www records (alias) to the W2K server so the server only deals with the websites for these domains, or you can choose to move the whole DNS structure for these sites to the Win2K server, in which case you will need to set up a fully functional DNS server for these domains.
Let us know if there are certain areas which are still unclear.
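The following script is an added example, not code from the original thread or from the firewall vendor. It checks points 1 and 2 of the reply above in a way you can run yourself: it classifies an address by its first octet, shows that the manual's 172.16.18.1 with a 255.255.255.0 mask is a /24 subnet carved out of the classful 172.16.0.0/16 network, and verifies that the LAN and DMZ ranges do not overlap, which is the condition the manual's "the subnets must be different" sentence is asking for. The two interface strings are the manual's own example addresses; the rejected pair in the usage block is constructed to show the failure case. Only the Python standard library `ipaddress` module is used (Python 3.7 or later for `subnet_of`).

```python
import ipaddress

# Addresses taken from the firewall manual excerpt quoted in the question
# (host address plus dotted mask, as the firewall's "Subnet Mask" field wants them).
LAN_IFACE = "192.168.0.1/255.255.255.0"
DMZ_IFACE = "172.16.18.1/255.255.255.0"


def classful_info(ip_str):
    """Classful lookup: (class letter, default mask) from the first octet.

    Class A: 0-127, B: 128-191, C: 192-223. D/E (224+) have no default mask.
    """
    first_octet = int(ipaddress.IPv4Address(ip_str)) >> 24
    if first_octet < 128:
        return "A", "255.0.0.0"
    if first_octet < 192:
        return "B", "255.255.0.0"
    if first_octet < 224:
        return "C", "255.255.255.0"
    return None, None


def network_for(iface_str):
    """Network a host address belongs to once the configured mask is applied."""
    return ipaddress.IPv4Interface(iface_str).network


def classful_network(ip_str):
    """The default (classful) network the address would belong to without subnetting."""
    _, default_mask = classful_info(ip_str)
    return ipaddress.IPv4Network(f"{ip_str}/{default_mask}", strict=False)


def is_subnet_of_class(iface_str):
    """True if the configured mask carves a smaller network out of the classful one
    (e.g. a Class B address used with a Class C style /24 mask)."""
    ip = iface_str.split("/")[0]
    return network_for(iface_str).subnet_of(classful_network(ip))


def check_dmz_lan(lan_iface, dmz_iface):
    """Apply the manual's rule: masks may match, but the two networks must differ.

    Overlapping ranges would let DMZ hosts reach LAN hosts as on-link neighbours,
    bypassing the firewall's routing and filtering between the two zones.
    """
    lan = network_for(lan_iface)
    dmz = network_for(dmz_iface)
    overlap = lan.overlaps(dmz)
    return {
        "lan": str(lan),
        "dmz": str(dmz),
        "same_mask": lan.netmask == dmz.netmask,
        "overlap": overlap,
        "ok": not overlap,
    }


if __name__ == "__main__":
    print("172.16.18.1 is class", classful_info("172.16.18.1"))
    print("DMZ network:", network_for(DMZ_IFACE),
          "inside", classful_network("172.16.18.1"),
          "->", is_subnet_of_class(DMZ_IFACE))
    print("manual's example:", check_dmz_lan(LAN_IFACE, DMZ_IFACE))
    # Constructed bad configuration: same mask AND same network, which the manual forbids.
    print("rejected pair:", check_dmz_lan("192.168.0.1/24", "192.168.0.200/24"))
```

`check_dmz_lan` returns `ok: True` for the manual's pair (192.168.0.0/24 and 172.16.18.0/24 share a mask but not a range) and `ok: False` for the constructed pair, where both interfaces land in 192.168.0.0/24. Running the same check against your real LAN and DMZ interface settings before enabling the NAT rule catches the misconfiguration that otherwise shows up as DMZ hosts silently talking to LAN hosts without traversing the firewall.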