Open Firewall Ports for Multiple IPs
  • Open Firewall Ports for Multiple IPs

    We have a half dozen or so manufacturing control PCs on our factory floor that we are setting up for remote access. Our controls consultant is using software on his laptop that can connect with each of the PCs. The problem is, how do I open the firewall ports (9 of them for his various software packages) such that he can go directly to any of the PCs? We've tried port forwarding but that only gets him to one of the factory floor computers. At this point I am looking at purchasing a dedicated public IP that I would connect to a dedicated router and, in essence, take down the firewall on that router but only turn the router on when we need to enable remote access. Is there a better solution? Does anyone know of a router that allows this type of port opening?

    Thanks

  • #2
    Re: Open Firewall Ports for Multiple IPs

    Well you really need to post more info.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Open Firewall Ports for Multiple IPs

      The factory computers are Allen Bradley Controllers. They have their own subnet with IPs from .120-.140. The remote VPN user is the company's Allen Bradley consultant and he uses 3 different programs (from what I understand) to inspect/control/re-program the Allen Bradley PCs. Their software support tech has given me nine ports he says I have to open for their software to connect to the Allen Bradley controllers (PCs). We successfully set up port forwarding to a single IP for all nine ports but now the consultant insists on accessing all of the controllers directly. Unfortunately, I can no longer get any response from the software support techs to find out how they normally handle routing to multiple controllers/PCs.

      The only two concepts I could come up with were: 1) to purchase a separate public IP for the company's T1 line and connect that IP to a dedicated gateway/router to connect the Allen Bradley subnet to the internet. Then open the firewall but only turn the gateway/router on when we wanted to give remote access to the consultant. 2) install the Allen Bradley software on a local machine and enable RDC for that local machine. The problem with this approach is the Allen Bradley software involved will run between $5K-$10K.

      If there are other specifics you need let me know.
      Last edited by Bob Goodman; 18th August 2008, 18:54.



      • #4
        Re: Open Firewall Ports for Multiple IPs

        Can you make a drawing how this should work and where everything is located?
        Marcel



        • #5
          Re: Open Firewall Ports for Multiple IPs

          There are a number of solutions you could try:

          1. Follow your idea of getting another dedicated IP block for the T1. Don't purchase a new router/firewall for this block though, let the current router/firewall handle routing and NAT'ing the traffic to and from the AB machines. You'll need to configure a one-to-one NAT for each of the AB machines to a valid public IP in this new block.

          2. Install a "gateway" machine running XP or Vista that the AB personnel can connect to via RDP. Once connected to this gateway machine they can then connect from it to the AB machines using RDP (if they're running XP or Vista) or by using a program like DameWare, VNC, PCAnywhere, NetMeeting, etc. The advantage to doing it this way is that you don't need the additional ip block, routing, NAT'ing, etc. You have less exposure through the firewall since you're allowing access only to the gateway machine, not the AB machines. IMHO, this is the simplest, most cost effective way to solve your problem.



          • #6
            Re: Open Firewall Ports for Multiple IPs

            Joeqwerty - Thanks for input. A few questions on your ideas: 1. I already have an extra router/firewall on hand (a Netgear FVG318), is there any reason not to use it? So, for the NATing I point each of the AB controllers' IPs to our new additional internet IP rather than point to the consultant's IP? 2. I tend to like option 2 more as well, the problem is the software the consultant runs on his laptop would then have to be installed on the "gateway" PC which is what they want to charge us $5k-10K for.


            Dumber - The drawing will take a bit -- we have multiple buildings and a couple of subnets involved. I'll see if I can come up with something.

            Thanks.
            Last edited by Bob Goodman; 18th August 2008, 21:25.



            • #7
              Re: Open Firewall Ports for Multiple IPs

              I think there are other ways but I need to see more...
              Marcel



              • #8
                Re: Open Firewall Ports for Multiple IPs

                My response to your response:

                1. My reasons for not using the extra router and getting an additional ip block is - why make things more costly and complicated than they need to be.

                2. Another option is to make the "gateway" machine into a RRAS machine. The consultant makes a VPN connection to the gateway machine which then gives him access to the local network where the AB machines are. That way he has a connection to your network with his laptop and can run the software from his laptop. You only need to NAT one of your current ip addresses to the gateway machine.

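                The two layouts discussed in posts #5 and #8 (one-to-one NAT for every controller versus a single gateway host that the consultant reaches over RDP or an RRAS VPN), as an added example that is not from the thread or from any poster. It emits Linux iptables rules rather than Netgear FVG318 configuration, and every address, interface name and port in it is a placeholder assumption: the thread does not list the nine vendor ports, the consultant's address, or the public block. It prints the rules instead of applying them so they can be reviewed before anything is opened.

```shell
#!/bin/sh
# Added example, not from the thread or any poster. Emits Linux iptables
# rules for the two layouts discussed above, restricted to the consultant's
# source address and to an explicit port list. Every address, interface name
# and port here is a placeholder assumption; substitute your own.

WAN_IF="eth0"                   # assumed internet-facing interface
CONSULTANT_IP="198.51.100.7"    # assumed static address the consultant connects from
PUBLIC_BASE="203.0.113"         # assumed additional public block (option 1)
PRIVATE_BASE="192.168.10"       # assumed AB subnet; the thread says hosts .120-.140
PORTS="44818 2222 5000"         # placeholders for the nine vendor-supplied ports
PROTO="tcp"                     # assumption; repeat the rules with -p udp if any are UDP
EXISTING_PUBLIC_IP="192.0.2.10" # assumed current public address (option 2)
GATEWAY_IP="192.168.10.50"      # assumed RDP/RRAS gateway host (option 2)

# Common baseline: forward nothing by default, keep established flows alive.
gen_baseline() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Option 1: one-to-one NAT. gen_nat_rules FIRST LAST prints rules for hosts
# FIRST..LAST, keeping each controller's last octet in the public block
# (203.0.113.N <-> 192.168.10.N). Exposure: every controller, all listed ports.
gen_nat_rules() {
    first="$1"; last="$2"
    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ] || [ "$first" -gt "$last" ]; then
        echo "gen_nat_rules: bad host range $first-$last" >&2
        return 1
    fi
    portlist=$(printf '%s' "$PORTS" | tr ' ' ',')
    i="$first"
    while [ "$i" -le "$last" ]; do
        pub="$PUBLIC_BASE.$i"; priv="$PRIVATE_BASE.$i"
        # Inbound: only from the consultant, only the listed ports, one public IP per controller
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $CONSULTANT_IP -d $pub -p $PROTO -m multiport --dports $portlist -j DNAT --to-destination $priv"
        echo "iptables -A FORWARD -i $WAN_IF -s $CONSULTANT_IP -d $priv -p $PROTO -m multiport --dports $portlist -m conntrack --ctstate NEW -j ACCEPT"
        # Outbound: the controller leaves with its own public address
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
        i=$((i + 1))
    done
}

# Option 2: single gateway. gen_gateway_rules PORT exposes one port on one host
# (3389 for RDP; for an RRAS VPN use the port of the tunnel type you configure).
# Exposure: one host, one port; the controllers are reached only from inside.
gen_gateway_rules() {
    port="$1"
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "gen_gateway_rules: bad port $port" >&2
        return 1
    fi
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $CONSULTANT_IP -d $EXISTING_PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $GATEWAY_IP"
    echo "iptables -A FORWARD -i $WAN_IF -s $CONSULTANT_IP -d $GATEWAY_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage: sh gen_rules.sh > rules.sh, review rules.sh, then run it as root.
gen_baseline
gen_nat_rules 120 140      # option 1: 21 controllers x 3 rules each
gen_gateway_rules 3389     # option 2: one RDP gateway
```

                Two practical caveats. For option 1 the provider has to route the new block to the gateway (or each public address has to be configured on the WAN interface) before the DNAT rules answer for it, and the whole scheme only stays narrow if the consultant connects from a fixed address; with a dynamic address the `-s` match has to be dropped and 21 hosts times nine ports are open to anyone, which is the concrete reason option 2 is the lower-exposure choice. `-m multiport` accepts up to 15 ports per rule, so nine fits in one rule per controller.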


                • #9
                  Re: Open Firewall Ports for Multiple IPs

                  Thanks for all the help but after lots of delays they've decided to put this project on an indefinite hold. My research was showing that most companies needing remote access to their Allen Bradley controllers were using the second option joeqwerty recommended and it was the one management preferred for security reasons. However, the costs for the Allen Bradley software just pushed this to the back burner.

                  Thanks again for all of the great input.

