An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 184.108.40.206/16 and the gateway router has address 220.127.116.11 on its external interface (referred to as interface ifext). The internal network consists of four subnets:
A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 18.104.22.168/24.
A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.3.0.0/16.
A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.3.1.0/24.
A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.3.2.0/24.
A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.3.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that can both accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and they do so using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ set up as described above, the security requirements for the educational institute are:
External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
Staff, students and researchers can access websites in the Internet.
The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP port 1234 to the partners. The server has internal address 10.3.3.31, and NAT is set up on the gateway router to map the public address 22.214.171.124 to that internal address. Currently there are two partner organisations that can access the server, and they have network addresses 126.96.36.199/24 and 188.8.131.52/24.
The professor who leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 184.108.40.206/16.
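As an added worked example (not part of the exercise text), the following Python model encodes the requirements above as a first-match rule table for the gateway router's stateful filter and evaluates sample packets against it. The rule order, the IMAP ports (143/993), the use of the whole DMZ range in place of the unspecified server addresses, and the assumption that the NAT mapping for 22.214.171.124 is applied before filtering are all assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple

class Pkt(NamedTuple):
    iface: str        # gateway interface the packet arrives on: ifext, ifdmz or ifint
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")
DMZ = NET("18.104.22.168/24", strict=False)
STAFF = NET("10.3.1.0/24")
INTERNAL = NET("10.3.0.0/16")          # shared, staff, student and research subnets
PARTNERS = [NET("126.96.36.199/24", strict=False), NET("188.8.131.52/24", strict=False)]
DATA_SRV = NET("10.3.3.31/32")         # 22.214.171.124 is translated to this before filtering (assumed)

# (arrival iface, source nets, destination net, proto, dest ports, action); first match wins.
# Server addresses inside the DMZ are not given in the exercise, so the DMZ net stands in for them.
RULES = [
    ("ifext", [ANY], DMZ, "tcp", {80, 443, 25}, "allow"),       # Internet -> web and SMTP servers
    ("ifint", [INTERNAL], DMZ, "tcp", {80, 443}, "allow"),      # internal subnets -> web server
    ("ifint", [STAFF], DMZ, "tcp", {143, 993}, "allow"),        # IMAP (ports assumed), staff only
    ("ifint", [INTERNAL], ANY, "tcp", {80, 443}, "allow"),      # browsing out (PAT applied on ifext)
    ("ifext", PARTNERS, DATA_SRV, "tcp", {22, 1234}, "allow"),  # partners -> data sharing server
]

STATE = set()   # (client, server, server_port) flows already accepted by a rule

def decide(p: Pkt) -> str:
    """Stateful decision: replies to accepted flows pass; new flows must match a rule; else deny."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if (dst, src, p.sport) in STATE:          # packet flows back to the client of an accepted flow
        return "allow"
    for iface, srcs, dst_net, proto, ports, action in RULES:
        if (p.iface == iface and p.proto == proto and p.dport in ports
                and dst in dst_net and any(src in n for n in srcs)):
            if action == "allow":
                STATE.add((src, dst, p.dport))
            return action
    return "deny"   # default deny implements "Internet users cannot access internal computers"

if __name__ == "__main__":
    print(decide(Pkt("ifext", "126.96.36.199", 40000, "10.3.3.31", 22)))   # partner SSH: allow
    print(decide(Pkt("ifext", "203.0.113.5", 40000, "10.3.3.31", 22)))     # non-partner: deny
```

The professor's home ISP range is deliberately absent from PARTNERS: a source-address rule for the whole dynamically allocated /16 would admit every customer of that ISP, so that requirement needs a different control than address filtering.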