I have a block of 5 static IPs, and am going to be running an Exchange and web server on-site. I am wondering if I should separate the web server IP, Mail IP, and internal network IP. What would the best practices for separation of the internal and external networks be?
The servers are going to be in a DMZ and behind our firewall.
I'd separate all these services. It's more secure in different ways:
What I do not understand is what you mean by internal IP? Is it for NAT? If so, you should indeed separate that one as well.
Also take care of your firewall rules depending on the service. Always whitelist instead of blacklist. If one service needn't see another, then block it.
The bestest of best practices (see also: most paranoid) uses a separate DMZ for each function. In your case, that would be a separate DMZ for the Webserver and another one for the Exchange infrastructure. Each device only gets a limited view of the internal network and, importantly, can't see the other DMZ devices either.
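The two answers above boil down to one policy: a zone per function, default deny, and an explicit whitelist of the few flows each zone needs. The following is an added illustration, not code from the question or either answer. It models that policy as data, answers "is this flow allowed?" for any pair of addresses, and renders the same whitelist as an nftables forward chain. The address ranges, the split into a web DMZ and a mail DMZ, and the single permitted path from the mail DMZ into the LAN (assumed here to be directory lookups on 389 and 88) are constructed assumptions; substitute the real block and the ports the Exchange deployment actually needs.

```python
"""Zoned, default-deny firewall policy for a web DMZ, a mail DMZ and an internal LAN.

All addresses, zone names and ports below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed): one zone per function, as the answers recommend.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz_web": ip_network("10.1.1.0/24"),
    "dmz_mail": ip_network("10.1.2.0/24"),
    "internal": ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One whitelisted flow: traffic from src zone to dst zone on proto/port."""
    src: str
    dst: str
    proto: str
    port: int


# The whitelist. Anything not listed here is dropped, including every
# DMZ-to-DMZ flow: the web DMZ and the mail DMZ never see each other.
ALLOW = [
    Rule("internet", "dmz_web", "tcp", 80),
    Rule("internet", "dmz_web", "tcp", 443),
    Rule("internet", "dmz_mail", "tcp", 25),
    Rule("internet", "dmz_mail", "tcp", 443),
    # Assumed: the mail DMZ's only view into the LAN is the directory service.
    Rule("dmz_mail", "internal", "tcp", 389),
    Rule("dmz_mail", "internal", "tcp", 88),
    # Assumed: internal users reach both servers over HTTPS only.
    Rule("internal", "dmz_web", "tcp", 443),
    Rule("internal", "dmz_mail", "tcp", 443),
]


def zone_of(addr: str) -> str:
    """Return the most specific zone containing addr (0.0.0.0/0 is the fallback)."""
    ip = ip_address(addr)
    matching = [z for z, net in ZONES.items() if ip in net]
    return max(matching, key=lambda z: ZONES[z].prefixlen)


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Whitelist check: True only if an explicit rule covers this zone pair and port."""
    wanted = Rule(zone_of(src_ip), zone_of(dst_ip), proto, port)
    return any(rule == wanted for rule in ALLOW)


def to_nft(table: str = "inet", name: str = "dmz") -> str:
    """Render the whitelist as an nftables forward chain with policy drop."""
    lines = [
        f"table {table} {name} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in ALLOW:
        match = []
        # A /0 zone matches everything, so no address match is emitted for it.
        if ZONES[rule.src].prefixlen:
            match.append(f"ip saddr {ZONES[rule.src]}")
        if ZONES[rule.dst].prefixlen:
            match.append(f"ip daddr {ZONES[rule.dst]}")
        match.append(f"{rule.proto} dport {rule.port} accept")
        lines.append("    " + " ".join(match))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nft())
    print("web DMZ -> mail DMZ smtp allowed?", is_allowed("10.1.1.10", "10.1.2.10", "tcp", 25))
```

The useful property to check before loading such a ruleset is the negative one: run `is_allowed` over every zone pair you did not intend to connect (both DMZs to each other, the Internet straight to the LAN, the web DMZ into the LAN) and confirm each returns False; the generated chain drops those flows because nothing matches them, not because a blacklist entry names them.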