ClioSport.net


NAT - between two organisations



Donny_Dog

ClioSport Club Member
  Jim's rejects
I'm going mad. I am unsure if I have got this right.

We have an internal range: 192.168.0.0/16

Another organisation that connects to us uses 163.0.0.0/8 and until now, no problems.
The other organisation now states that it will start using 192.168.0.0/16 as well.

So we NAT'd our network onto theirs like so:

192 > 212 (nat pool range) > 163 > 192

Everything worked fine.

Now they would like to recreate this point to point and turn it into a coin, with other organisations involved.

Their plan is:

192 > 163 (some /30 address as part of their wider range) > 163 > 192

I've highlighted that the network would be discontiguous if this was to occur - would I be correct?

As I see it, they are asking us to NAT our 192 range to a 163 address.
Let's say: 163.160.254.1 255.255.255.252 is our external IP. 163.160.254.2 255.255.255.252 is their facing IP address.

Within their network they use 163.160.0.0 255.255.0.0. And somewhere else they use 192.168.0.0 for telephony.

I don't understand how you can route our 192 traffic to a designated 163 address and their 192 traffic to another! That's why we used the 212 range at the beginning in order to represent our network inside theirs without this issue.

Apologies if you don't understand. I might not have typed that very well.
 

Donny_Dog

ClioSport Club Member
  Jim's rejects
Think I understand their plan a bit better now:

192 > 163 (some /30 address as part of their wider range) > 163 > 192
Translate here to 212 to jump the /30 p2p

I thought it was missing something.
 

Cookie

ClioSport Club Member
I don't understand why most companies use /8 or /16, too many bloody addresses. We're moving away from /16 to 24 at the mo (because the previous network team may have been f**king retarded)
 
  Rav4
/24 suits a lot of businesses' requirements.

/8/16 is just overkill.

Sometimes, it's best to split it by department or floor. But I guess I am lucky, as we don't have more than 200 employees per building. Also not the biggest fan of 192.168 for businesses, even small ones, but I am just being pedantic about that.
 

Cookie

ClioSport Club Member
We use the 10. (and 172. in places) range because it looks neater. 192. for our transit and test networks though.
 

Donny_Dog

ClioSport Club Member
  Jim's rejects
We're not a 'normal' organisation though, and neither is the one that is connecting to us (10,000 active nodes), it's all on a grand scale here.

I've had a think about what the proposal will be and I still cannot see how it will work.
We have an ASA 5510 and I have had NO involvement with it in the past - so forgive my ignorance in how NAT/Interfaces are configured.

The LAN interface is 192.168.6.9 and the current external interface is 212.148.130.1
To reach the network: 163.160.0.0 we've got a static route to use the 212 interface as its gateway.

With their idea: we'd have an internal as 192.168.6.9 as before.
yet the external interface would be 163.160.255.1 and we'd retain the static route to use this interface as the gateway to reach 163.160.0.0.

But as I mentioned, they use 192's somewhere further in their massive network.

I guess I am struggling to understand what will happen. Will our 192 traffic be represented inside their network with this 163.160.255.1 address? Yet they use the 163.160.0.0/16 all over their network + 192.168.0.0/16 somewhere. I just can't see how their routers will know to route our 192 traffic and their 192 traffic without NAT'ing us to a completely different range!!! (hence we used the 212 range in the old setup).

I just don't understand it, I guess. Or either I do understand it, and they don't.

Help.
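
Added example, not part of the original posts: a small model of how the other organisation's routers would pick a return path for each source address discussed above, assuming classless longest-prefix-match forwarding. The next-hop names, the /24 mask on the 212 pool and the routing table itself are constructed for illustration; the /30 is the one from the first post.

```python
import ipaddress

# Constructed model of the other organisation's routing table, built from
# the ranges quoted in the thread. Next-hop names are hypothetical and the
# /24 mask on the 212 pool is an assumption (the thread gives no mask).
THEIR_ROUTES = {
    "163.160.0.0/16": "their-core",
    "192.168.0.0/16": "their-telephony",
    "163.160.254.0/30": "link-to-us",   # proposed point-to-point /30
    "212.148.130.0/24": "link-to-us",   # existing NAT pool
}
OUR_INSIDE = ipaddress.ip_network("192.168.0.0/16")


def overlapping(routes, net):
    """Return the prefixes in `routes` that overlap the network `net`."""
    return sorted(p for p in routes if ipaddress.ip_network(p).overlaps(net))


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    matches = [ipaddress.ip_network(p) for p in routes
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None  # no route: traffic would be dropped or follow a default
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]


if __name__ == "__main__":
    print("their routes overlapping our inside range:",
          overlapping(THEIR_ROUTES, OUR_INSIDE))
    # Source address as seen by their routers -> where replies are sent.
    cases = [("untranslated", "192.168.6.9"),
             ("NAT to 212 pool", "212.148.130.1"),
             ("PAT to /30 address", "163.160.254.1")]
    for label, src in cases:
        print(f"{label:20} {src:16} -> {lookup(THEIR_ROUTES, src)}")
```

Under these assumptions, replies to an untranslated 192.168.6.9 are sent to their own 192.168.0.0/16, while both the 212 pool address and the /30 address resolve back to the inter-organisation link, because the /30 is more specific than the 163.160.0.0/16 it sits inside.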
 
  Rav4
We use the 10. (and 172. in places) range because it looks neater. 192. for our transit and test networks though.

10.x is certainly quicker to type.

I do the same, for instance;

10.1.10.0/24 SITE A SERVERS
10.1.11.0/24 SITE A WORKSTATIONS
10.1.12.0/24 SITE A WIRELESS
10.1.13.0/24 SITE A VOIP

10.1.20.0/24 SITE B SERVERS
10.1.21.0/24 SITE B WORKSTATIONS
10.1.22.0/24 SITE B WIRELESS
10.1.23.0/24 SITE B VOIP

10.1.30.0/24 SITE C SERVERS
10.1.31.0/24 SITE C WORKSTATIONS
10.1.32.0/24 SITE C WIRELESS
10.1.33.0/24 SITE C VOIP

and so on, so it's all the same :)
 

ChrisR

ClioSport Club Member
pfft private addressing? Everything with a public address is how we roll :)

(I have nothing to do with or no interest in our network btw, I just know that we have a public /8 used for the corporate network).
 
  Rav4
pfft private addressing? Everything with a public address is how we roll :)

(I have nothing to do with or no interest in our network btw, I just know that we have a public /8 used for the corporate network).

Public? Give me an example :D
 

ChrisR

ClioSport Club Member
Public? Give me an example :D

Again I'm no networking person so forgive me if terminology is incorrect, but public in the sense that if I worked for say Apple and they have the /8 range 17.0.0.0, all devices on the corp network use 17. addresses.
 

Cookie

ClioSport Club Member
That sounds like a facking ballache to administer. It's bad enough waiting for internal DNS for a change, let alone external.

Plus there's the whole thing with keeping company data off the public network (ie the internets). Govt job still Chris? :p
 

ChrisR

ClioSport Club Member
That sounds like a facking ballache to administer. It's bad enough waiting for internal DNS for a change, let alone external.

Plus there's the whole thing with keeping company data off the public network (ie the internets). Govt job still Chris? :p

Hah nope not any more, just a big ass company now ;)

And how things work is nothing to do with me in any way, which is nice for a change :)
 
  BMW 330ci sp/ 172Cup
OP

Sounds like a nightmare, at least by your description :) I must admit I don't fully understand the requirement from it.

What's your position in all this? It sounds like a reasonable project to plan out and think about all the things it could affect by its introduction.

Will you configure the ASA? Not sure what version of code you are running, but NATing changed quite a bit at 8.3.
 

Donny_Dog

ClioSport Club Member
  Jim's rejects
OP

Sounds like a nightmare, at least by your description :) I must admit I don't fully understand the requirement from it.

What's your position in all this? It sounds like a reasonable project to plan out and think about all the things it could affect by its introduction.

Will you configure the ASA? Not sure what version of code you are running, but NATing changed quite a bit at 8.3.

I understand what they want to do - but I don't think it's going to be done right. But my lack of knowledge of the ASA doesn't fill me with confidence to stand up and shout that it could go wrong - especially when 'they' are hosting the coin.

I've been thinking about it all day and I am still no further on.

Yes, we will configure the ASA but the chap who implemented it has left. There isn't any documentation - but it actually doesn't do anything interesting anyway - a router could perform the same job! one interface in one network and another in another. So NAT isn't technically in use or whether I'll need to configure it.

PITA.

I'm gonna ring them up on Tuesday and ask them to present how they see it working. I'll know either way whether I'm right or wrong then.
 