What's new
By:
Filters
ClioSport.net

Register a free account today to become a member!
Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

  • When you purchase through links on our site, we may earn an affiliate commission. Read more here.

Network Address Translation



Donny_Dog

Donny_Dog

ClioSport Club Member
  Jim's rejects
The management has approached me with some info.

We access a system on someone elses network that uses a 172.248.x.x address range (Their network is massive) and we connect into it via a 10mb point to point leased circuit.

Our network is also massive and uses a 192.168.x.x address range. up until now its been pretty straightforward. the relationship is one way E.G we access the resources on their network and they do not access ours.

The info I was told today is that their 172 network is going to be re-i.p'd to the same as ours. :S

We still need to access these systems after they have been re I.P'd and the management has said that I need to provide them with what I need to make it happen.

As it stands we have a cisco 1841 router at the edge of this 10mb circuit and I created a static route to their subnet and then published it within R.I.P so that all our clients from our large internal network can route succesfully. I can't exactly do this in the new world when their internal addresses are the same as ours. So somehow I need to deploy NAT.

I've got plenty of Cisco routers spare (the 1841 version in abundance) and a 3500yl Layer 3 switch should we need it.

My plan is to deploy NAT on the 1841, to NAT our 192 range to (lets say) a 212.148.55.x NAt pool. I'd then tell their network bods of my plan so they could amend their router at the other end of the 10mb circuit to point the range back toward us.
I have no control over their network, so I don't know what is at the other end of this leased connection! all I know, is that it works at the moment.

Is that the most reasonable way of completing this? Does it make sense?!
 
J

*JimmyJ*

  E39 530i
thats sounds about right mate what you are going to do, but like must things it might not be that straight forward. Let me know how you get on.
 
*Badger*

*Badger*

  BMW F21 125d
NAT is the only round it for you. Who's the providor? I ask this as I work for Network Management company!
 
Donny_Dog

Donny_Dog

ClioSport Club Member
  Jim's rejects
Thanks for the replies. Looks like my idea makes sense then?

*JimmyJ* said:
thats sounds about right mate what you are going to do, but like must things it might not be that straight forward. Let me know how you get on.
Click to expand...
Will do mate.

*Badger* said:
NAT is the only round it for you. Who's the providor? I ask this as I work for Network Management company!
Click to expand...
It’s a government run health care organisation that uses an internal clinical system. It isn’t published extrernally hence the ‘internal’ connection we have at the moment.

Adam. said:
Can't you just bump your IP's down to 192.167.x.x?
Click to expand...
No mate, our network is massive – that would mean re-i.P’ing everything, changing all our documentation. Windows based domains are not the easiest to change the entire address range(s) whilst still keeping the up time neither, it would be a massive job.

SamP said:
Easier said than done.
Click to expand...
This.
 
PinkoCommie

PinkoCommie

  182FF with cup packs
Donny_Dog said:
Thanks for the replies. Looks like my idea makes sense then?
Click to expand...

Yes, but you will probably need to do both source and destination NAT unless you decide to route their new real addresses to the router and then make sure that you don't ever use them internally. For instance, if they are using 192.168.55.x and you are currently not, then as long as you never use that particular /24 subnet then you can just make sure that subnet is router to the router, then no need for destination NAT. Otherwise you will have to choose another unused subnet and route that to the router instead and then do a 1-1 converstion for the subnet.

i.e. if the real addresses are 192.168.55.x and you are already using this, you could use 10.1.1.x as the Destination NATs, so a user would access 10.1.1.24 and this would be un-natted to 192.168.55.24.

Source NATing is much much easier though, as you can just hide all the traffic behind a single address (PAT) (such as the customer facing router interface).

I wouldn't recommend using the 212.148.55.x for your NAT range unless you (or who you are connecting to) actually own that IP subnet.


Donny_Dog said:
No mate, our network is massive – that would mean re-i.P’ing everything, changing all our documentation. Windows based domains are not the easiest to change the entire address range(s) whilst still keeping the up time neither, it would be a massive job.
Click to expand...

I hear you there. I was recently involved in moving an entire European infrastructure from a 172.16/12 to a 10/8 range. What a fecking nightmare that was. Took about 18 months to complete fully. (about 40 sites across Europe) I would say "never again", but as we are a management company we don't have much of a choice in the matter.
 
Donny_Dog

Donny_Dog

ClioSport Club Member
  Jim's rejects
PinkoCommie said:
Yes, but you will probably need to do both source and destination NAT unless you decide to route their new real addresses to the router and then make sure that you don't ever use them internally. For instance, if they are using 192.168.55.x and you are currently not, then as long as you never use that particular /24 subnet then you can just make sure that subnet is router to the router, then no need for destination NAT. Otherwise you will have to choose another unused subnet and route that to the router instead and then do a 1-1 converstion for the subnet.

i.e. if the real addresses are 192.168.55.x and you are already using this, you could use 10.1.1.x as the Destination NATs, so a user would access 10.1.1.24 and this would be un-natted to 192.168.55.24.

Source NATing is much much easier though, as you can just hide all the traffic behind a single address (PAT) (such as the customer facing router interface).

I wouldn't recommend using the 212.148.55.x for your NAT range unless you (or who you are connecting to) actually own that IP subnet.




I hear you there. I was recently involved in moving an entire European infrastructure from a 172.16/12 to a 10/8 range. What a fecking nightmare that was. Took about 18 months to complete fully. (about 40 sites across Europe) I would say "never again", but as we are a management company we don't have much of a choice in the matter.
Click to expand...

Thanks for your input here mate, much appreciated.

I'd love to say that their system would use a given range, like your example of 192.168.55.x but the truth is, I have no idea what they are going to do or use. Our management want a hard and fast answer to their question "What do you need" in order to sustain connectivity. The only thing I can say to them at the moment is NAT - maybe using an existing router to do it (although I'll press for a Cisco Pix or something anyway!).

I've kinda been thinking about the NAT range or pool to use and as much as I'd like to make it up, I'll need to consult them just in case they route to that address range (unlikely) for something else, which may screw it up. But destination nat'ing looks like the ticket, glad you agree!!! I like to keep things as simple as possible!
 
You must log in or register to reply here.

Similar threads

W
Cisco vs Extreme Networks
Replies
2
Views
820
Tea Nonce
Tea Nonce
massiveCoRbyn
Pretending to be a Rally Driver (Snetterton Stages 2024)
Replies
16
Views
2K
massiveCoRbyn
massiveCoRbyn
Jack!
IT network/domain stuff for small charity (plz help)
Replies
11
Views
885
msremmert
msremmert
Darren S
My BG182 Clio Revamp
Replies
25
Views
4K
497adam
497adam
DeeKay86
My Comprehensive Notes from todays Apple WWDC Keynote!
Replies
25
Views
3K
Ay Ay Ron
Ay Ay Ron


Top