Solved

Access Blackholed Network from live IP on the same physical network structure

Posted on 2004-08-17
9
336 Views
Last Modified: 2010-03-18
I might be trying to do something that I can’t, but here goes.

My workstation normally has a black hole IP and everything is happy; however now I need a live IP.  I know the best way to do this would be to dual home my workstation, but my boss doesn’t want me to add 'stuff' to my workstation unless I /have/ to.

Here’s the network break down:

Internet comes in from our wireless T1 with the following information:
IP’s:              xxx.144.209.242 – 254
Gateway:              xxx.144.209.241
Subnet Mask:    255.255.255.240

From there it goes to a 5 port switch.
      One port goes to our 3Com Router / Firewall / DHCP Server
      All other ports go outside servers – WWW / FTP / POP3 / etc.

The 3Com router feeds all the workstations in the office by other hubs and switches.

I have simply switched my wall line at the patch panel to hook my workstation to a switch connected to the outside instead of being hooked up to a switch on the inside black holed network.

Now what I need to do is use of the live IP; but still have access to everything on the 192.168.10.xxx network.

I have full access to the entire domain, but I’m hoping to be able to do this with only having to use my engineering server (Dual Homed) and have that bridge (if that’s even the correct term I mean route, not sure) my network connection so that if I need something on the black hole it takes my request and "routes" it onto its 192.168.10.127 connection to the private network; or if I need something on the internet it just routes my connection to the T1 like a hub or switch.  Any sort of IP forwarding would most likely be a pain, as I have to have a few large ranges of ports that need live access, and they change every now and then.

Any extra information needed?  Don’t hesitate to ask.
If you need a quick network map or other diagram I can put one up and give a URL to our server with the image.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
0
Comment
Question by:Evil_RSA
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 11824397
Hi!
Does this look like a diagram of your network configuration:

                                 5-Port switch                                         Internal Switch
                                   |  |  |  |  |                                              |  |  |  |   |
Internet -------------------      |  |    ----- 3Com Router----------------          |   |
                                          |  |                                                            |   |
                                          |    --------------------------Workstation--------     |
                                           ------------------------------EngineeringServer ----            

Netometer
<<link removed>>
                                                                                                                                                                                                                               
0
 

Author Comment

by:Evil_RSA
ID: 11824530
Pretty close:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |  |    ----- 3Com Router------------------------   |      |  
                                          |  |                                                               |      |  
                                          |    ----My WorkStation                                   |      |
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems


Also, if needed the engineering server has an extra nic (total of 3) that isn't being used for anything.  If routing or something would be easier if I was hooked up to that, that is an option.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 375 total points
ID: 11824943
Here is what I am thinking about:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |       ----- 3Com Router------------------------   |      |  
                                          |                                                                  |      |  
                                          |                        Nic1                         Nic2
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems
                                                                                   |Nic3
                                                                                     ----My WorkStation

You can configure NAT on the Engineering Server. Nic1 should be the Public Interface in the NAT configuration. Nic3 - the private interface. You should not include Nic2 interface in the NAT configuration. You have to enable RRAS (Routing and remote Access server if it is not already enabled and if NAT protocol is not present under IP Routing Right Click General, choose new routing protocol and select NAT. After that you have to right click NAT and add interface - Nic1 and NIC3 )

Good Luck!

NetoMeter
<<link removed>>


PS:1. Still I think it poses a security risk to have a Server short connect the outside and inside interfaces of your firewall. Usually I need an external not filtered Public IP when I have to create a VPN connection or use blocked ports onth firewall. I have two cards on my desktop - external and internal and I never have them both enabled.
      2. In the suggested configuration above you are not going to change the security settings of your server. When you need to connect to the internal network RRAS is going to route to it through Nic2. When you need to access internet RRAS is going to NAT to the Public IP of the RRAS server (Nic1).
0
 

Author Comment

by:Evil_RSA
ID: 11825145
Isn't using NAT going to take me off my live IP and want to put me on a 192.168 IP?

For incoming connections - Would they still be able to directly connect to the IP on my system or would I need to use the IP of the server on NIC 1?

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates

P.S.  On a quick side note, I know this is nowhere near how systems should be done in practice, but for a band-aid fix, untill we get another two servers, this is going to have to work.  This is just another reason I didn't want to release my full IP address to this sad network
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 18

Expert Comment

by:crissand
ID: 11828550
Why don't you use the router as the first equipment connected to the Internet? The Engineering server must have a public address?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11829115
Agreed.  Just setup NAT on your router, so that everything behind it is hidden by something in the xxx.144.209.242 – 254 range.
I don't understand what you mean by blackholing in this sense - this is upstream router terminology and has no place on a local LAN ??

~Tim Holman
Astronaut
National Aeronautics and Space Administration
0
 
LVL 11

Expert Comment

by:kabaam
ID: 11829601
Tim,
How's the weather on the moon?  :-)
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11831078
Well actually, the moon doesn't have a weather system as its gravity is too light to hold down an atmosphere, but I'm sure you already knew that ?  ;)
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now