Solved

Access Blackholed Network from live IP on the same physical network structure

Posted on 2004-08-17
9
339 Views
Last Modified: 2010-03-18
I might be trying to do something that I can’t, but here goes.

My workstation normally has a black hole IP and everything is happy; however now I need a live IP.  I know the best way to do this would be to dual home my workstation, but my boss doesn’t want me to add 'stuff' to my workstation unless I /have/ to.

Here’s the network break down:

Internet comes in from our wireless T1 with the following information:
IP’s:              xxx.144.209.242 – 254
Gateway:              xxx.144.209.241
Subnet Mask:    255.255.255.240

From there it goes to a 5 port switch.
      One port goes to our 3Com Router / Firewall / DHCP Server
      All other ports go outside servers – WWW / FTP / POP3 / etc.

The 3Com router feeds all the workstations in the office by other hubs and switches.

I have simply switched my wall line at the patch panel to hook my workstation to a switch connected to the outside instead of being hooked up to a switch on the inside black holed network.

Now what I need to do is use of the live IP; but still have access to everything on the 192.168.10.xxx network.

I have full access to the entire domain, but I’m hoping to be able to do this with only having to use my engineering server (Dual Homed) and have that bridge (if that’s even the correct term I mean route, not sure) my network connection so that if I need something on the black hole it takes my request and "routes" it onto its 192.168.10.127 connection to the private network; or if I need something on the internet it just routes my connection to the T1 like a hub or switch.  Any sort of IP forwarding would most likely be a pain, as I have to have a few large ranges of ports that need live access, and they change every now and then.

Any extra information needed?  Don’t hesitate to ask.
If you need a quick network map or other diagram I can put one up and give a URL to our server with the image.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
0
Comment
Question by:Evil_RSA
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 11824397
Hi!
Does this look like a diagram of your network configuration:

                                 5-Port switch                                         Internal Switch
                                   |  |  |  |  |                                              |  |  |  |   |
Internet -------------------      |  |    ----- 3Com Router----------------          |   |
                                          |  |                                                            |   |
                                          |    --------------------------Workstation--------     |
                                           ------------------------------EngineeringServer ----            

Netometer
<<link removed>>
                                                                                                                                                                                                                               
0
 

Author Comment

by:Evil_RSA
ID: 11824530
Pretty close:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |  |    ----- 3Com Router------------------------   |      |  
                                          |  |                                                               |      |  
                                          |    ----My WorkStation                                   |      |
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems


Also, if needed the engineering server has an extra nic (total of 3) that isn't being used for anything.  If routing or something would be easier if I was hooked up to that, that is an option.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 375 total points
ID: 11824943
Here is what I am thinking about:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |       ----- 3Com Router------------------------   |      |  
                                          |                                                                  |      |  
                                          |                        Nic1                         Nic2
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems
                                                                                   |Nic3
                                                                                     ----My WorkStation

You can configure NAT on the Engineering Server. Nic1 should be the Public Interface in the NAT configuration. Nic3 - the private interface. You should not include Nic2 interface in the NAT configuration. You have to enable RRAS (Routing and remote Access server if it is not already enabled and if NAT protocol is not present under IP Routing Right Click General, choose new routing protocol and select NAT. After that you have to right click NAT and add interface - Nic1 and NIC3 )

Good Luck!

NetoMeter
<<link removed>>


PS:1. Still I think it poses a security risk to have a Server short connect the outside and inside interfaces of your firewall. Usually I need an external not filtered Public IP when I have to create a VPN connection or use blocked ports onth firewall. I have two cards on my desktop - external and internal and I never have them both enabled.
      2. In the suggested configuration above you are not going to change the security settings of your server. When you need to connect to the internal network RRAS is going to route to it through Nic2. When you need to access internet RRAS is going to NAT to the Public IP of the RRAS server (Nic1).
0
 

Author Comment

by:Evil_RSA
ID: 11825145
Isn't using NAT going to take me off my live IP and want to put me on a 192.168 IP?

For incoming connections - Would they still be able to directly connect to the IP on my system or would I need to use the IP of the server on NIC 1?

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates

P.S.  On a quick side note, I know this is nowhere near how systems should be done in practice, but for a band-aid fix, untill we get another two servers, this is going to have to work.  This is just another reason I didn't want to release my full IP address to this sad network
0
Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

 
LVL 18

Expert Comment

by:crissand
ID: 11828550
Why don't you use the router as the first equipment connected to the Internet? The Engineering server must have a public address?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11829115
Agreed.  Just setup NAT on your router, so that everything behind it is hidden by something in the xxx.144.209.242 – 254 range.
I don't understand what you mean by blackholing in this sense - this is upstream router terminology and has no place on a local LAN ??

~Tim Holman
Astronaut
National Aeronautics and Space Administration
0
 
LVL 11

Expert Comment

by:kabaam
ID: 11829601
Tim,
How's the weather on the moon?  :-)
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11831078
Well actually, the moon doesn't have a weather system as its gravity is too light to hold down an atmosphere, but I'm sure you already knew that ?  ;)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
Resolve DNS query failed errors for Exchange
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now