Access Blackholed Network from live IP on the same physical network structure

I might be trying to do something that I can’t, but here goes.

My workstation normally has a black hole IP and everything is happy; however now I need a live IP.  I know the best way to do this would be to dual home my workstation, but my boss doesn’t want me to add 'stuff' to my workstation unless I /have/ to.

Here’s the network break down:

Internet comes in from our wireless T1 with the following information:
IP’s:              xxx.144.209.242 – 254
Gateway:              xxx.144.209.241
Subnet Mask:    255.255.255.240

From there it goes to a 5 port switch.
      One port goes to our 3Com Router / Firewall / DHCP Server
      All other ports go outside servers – WWW / FTP / POP3 / etc.

The 3Com router feeds all the workstations in the office by other hubs and switches.

I have simply switched my wall line at the patch panel to hook my workstation to a switch connected to the outside instead of being hooked up to a switch on the inside black holed network.

Now what I need to do is use of the live IP; but still have access to everything on the 192.168.10.xxx network.

I have full access to the entire domain, but I’m hoping to be able to do this with only having to use my engineering server (Dual Homed) and have that bridge (if that’s even the correct term I mean route, not sure) my network connection so that if I need something on the black hole it takes my request and "routes" it onto its 192.168.10.127 connection to the private network; or if I need something on the internet it just routes my connection to the T1 like a hub or switch.  Any sort of IP forwarding would most likely be a pain, as I have to have a few large ranges of ports that need live access, and they change every now and then.

Any extra information needed?  Don’t hesitate to ask.
If you need a quick network map or other diagram I can put one up and give a URL to our server with the image.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
Evil_RSAAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
NetoMeter ScreencastsConnect With a Mentor Commented:
Here is what I am thinking about:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |       ----- 3Com Router------------------------   |      |  
                                          |                                                                  |      |  
                                          |                        Nic1                         Nic2
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems
                                                                                   |Nic3
                                                                                     ----My WorkStation

You can configure NAT on the Engineering Server. Nic1 should be the Public Interface in the NAT configuration. Nic3 - the private interface. You should not include Nic2 interface in the NAT configuration. You have to enable RRAS (Routing and remote Access server if it is not already enabled and if NAT protocol is not present under IP Routing Right Click General, choose new routing protocol and select NAT. After that you have to right click NAT and add interface - Nic1 and NIC3 )

Good Luck!

NetoMeter
<<link removed>>


PS:1. Still I think it poses a security risk to have a Server short connect the outside and inside interfaces of your firewall. Usually I need an external not filtered Public IP when I have to create a VPN connection or use blocked ports onth firewall. I have two cards on my desktop - external and internal and I never have them both enabled.
      2. In the suggested configuration above you are not going to change the security settings of your server. When you need to connect to the internal network RRAS is going to route to it through Nic2. When you need to access internet RRAS is going to NAT to the Public IP of the RRAS server (Nic1).
0
 
NetoMeter ScreencastsCommented:
Hi!
Does this look like a diagram of your network configuration:

                                 5-Port switch                                         Internal Switch
                                   |  |  |  |  |                                              |  |  |  |   |
Internet -------------------      |  |    ----- 3Com Router----------------          |   |
                                          |  |                                                            |   |
                                          |    --------------------------Workstation--------     |
                                           ------------------------------EngineeringServer ----            

Netometer
<<link removed>>
                                                                                                                                                                                                                               
0
 
Evil_RSAAuthor Commented:
Pretty close:


                                 5-Port switch                                                     Internal Switches & hubs  
                                   |  |  |  |  |                                                        |  |      |
Internet -------------------      |  |    ----- 3Com Router------------------------   |      |  
                                          |  |                                                               |      |  
                                          |    ----My WorkStation                                   |      |
                                           -----------------------EngineeringServer ----------       ------>   All other blackhole systems


Also, if needed the engineering server has an extra nic (total of 3) that isn't being used for anything.  If routing or something would be easier if I was hooked up to that, that is an option.

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
Evil_RSAAuthor Commented:
Isn't using NAT going to take me off my live IP and want to put me on a 192.168 IP?

For incoming connections - Would they still be able to directly connect to the IP on my system or would I need to use the IP of the server on NIC 1?

~Derek Brunt
Project Engineer / IT IIS Manager
Brunt Associates

P.S.  On a quick side note, I know this is nowhere near how systems should be done in practice, but for a band-aid fix, untill we get another two servers, this is going to have to work.  This is just another reason I didn't want to release my full IP address to this sad network
0
 
crissandCommented:
Why don't you use the router as the first equipment connected to the Internet? The Engineering server must have a public address?
0
 
Tim HolmanCommented:
Agreed.  Just setup NAT on your router, so that everything behind it is hidden by something in the xxx.144.209.242 – 254 range.
I don't understand what you mean by blackholing in this sense - this is upstream router terminology and has no place on a local LAN ??

~Tim Holman
Astronaut
National Aeronautics and Space Administration
0
 
chadCommented:
Tim,
How's the weather on the moon?  :-)
0
 
Tim HolmanCommented:
Well actually, the moon doesn't have a weather system as its gravity is too light to hold down an atmosphere, but I'm sure you already knew that ?  ;)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.