Solved

Selectively seeing across 2 class-C IPs

Posted on 2005-03-04
Last Modified: 2010-04-10
An internal business network is on one class C -- 192.168.0.x and must have no internet access.
An internet "server" is set up on a 2nd class C -- 192.168.2.x -- which sees the internet fine.

This works perfect, because people on the internal network cannot get to the internet -- as intended.
But now they need to have it "both ways" -- meaning I need to VPN in to fix a system on the internal network on the class C not accessible from the internet.

VPNing to the internet "server" on 2.2 is no problem, as is VNCing.  But I also now need to VPN into a 0.2 system to periodically fix it.  No net access for the users of 0.2 MUST be preserved.  Only I may get across.

There are several ways to do this, but I want other ideas before I go ahead. I already can VNC to a virtual link on 2.2 to that 0.2 system's hard drive, but that is not good enough.  I'm thinking an app that lets me get across temporarily, directly to 0.2, with no permanent changes to the IP structure that already works great.

TIA
Question by:sciwriter
14 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13462532
do you have a router or firewall on the 192.168.0.x network?  If so then all you need to do is deny any outgoing traffic to the internet, but allow VPN connection from the internet to come through, done!!!
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13462558
Mike -- not that easy, yes there is a router, but the internal network needs to be "unhackable", meaning no inbound traffic (of a potentially malicious nature) either -- needs to be as secure as possible, and it is right now, but no, a simple router change like that would terrify the business owner.  Any other ideas?
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13462610
Rereading ... right now a VPN won't get from the 2.x network (internet) to the 0.x network (internal).  
At least I haven't tried it, maybe it will....
0
 
LVL 6

Assisted Solution

by:SlyDog
SlyDog earned 200 total points
ID: 13462745
What you haven't mentioned is if the two segments are connected at all. I'm assuming not, since if they were, it wouldn't be an issue accessing computers on both segments. If the segments don't connect, one solution is to put a router between the segments, but don't configure a gateway on it. That way 0.x can get to 2.x and you will be able to VPN to 2.x and terminal to any 0.x address. 0.x still can't get to the internet because the router doesn't know how to get off the 2.x segment. You have to gateway the 0.x computers to the IP of the router, otherwise they won't know how to get to the 2.x segment.

0
 
LVL 23

Author Comment

by:sciwriter
ID: 13462807
The  "internet server" has 2 nics, one to 0.x and the other to 2.x -- sorry, should have said this
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 200 total points
ID: 13462982
slydog is right, obviously they have to be directly connected to each other or connected to the internet in order for you to remotely connect to them.  If you want it to be "unhackable" then you need to unplug it from the outside world (literally unplug the network cable) and NEVER connect to it remotely from any computer that has access to the internet.   You say that the network can't have inbound traffic???? If it can't have inbound traffic, how on earth do you expect to connect to it remotely???  What you are saying doesn't make sense at all.  Basically what I'm saying is that what you want can't be done.  If you want to access this network remotely then you have to have a connection to it, obviously.  There is no "magical" way for you to connect to it, but not for hackers to connect.

FYI, in your current setup the 192.168.0.x is definitely hackable since it is connected to the internet through the "internet server".
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13463384
How about a little PIX FW or something between the two networks

Net A 192.168.0.0
          |
           PIX Inside
          |
           PIX Outside 192.168.2.x
Net B 192.168.2.0
          |
      Internet (can you map public ip to PIX Outside IP?)

Then, you can launch a VPN client to connect to the PIX, where you have full access to the 0.x network. A simple access-list:

  access-list out permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
  access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
  nat (inside) 0 access-list nonat
  <no other nat or global statements>
  access-group out in interface inside

Set the VPN client pool:

  ip pool VPNPool 192.168.222.1-192.168.222.2

Only traffic from the inside LAN to the VPN pool is allowed. Absolutely no outbound Internet traffic will flow.



0
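The two designs above (SlyDog's router with no default gateway, and lrmoore's PIX with the access-list and nat 0 lines) can both be checked with a small forwarding model. The following is an added example written for this thread, not code from any of the posters or from Cisco: it parses the PIX-style access-list and ip pool lines as posted, evaluates them with first-match semantics and the implicit deny, and combines that with a route table that has only connected routes (no default route). The inside host 192.168.0.50, the 2.x host 192.168.2.10 and the Internet address 203.0.113.5 are constructed sample values; the assumption that the PIX installs a host route for each connected VPN client's pool address is mine, and the order of the checks is a simplification of the real firewall pipeline.

```python
"""Forwarding model for the two-segment designs discussed in this thread.

Added example (not from the thread or Cisco). Models:
  * a plain router between 192.168.0.0/24 and 192.168.2.0/24 with no default gateway;
  * the PIX design: inbound ACL on the inside interface, nat (inside) 0 exemption
    for traffic to the VPN pool, no other nat/global statements.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Configuration lines exactly as posted in the thread.
PIX_CONFIG = """
access-list out permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
nat (inside) 0 access-list nonat
access-group out in interface inside
ip pool VPNPool 192.168.222.1-192.168.222.2
"""

# Connected routes only: the device knows the two segments and nothing else.
CONNECTED = [ipaddress.IPv4Network("192.168.0.0/24"),
             ipaddress.IPv4Network("192.168.2.0/24")]


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' lines into ACLs."""
    acls: dict[str, list[Ace]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "access-list" and parts[3] == "ip":
            src = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
            dst = ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}", strict=False)
            acls.setdefault(parts[1], []).append(Ace(parts[2], src, dst))
    return acls


def parse_pool(config: str) -> list[ipaddress.IPv4Network]:
    """Turn 'ip pool NAME FIRST-LAST' into one /32 host route per pool address.

    Assumption: the PIX installs a host route for each connected VPN client.
    """
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ip", "pool"]:
            first, last = (ipaddress.IPv4Address(a) for a in parts[3].split("-"))
            return [ipaddress.IPv4Network(f"{ipaddress.IPv4Address(i)}/32")
                    for i in range(int(first), int(last) + 1)]
    return []


def acl_permits(acl: list[Ace], src: str, dst: str) -> bool:
    """First-match evaluation; anything not matched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def decide(src: str, dst: str, routes: list[ipaddress.IPv4Network],
           acl: list[Ace] | None = None, nonat: list[Ace] | None = None) -> str:
    """Verdict for a packet arriving on the inside interface (simplified order)."""
    if acl is not None and not acl_permits(acl, src, dst):
        return "dropped: denied by access-list on inside interface"
    if not any(ipaddress.IPv4Address(dst) in net for net in routes):
        return "dropped: no route to destination (no default gateway)"
    if nonat is not None and not acl_permits(nonat, src, dst):
        return "dropped: no NAT translation (nat 0 exemption does not match)"
    return "forwarded"


def slydog_router(src: str, dst: str) -> str:
    """Plain router between the segments: no ACL, no NAT, no default gateway."""
    return decide(src, dst, routes=CONNECTED)


def lrmoore_pix(src: str, dst: str) -> str:
    """PIX with the posted ACL/nat 0 lines and host routes for the VPN pool."""
    acls = parse_acls(PIX_CONFIG)
    return decide(src, dst, routes=CONNECTED + parse_pool(PIX_CONFIG),
                  acl=acls["out"], nonat=acls["nonat"])


if __name__ == "__main__":
    for name, fn in (("router, no gateway", slydog_router), ("PIX", lrmoore_pix)):
        for dst in ("192.168.2.10", "192.168.222.1", "203.0.113.5"):
            print(f"{name:20} 192.168.0.50 -> {dst:15} {fn('192.168.0.50', dst)}")
```

Running the script shows the difference between the two designs: the plain router still lets 0.x hosts reach the whole 2.x segment and only blocks the Internet by lack of a route, whereas the PIX access-list blocks everything from the inside LAN except traffic to the two VPN pool addresses, which is also the only traffic with a NAT exemption.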
 
LVL 23

Author Comment

by:sciwriter
ID: 13463391
I think you've misinterpreted "unhackable".  I didn't mean that one could not get to the 0.x subdomain if one knew it was there -- just that the systems are not "obviously" there on the same class C.  And realize, I said up front, this Q is kinda wanting it "both ways" -- the 0.x sub is insulated from the internet, but not totally, at least not for someone knowing which computer IP they wanted to get to by VNC or VPN passwords or logins.  Only access to any system on the internal network would be by login.

So maybe restart on a different thought -- given the two separate Cs, how to see across the server with the two NICs, without bridging, and without giving "NORMAL" access from the internal 0.x to the internet 2.x.

Is that rephrased a little clearer?

<< FYI, in your current setup the 192.168.0.x is definitely hackable since it is connected to the internet through the "internet server" >>

No, it's on a separate NIC that is not bridged to the 2.x "domain" where the router to the internet is.
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13463560
lrmoore --  sorry, didn't see yours before I posted.

That's not a bad idea, actually.  But since this Co has lots of routers already, any way to do that on the XP box with the two NICs for 0.x and 2.x?

Of course, I hesitate to ask that, because BOTH you and I would say to other network questions "windows doesn't do routing worth a hoot compared to a dedicated router" -- but since I am exploring options here, please comment on that idea.

I've found the VPN will only make it to the first device at the internet IP number -- i.e. the Linksys VPN router at 2.1 -- so I can't see a way to VPN beyond that.  VNC would theoretically get to any WINS "name" on the internet servers list of accessible names.  Maybe that is an idea ...?
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 1600 total points
ID: 13463649
>any way to do that on the XP box with the two NICs for 0.x and 2.x?
Not on my shift. XP simply won't route that I know of..

How about VNC to the server 2.x, then launch a VPN client to the PIX in between? Is it really a server, or a workstation? If it's a server, Cisco VPN client won't work, but a PPTP session might....
If the Linksys VPN router accepts IPSEC connections, perhaps it can be set up to pass PPTP to the PIX vs IPSEC?

>But since this Co has lots of routers already
That brings up a routing issue with using a separate IP subnet for the VPN client. You'd have to use 192.168.0.x for the VPN pool and that makes the nonat ACL ugly, but it might work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13463650
BTW, where you been, dude?
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13463693
<< How about VNC to the server 2.x, then launch a VPN client to the PIX in between? >>

ingenious !!

<<Is it really a server, or a workstation?>>

A win xp Pro box

<< If the Linksys VPN router accepts IPSEC connections>>

the main VPN is IPSec

<< perhaps it can be set up to pass PPTP to the PIX vs IPSEC?>>

Ingenious again!!

<<BTW, where you been, dude?>>

I got kinda fed up with being harassed by andyalder on storage, so I gave up EE, as I was overworked and too busy.  I must say, being on the Questioning side of Networking for once makes me appreciate why you have all those points -- ingenuity and resourcefulness, indeed.  I might consider coming back on a less intense basis, if you think my input was useful ....

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13463775
> if you think my input was useful ....
Are you kidding? Just hang out in the networking TA's and don't worry about andy.

I get fed up every once in a while and take a break, but I always come back. I'm addicted to trying new things. There is no substitute for what the general public can come up with. I couldn't make up most of this stuff..
One little "thanks, you da man!" and that's all I need to keep going and forget about all the other stuff. I also stay away from the lounge and the mods in CS. I get crazy once in a while and flame the site and the TPTB (The Powers That Be, <owners of the site>), and I sometimes get tired of posting in 500 threads just to have 3-4 actually close out the question..
Oh, well. Off to lounge for the evening. It's Michelob time!
0
 
LVL 23

Author Comment

by:sciwriter
ID: 13464119
Thanks, lrmoore, I think I needed that morale boost, so I will come back periodically to help out as I can.  BTW, it's nice to know that the same frustrations annoying us also get the highest points winners in EE.  So with that in hand, I think I might be able to bear the difficult people a little better next time.  Keep in touch though, will you, and give us and EE more of those unique ideas of yours.

Mike and Slydog -- I think lrmoore scooped us all on this one for originality of ideas and ingenious solutions I would not have thought of.  So I have upped the points, to give you two some points for effort, but the bulk to lrmoore for several ideas leading to a great solution that I will try out in weeks to come.

Hope this makes everyone happy, and thanks for contributing your ideas.
0