sciwriter

Selectively seeing across 2 class-C IPs

An internal business network is on one class C -- 192.168.0.x and must have no internet access.
An internet "server" is set up on a 2nd class C -- 192.168.2.x -- which sees the internet fine.

This works perfectly, because people on the internal network cannot get to the internet -- as intended.
But now they need to have it "both ways" -- meaning I need to VPN in to fix a system on the internal network on the class C not accessible from the internet.

VPNing to the internet "server" on 2.2 is no problem, as is VNCing.  But I also now need to VPN into a 0.2 system to periodically fix it.  No net access for the users of 0.2 MUST be preserved.  Only I may get across.

There are several ways to do this, but I want other ideas before I go ahead. I already can VNC to a virtual link on 2.2 to that 0.2 system's hard drive, but that is not good enough.  I'm thinking an app that lets me get across temporarily, directly to 0.2, with no permanent changes to the IP structure that already works great.

TIA
mikeleebrla

Do you have a router or firewall on the 192.168.0.x network?  If so then all you need to do is deny any outgoing traffic to the internet, but allow VPN connection from the internet to come through, done!!!
sciwriter

ASKER

Mike -- not that easy, yes there is a router, but the internal network needs to be "unhackable", meaning no inbound traffic (of a potentially malicious nature) either -- needs to be as secure as possible, and it is right now, but no, a simple router change like that would terrify the business owner.  Any other ideas?
Rereading ... right now a VPN won't get from the 2.x network (internet) to the 0.x network (internal).  
At least I haven't tried it, maybe it will....
SOLUTION
SlyDog

The  "internet server" has 2 nics, one to 0.x and the other to 2.x -- sorry, should have said this
SOLUTION
Les Moore
How about a little PIX FW or something between the two networks

Net A 192.168.0.0
        |
   PIX Inside
   PIX Outside 192.168.2.x
        |
Net B 192.168.2.0
        |
   Internet (can you map public ip to PIX Outside IP?)

Then, you can launch a VPN client to connect to the PIX, where you have full access to the 0.x network. A simple access-list:

  access-list out permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
  access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
  nat (inside) 0 access-list nonat
  <no other nat or global statements>
  access-group out in interface inside

Set the VPN client pool (PIX 6.x syntax is "ip local pool"):

  ip local pool VPNPool 192.168.222.1-192.168.222.2

Only traffic from the inside LAN to the VPN pool is allowed. Absolutely no outbound Internet traffic will flow.


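To check what the access-list in lrmoore's post actually permits before committing it to a firewall, here is a small evaluator written for this thread (not code from the thread or from Cisco) that parses PIX-style access-list lines, applies first-match semantics with the implicit deny at the end, and runs a few constructed flows from the inside LAN through it. The ACL text, the list name "out" and the addresses are copied from the post; the sample source and destination addresses are constructed.

```python
"""Evaluate the PIX access-list from the post against sample flows: only
inside-LAN -> VPN-pool traffic should be permitted; Internet-bound traffic
and traffic to the 2.x segment must fall through to the implicit deny."""
import ipaddress

# Copy of the ACL entry posted above (list name "out"); the nonat list is
# identical and only controls NAT exemption, so it is not modelled here.
ACL_OUT = """
access-list out permit ip 192.168.0.0 255.255.255.0 192.168.222.0 255.255.255.252
"""


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK' lines.
    PIX access-lists use real subnet masks, not IOS-style wildcard masks."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        _, name, action, _, src, smask, dst, dmask = parts
        rules.append((name, action,
                      ipaddress.ip_network(f"{src}/{smask}"),
                      ipaddress.ip_network(f"{dst}/{dmask}")))
    return rules


def evaluate(rules, name, src_ip, dst_ip):
    """First matching entry wins; no match means implicit deny, as on the PIX."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule_name, action, src_net, dst_net in rules:
        if rule_name == name and src in src_net and dst in dst_net:
            return action
    return "deny"


def check_policy():
    """Run constructed inside-LAN flows through the 'out' list."""
    rules = parse_acl(ACL_OUT)
    flows = {
        "lan_to_vpn_client": ("192.168.0.25", "192.168.222.1"),  # in the pool
        "lan_to_internet":   ("192.168.0.25", "203.0.113.10"),   # no entry
        "lan_to_2x_segment": ("192.168.0.25", "192.168.2.2"),    # no entry
        "lan_outside_pool":  ("192.168.0.25", "192.168.222.9"),  # past the /30
    }
    return {k: evaluate(rules, "out", s, d) for k, (s, d) in flows.items()}


if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{flow:20s} {verdict}")
```

Only the flow to the VPN pool comes back "permit"; the other three are denied because no entry matches and the PIX denies anything the list does not explicitly allow.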

I think you've misinterpreted "unhackable".  I didn't mean that one could not get to the 0.x subdomain if one knew it was there -- just that the systems are not "obviously" there on the same class C.  And realize, I said up front, this Q is kinda wanting it "both ways" -- the 0.x sub is insulated from the internet, but not totally, at least not for someone knowing which computer IP they wanted to get to by VNC or VPN passwords or logins.  Only access to any system on the internal network would be by login.

So maybe restart on a different thought -- given the two separate Cs, how to see across the server with the two NICs, without bridging, and without giving "NORMAL" access from the internal 0.x to the internet 2.x.

IS that rephrased a little clearer?

<< FYI, in your current setup the 192.168.0.x is definitely hackable since it is connected to the internet through the "internet server" >>

No, it's on a separate NIC that is not bridged to the 2.x "domain" where the router to the internet is.
lrmoore --  sorry, didn't see yours before I posted.

That's not a bad idea, actually.  But since this Co has lots of routers already, any way to do that on the XP box with the two NICs for 0.x and 2.x?

Of course, I hesitate to ask that, because BOTH you and I would say to other network questions "windows doesn't do routing worth a hoot compared to a dedicated router" -- but since I am exploring options here, please comment on that idea.

I've found the VPN will only make it to the first device at the internet IP number -- i.e. the Linksys VPN router at 2.1 -- so I can't see a way to VPN beyond that.  VNC would theoretically get to any WINS "name" on the internet server's list of accessible names.  Maybe that is an idea ...?
ASKER CERTIFIED SOLUTION
BTW, where you been, dude?
<< How about VNC to the server 2.x, then launch a vpn client to the PIX in between? >>

ingenious !!

<<Is it really a server, or a workstation?>>

A win xp Pro box

<< If the Linksys VPN router accepts IPSEC connections>>

the main VPN is IPSec

<< perhaps it can be setup to pass PPTP to the PIX vs IPSEC?>>

Ingenious again!!

<<BTW, where you been, dude?>>

I got kinda fed up with being harassed by andyalder on storage, so I gave up EE, as I was overworked and too busy.  I must say, being on the Questioning side of Networking for once makes me appreciate why you have all those points -- ingenuity and resourcefulness, indeed.  I might consider coming back on a less intense basis, if you think my input was useful ....

> if you think my input was useful ....
Are you kidding? Just hang out in the networking TA's and don't worry about andy.

I get fed up every once in a while and take a break, but I always come back. I'm addicted to trying new things. There is no substitute for what the general public can come up with. I couldn't make up most of this stuff..
One little "thanks, you da man!" and that's all I need to keep going and forget about all the other stuff. I also stay away from the lounge and the mods in CS. I get crazy once in a while and flame the site and the TPTB (The Powers That Be, <owners of the site>), and I sometimes get tired of posting in 500 threads just to have 3-4 actually close out the question..
Oh, well. Off to lounge for the evening. It's Michelob time!
Thanks, lrmoore, I think I needed that morale boost, so I will come back periodically to help out as I can.  BTW, it's nice to know that the same frustrations annoying us also get the highest points winners in EE.  So with that in hand, I think I might be able to bear the difficult people a little better next time.  Keep in touch, though, will you, and give us and EE more of those unique ideas of yours.

Mike and Slydog -- I think lrmoore scooped us all on this one for originality of ideas and ingenious solutions I would not have thought of.  So I have upped the points, to give you two some points for effort, but the bulk to lrmoore for several ideas leading to a great solution that I will try out in weeks to come.

Hope this makes everyone happy, and thanks for contributing your ideas.