Two way address translation

Posted on 2005-04-05
Last Modified: 2010-04-10
I have a bit of a project here, well more like a quick and nasty hack designed to give some breathing space for a true IP address migration. Basically what I have is the following.

Network A/B/C/D  <-----> Firewall

Networks A, B, C and D use the X.Y.100.Z, X.Y.101.Z, X.Y.102.Z and X.Y.103.Z ranges, and for "political" reasons they need to be migrated to 10.Y.100.Z, 10.Y.101.Z, etc. addresses as far as the firewall above is concerned.

Now I know that best practice would be to engage in a staged IP migration, but the machines in question are legacy machines and aren't normal PCs (closed source boxes), so this will take time.

My idea would be to take a spare 1U server with two NICs and set up some form of two-way static NATing between the networks and the firewall. My question is what everyone's recommendation is about the OS to use, Windows 2000/2003 or a Linux variant. The only other requirement is that I'm not wanting to do this on a per-IP basis; I'm wanting to say ANYTHING in the X.Y.100.Z range is translated to the equivalent address in the 10.Y.100.Z range.

I'm playing with a Windows 2000 Server box currently, but I'm not sure if it offers the features I require.

Any thoughts, pointers or useful links?
Question by:woolnoir

10 Comments
LVL 88

Expert Comment

by:rindi
ID: 13705425
You can assign more than one IP address to one NIC, so why not just try it that way? On a Windows server you would just select the NIC, move to TCP/IP, select "Properties", then the "Advanced" tab, and now under IP Address just "Add" the new address and range.

If it is a 'nix server you can also use the ifconfig tool and "Add" a new address...
LVL 23

Expert Comment

by:sciwriter
ID: 13706324
You can do this translation transparently with a higher-end router capable of doing it. Much less hassle than fiddling with Windows trying to get this to work. Nothing wrong with upgrading the closed boxes to Windows, but using Windows as a transparent DNS arbitrator is not a simple task; it will plague you.
LVL 79

Expert Comment

by:lrmoore
ID: 13706443
Any Cisco router with dual interfaces can do this for you. Get a new 2800 series with 2 Gigabit interfaces and be done with it in 30 minutes or less.

LVL 20

Author Comment

by:woolnoir
ID: 13706549
Well, the situation is we can't use a Cisco due to budget requirements and the fact that the "hack" is only going to be in place a matter of a month or two. As for assigning multiple addresses to the machines themselves, that's a no-go, since a lot of them are locked down (display equipment) and we simply don't have access or the time available to do so.

That leaves me with the option of using a Windows or Linux box to do static address translation. Does anyone have any ideas where to look for pointers on this?

It doesn't have to do any WINS/DNS translation; simply doing old IP range <-> new IP range and vice versa will suit it fine.

Any ideas?
LVL 88

Expert Comment

by:rindi
ID: 13706908
Sorry, I don't understand the reason why you can't use dual IPs. To what don't you have access? The connected boxes, are they assigned dynamic or static IPs?
LVL 20

Author Comment

by:woolnoir
ID: 13707011
The boxes on the IP ranges I want to change, I don't have access to, yet I need the address ranges to be translated to the NEW range by the time it reaches the firewall. The machines on the network ranges are public-facing terminals, kiosks and other devices for which gaining access to change all the IPs just isn't an option in the short timescale. There are older Windows 95 machines, Windows 98 and NT.
LVL 79

Expert Comment

by:lrmoore
ID: 13707176
>we cant use a cisco due to budget requirements
How much is too much? eBay has a 2621 for $900 - dual 10/100 interfaces. With simple terminals and kiosks, I don't think you need to go up to the Gigabit interfaces of a new 2800 series.
LVL 20

Author Comment

by:woolnoir
ID: 13707481
$900 for 1 month's usage for a non-profit organisation is still an issue. I understand that everyone wants to suggest best practice approaches, but the question I would like answered is: does the functionality to do this exist within Windows 2000 Server / Windows 2003 Server or Linux, and if so, has anyone had any experience of the above? I've got a test machine I'm experimenting with, and while it seems to be able to do standard many:1 NAT, I cannot see how 1:1 static NAT can be configured, let alone range:range equivalent NAT.

Can anyone help with this, bearing in mind I understand there are better approaches, but I'm time limited and equipment limited at the moment and need a fairly quick and creative approach.
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 13707762
I know what you're saying. It's just so simple with Cisco. A single static network nat like this:
  ip nat inside source static 10.y.100.0 X.Y.100.0 netmask 255.255.255.0
  ip nat inside source static 10.y.101.0 X.Y.101.0 netmask 255.255.255.0
  ip nat inside source static 10.y.102.0 X.Y.102.0 netmask 255.255.255.0
  ip nat inside source static 10.y.103.0 X.Y.103.0 netmask 255.255.255.0

Define inside/outside nat interfaces:
  Interface fast 0/0
    ip address <same subnet as firewall inside> <mask>
    ip nat outside

  Interface fast 0/1
    ip address <depends on backend router ip> <mask>
    ip nat inside

 Add a couple of route statements:
   ip route 0.0.0.0 0.0.0.0 <ip of firewall>
   ip route 10.0.0.0 255.0.0.0 <ip of backend router>

!done! Full two-way nat translations, no access list restrictions, just 1-1 network nat.

I'm sorry that I don't know how to do the same thing with a Windows server or with Linux.
I hope that another expert here can help you out.

LVL 88

Expert Comment

by:rindi
ID: 13708020
Sure, with Linux you could do that; most firewall appliances are based on some sort of Linux after all. I might be of help part of the way, but only partly. You would need a PC with at least 2 NICs, probably in your situation 5 is better for the ranges you are using, then install any Linux distro, I would suggest Debian or Fedora Core 3, then install Shorewall with which you would configure the firewall / NATing. Shorewall makes IPsec configuration easy.

You might be able to do something similar with windoze, but Win2k3 has a price tag which is higher than that of a Cisco router (if you want to stay legit).

For better info I suggest you post in the Linux section, or the Linux networking or Linux security section, but first you should probably install the base OS on a PC, and then you'd probably have to ask further. I don't know your Linux skills...
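The Linux side of the question is left open in the thread. As an added example (not posted by anyone above), the following models the two-way 1:1 network translation the asker wants, host bits kept and only the network bits swapped, in the direction the question describes (hosts stay on X.Y.100-103.Z, the firewall sees 10.Y.100-103.Z), and emits the equivalent Linux iptables rules using the NETMAP target. The prefixes 172.16.100-103.0/24 and 10.20.100-103.0/24 and the interface name eth0 are constructed stand-ins; the real X and Y values are not on the page.

```python
import ipaddress

# Constructed sample prefixes standing in for the thread's X.Y.100-103.Z (on the hosts)
# and 10.Y.100-103.Z (what the firewall should see); the real values are not on the page.
HOST_NETS = ["172.16.100.0/24", "172.16.101.0/24", "172.16.102.0/24", "172.16.103.0/24"]
FIREWALL_NETS = ["10.20.100.0/24", "10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]
NETMAP_PAIRS = list(zip(HOST_NETS, FIREWALL_NETS))
OUTSIDE_IF = "eth0"  # assumed name of the NIC facing the firewall


def netmap(addr, from_net, to_net):
    """1:1 network translation: keep the host bits, swap the network bits.
    This is what iptables' NETMAP target and Cisco's static network NAT do."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    if a not in src:
        return a  # address outside the mapped range passes through untouched
    host_bits = int(a) & int(src.hostmask)
    return ipaddress.ip_address(int(dst.network_address) | host_bits)


def translate(src, dst, direction):
    """Apply the two-way mapping to one packet (src, dst) and return the rewritten pair.
    'to_firewall':   host -> firewall, rewrite the source (the SNAT side).
    'from_firewall': firewall -> host, rewrite the destination (the DNAT side)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for host_net, fw_net in NETMAP_PAIRS:
        if direction == "to_firewall":
            src = netmap(src, host_net, fw_net)
        elif direction == "from_firewall":
            dst = netmap(dst, fw_net, host_net)
        else:
            raise ValueError("direction must be 'to_firewall' or 'from_firewall'")
    return str(src), str(dst)


def iptables_rules():
    """Equivalent Linux setup: forwarding on, NETMAP in POSTROUTING for the outbound source
    and NETMAP in PREROUTING for the inbound destination, so both directions are static
    (no conntrack entry needed for unsolicited traffic from the firewall side)."""
    rules = ["sysctl -w net.ipv4.ip_forward=1"]
    for host_net, fw_net in NETMAP_PAIRS:
        rules.append(f"iptables -t nat -A POSTROUTING -o {OUTSIDE_IF} -s {host_net} -j NETMAP --to {fw_net}")
        rules.append(f"iptables -t nat -A PREROUTING -i {OUTSIDE_IF} -d {fw_net} -j NETMAP --to {host_net}")
    return rules
```

The box still needs a route for the 10.Y ranges on the firewall and the host-side NIC addressed in the X.Y ranges (or a route to them), mirroring the two route statements in the Cisco answer.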