Solved

Two way address translation

Posted on 2005-04-05
Last Modified: 2010-04-10
I have a bit of a project here, well more like a quick and nasty hack designed to give some breathing space for a true IP address migration. Basically what I have is the following.

Network A/B/C/D  <-----> Firewall

Networks A, B, C and D use the X.Y.100.Z, X.Y.101.Z, X.Y.102.Z and X.Y.103.Z ranges, and for "political" reasons they need to be migrated to 10.Y.100.Z, 10.Y.101.Z, etc. addresses as far as the firewall above is concerned.

Now I know that best practice would be to engage in a staged IP migration, but the machines in question are legacy machines and aren't normal PCs (closed-source boxes), so this will take time.

My idea would be to take a spare 1U server with two NICs and set up some form of two-way static NATing between the networks and the firewall. My question is what everyone's recommendation is for the OS to use, Windows 2000/2003 or a Linux variant. The only other requirement is that I'm not wanting to do this on a per-IP basis; I'm wanting to say ANYTHING in the X.Y.100.Z range is translated to the equivalent address in the 10.Y.100.Z range.

I'm playing with a Windows 2000 Server box currently, but I'm not sure if it offers the features I require.

Any thoughts, pointers or useful links?
Question by:woolnoir
10 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 13705425
You can assign more than one IP address to one NIC, so why not just try it that way? On a Windows server you would just select the NIC, move to TCP/IP, select "Properties", then the "Advanced" tab, and now under IP Address just "Add" the new address and range.

If it is a 'nix server you can also use the ifconfig tool and "Add" a new address...
 
LVL 23

Expert Comment

by:sciwriter
ID: 13706324
You can do this translation transparently with a higher-end router capable of doing it.  Much less hassle than fiddling with windows trying to get this to work.  Nothing wrong with upgrading the closed boxes to windows, but using windows as a transparent DNS arbitrator is not a simple task, it will plague you.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13706443
Any Cisco router with dual interfaces can do this for you. Get a new 2800 series with 2 Gigabit interfaces and be done with it in 30 minutes or less.

 
LVL 20

Author Comment

by:woolnoir
ID: 13706549
Well, the situation is we can't use a Cisco due to budget requirements and the fact that the "hack" is only going to be in place for a month or two. As for assigning multiple addresses to the machines themselves, that's a no-go, since a lot of them are locked down (display equipment) and we simply don't have access or the time available to do so.

That leaves me with the option of using a windows or linux box to do static address translation, anyone any ideas where to look for pointers on this.

It doesn't have to do any WINS/DNS translation; simply doing old IP range <-> new IP range and vice versa will suit it fine.

Any ideas ?
 
LVL 88

Expert Comment

by:rindi
ID: 13706908
Sorry, I don't understand the reason why you can't use dual IPs? To what don't you have access? The connected boxes, are they assigned dynamic or static IPs?
 
LVL 20

Author Comment

by:woolnoir
ID: 13707011
The boxes on the IP ranges I want to change, I don't have access to, yet I need the address ranges to be translated to the NEW range by the time it reaches the firewall. The machines on the network ranges are public-facing terminals, kiosks and other devices where gaining access to change all the IPs just isn't an option in the short timescale. There are older Windows 95 machines, Windows 98 and NT.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13707176
>we cant use a cisco due to budget requirements
How much is too much? Ebay has a 2621 for $900 - dual 10/100 interfaces. With simple terminals and kiosks, I don't think you need to go up to the Gigabit interfaces of a new 2800 series.
 
LVL 20

Author Comment

by:woolnoir
ID: 13707481
$900 for 1 month's usage for a non-profit organisation is still an issue. I understand that everyone wants to suggest best practice approaches, but the question I would like answered is: does the functionality to do this exist within Windows 2000 Server / Windows 2003 Server or Linux, and if so, has anyone had any experience of the above? I've got a test machine I'm experimenting with, and while it seems to be able to do standard many:1 NAT, I cannot see how 1:1 static NAT can be configured, let alone range:range equivalent NAT.

Can anyone help with this, bearing in mind I understand there are better approaches, but I'm time-limited and equipment-limited at the moment and need a fairly quick and creative approach.
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 13707762
I know what you're saying. It's just so simple with Cisco. A single static network nat like this:
  ! Static network NAT: inside local = the real X.Y address on the legacy
  ! segments, inside global = the 10.Y address the firewall sees. Static
  ! translations are two-way, so either side can initiate.
  ip nat inside source static network X.Y.100.0 10.y.100.0 255.255.255.0
  ip nat inside source static network X.Y.101.0 10.y.101.0 255.255.255.0
  ip nat inside source static network X.Y.102.0 10.y.102.0 255.255.255.0
  ip nat inside source static network X.Y.103.0 10.y.103.0 255.255.255.0

Define inside/outside nat interfaces:
  interface FastEthernet 0/0
    ip address <same subnet as firewall inside> <mask>
    ip nat outside

  interface FastEthernet 0/1
    ip address <depends on backend router ip> <mask>
    ip nat inside

 Add a couple of route statements:
   ip route 0.0.0.0 0.0.0.0 <ip of firewall>
   ! traffic from the firewall is un-translated to X.Y.10[0-3].Z before it is
   ! routed, so the real /24s (which summarise to a /22) must point at the backend
   ip route X.Y.100.0 255.255.252.0 <ip of backend router>

!done! Full two-way nat translations, no access list restrictions, just 1-1 network nat.

I'm sorry that I don't know how to do the same thing with a Windows server or with Linux.
I hope that another expert here can help you out.

 
LVL 88

Expert Comment

by:rindi
ID: 13708020
Sure, with Linux you could do that; most firewall appliances are based on some sort of Linux after all. I might be of help part of the way, but only partly. You would need a PC with at least 2 NICs, probably in your situation 5 is better for the ranges you are using, then install any Linux distro, I would suggest Debian or Fedora Core 3, then install Shorewall, with which you would configure the firewall / NATing. Shorewall makes ipsec configuration easy.

You might be able to do something similar with windoze, but Win2k3 has a price tag which is higher than that of a Cisco router (if you want to stay legit).

For better info I suggest you post in the Linux section, or the Linux networking or Linux security section, but first you should probably install the base OS on a PC, and then you'd probably have to ask further. I don't know your Linux skills...
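The Linux equivalent of lrmoore's Cisco static network NAT, which rindi points at with Shorewall, as an added example that is not part of the original thread: the iptables NETMAP target rewrites only the network part of an address and keeps host octet Z, which is exactly the range:range translation the question asks for. Placeholders are assumptions: X.Y is stood in by 172.16, the 10.Y prefix by 10.16, and the NIC facing the firewall is eth1 (the legacy segments sit behind the other NIC).

```sh
#!/bin/sh
# Range-to-range ("network") 1:1 NAT on a Linux box with two NICs, using the
# iptables NETMAP target. Added example, not from the thread. Assumptions
# (placeholders for the asker's real values): X.Y = 172.16, the 10.Y prefix is
# 10.16, eth1 faces the firewall, the legacy X.Y.10[0-3].Z devices sit behind
# the backend router on the other NIC.

OUTSIDE_IF=eth1       # toward the firewall, which must see the 10.16.x.x addresses
REAL_PREFIX=172.16    # stand-in for X.Y
NEW_PREFIX=10.16      # stand-in for 10.Y
THIRD_OCTETS="100 101 102 103"

# What NETMAP does to a single address in a /24 pair: the network part is
# swapped, the host octet Z is kept, so 172.16.100.7 <-> 10.16.100.7.
translate24() {                       # translate24 <addr> <to-network>
    echo "${2%.*}.${1##*.}"
}

# Emit the two rules for one /24 pair. NAT rules act on the first packet of a
# connection and conntrack un-translates the replies, so POSTROUTING covers
# device-initiated traffic and PREROUTING covers firewall-initiated traffic.
# Both are needed for true two-way NAT.
netmap_rules() {                      # netmap_rules <real-net> <new-net>
    real=$1; new=$2
    # outbound: source 172.16.N.Z -> 10.16.N.Z as it leaves toward the firewall
    echo "iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s $real/24 -j NETMAP --to $new/24"
    # inbound: destination 10.16.N.Z -> 172.16.N.Z as it arrives from the firewall
    echo "iptables -t nat -A PREROUTING -i $OUTSIDE_IF -d $new/24 -j NETMAP --to $real/24"
}

# Full command list: forwarding on, nat table flushed, one rule pair per /24.
# Routing is separate: this box needs a default route toward the firewall and a
# route for 172.16.100.0/22 toward the backend router, and the firewall needs a
# route for 10.16.100.0/22 pointing at this box's $OUTSIDE_IF address.
all_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    for o in $THIRD_OCTETS; do
        netmap_rules "$REAL_PREFIX.$o.0" "$NEW_PREFIX.$o.0"
    done
}

# Usage: sh nat-ranges.sh print  (review the commands)
#        sh nat-ranges.sh apply  (run them, as root)
if [ $# -gt 0 ]; then
    case $1 in
        print) all_rules ;;
        apply) all_rules | sh -e ;;
        *)     echo "usage: $0 print|apply" >&2; exit 2 ;;
    esac
fi
```

Review the generated commands with `print` before running `apply`; the FORWARD chain policy must also allow the traffic through, and if the legacy hosts talk to each other across the four /24s that traffic never crosses this box and is unaffected.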
