Solved

Internal subnet same as Microsoft

Posted on 2006-06-29
334 Views
Last Modified: 2010-03-19
All,

I have a client that has an internal subnet that is the same as Microsoft's public range (it was originally set up that way).  I know the ultimate solution is to re-address the subnet to a private range.  That is going to happen eventually, but in the interim I need to set up something so they can access Microsoft web sites.  The internal addressing is 131.107.2.x/16.  Any thoughts on this?

Thanks,
MJ
Question by:ClearBlueTechnologies
15 Comments

Expert Comment by skags442 (LVL 2, ID: 17012662)

Well, there isn't an easy way that I can think of. You might be able to if you had 2 routers and did some crazy NAT, but I doubt it.

I would bite the bullet and readdress ASAP; you will save yourself a lot of headaches.

Expert Comment by rickhobbs (LVL 22, ID: 17012691)

Once DNS resolves the address, the path taken will be the shortest possible.  So unless you can increase the cost to the internal network higher than the cost of Microsoft, it will go to the internal sites.  If you do increase the cost, you will no longer be able to get to the internal sites.  Either way you are out of luck.  Re-address immediately.

Expert Comment by RPPreacher (LVL 20, ID: 17012856)

Two solutions:

1 - Web access only (to Microsoft.com and child domains).  Create a subnet with a private address range (172.16.x.x or whatever).  Add a static route in your router to this subnet and put a proxy server in the private range subnet.  Add the proxy server to the browser settings.  Now web requests will go to the proxy, the proxy server will make the requests out its gateway (so no routing conflicts) and back to your PC.  You will need to NAT the current range into the proxy subnet.

This might also help with future renumbering, because once you have the subnet created you could just move 1 PC at a time into the new subnet.

2 - Add a DNS zone for Microsoft.com that resolves to a private address (172.16.x.x or whatever).  When the computer sends this out the default gateway (your router), add a static NAT for Microsoft.com's real IP.

Expert Comment by skags442 (LVL 2, ID: 17012885)

if you do though with a work around... i wish you the best of luck

Expert Comment by The--Captain (LVL 16, ID: 17014632)

To get this to function, you have some work ahead...

If you cannot immediately renumber (and hence have microsoft host IPs assigned locally), you must:

Get your resolver system to hand out alternate IPs when attempting to resolve hosts which match your locally assigned IPs...  Translating into 10.x.0.0/16 might be ideal (unless those addresses are already allocated locally), or an unallocated space at least as big as your local subnet.

Then, you must implement NAT in both directions (DNAT and SNAT) to translate your faked resolver IP info back and forth between the real microsoft IPs and the IPs your resolver hands out to the clients.

Cheers,
-Jon
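The resolver-plus-NAT scheme in the two posts above (RPPreacher's option 2 and Jon's DNAT/SNAT description), modelled in Python as an added example; this is not code from the thread. It assumes the colliding internal block is 131.107.0.0/16 (the /16 from the question), that 10.107.0.0/16 is free locally, that the NAT box's public address is 203.0.113.1, and the DNS answers and hostnames in it are constructed for illustration.

```python
"""Split-horizon resolver + stateful two-way NAT for an internal range that
collides with public address space. Added example, not code from the thread.
Assumptions: LOCAL_NET is the misassigned internal range, SUBSTITUTE_NET is
unallocated locally, the NAT box's public IP is 203.0.113.1, and the resolver
answers below are constructed (the hostnames are not real)."""
import ipaddress
from typing import Dict, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

LOCAL_NET = IPNet("131.107.0.0/16")       # internal range that collides with public space
SUBSTITUTE_NET = IPNet("10.107.0.0/16")   # assumption: free locally, same size as LOCAL_NET
LOCALLY_ALLOCATED = [IPNet("10.1.0.0/16"), IPNet("192.168.0.0/24")]  # constructed

# Constructed answers the upstream resolver would return.
UPSTREAM_ANSWERS: Dict[str, str] = {
    "www.example-ms.test": "131.107.2.10",   # lands inside LOCAL_NET
    "www.example.test": "198.51.100.7",      # does not collide
}

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport), addresses as strings


def check_substitute_net(substitute: IPNet = SUBSTITUTE_NET,
                         local: IPNet = LOCAL_NET, allocated=LOCALLY_ALLOCATED) -> bool:
    """The substitute block must be at least as large as the colliding range and
    must not overlap anything already in use locally (the caveat in the post)."""
    if substitute.num_addresses < local.num_addresses:
        raise ValueError("substitute block is smaller than the colliding range")
    for net in allocated:
        if substitute.overlaps(net):
            raise ValueError(f"substitute block overlaps locally allocated {net}")
    return True


def to_substitute(real: str) -> str:
    """Keep the host offset: 131.107.a.b -> 10.107.a.b."""
    offset = int(IPAddr(real)) - int(LOCAL_NET.network_address)
    return str(IPAddr(int(SUBSTITUTE_NET.network_address) + offset))


def to_real(sub: str) -> str:
    """Inverse of to_substitute: 10.107.a.b -> 131.107.a.b."""
    offset = int(IPAddr(sub)) - int(SUBSTITUTE_NET.network_address)
    return str(IPAddr(int(LOCAL_NET.network_address) + offset))


def resolve(name: str) -> Optional[str]:
    """Split-horizon resolver: answers that would collide with LOCAL_NET are
    rewritten into SUBSTITUTE_NET; everything else passes through unchanged."""
    real = UPSTREAM_ANSWERS.get(name)
    if real is None:
        return None
    return to_substitute(real) if IPAddr(real) in LOCAL_NET else real


class NatBox:
    """Stateful NAT at the internet edge. Outbound: DNAT the substitute
    destination back to the real address and SNAT the client to the public IP.
    Inbound: undo both from the connection table, so the client sees replies
    coming from the address it connected to."""

    def __init__(self, public_ip: str = "203.0.113.1"):
        self.public_ip = public_ip
        self.next_port = 40000
        # (real remote addr, NAT source port) -> (client addr, client port, addr the client used)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str]] = {}

    def outbound(self, flow: Flow) -> Flow:
        src, sport, dst, dport = flow
        real_dst = to_real(dst) if IPAddr(dst) in SUBSTITUTE_NET else dst
        nat_port = self.next_port
        self.next_port += 1
        self.table[(real_dst, nat_port)] = (src, sport, dst)
        return (self.public_ip, nat_port, real_dst, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        src, sport, dst, dport = flow
        entry = self.table.get((src, dport))
        if entry is None or dst != self.public_ip:
            return None  # no matching state: drop, never forward into LOCAL_NET
        client, cport, dst_seen_by_client = entry
        return (dst_seen_by_client, sport, client, cport)


if __name__ == "__main__":
    check_substitute_net()
    box = NatBox()
    sub = resolve("www.example-ms.test")
    out = box.outbound(("131.107.5.20", 51000, sub, 443))
    back = box.inbound((out[2], 443, out[0], out[1]))
    print(sub, out, back)
```

The check in check_substitute_net is the caveat from the post: the substitute block has to be at least as large as the colliding range and must not overlap anything already allocated inside. The connection table is what makes the reverse translation safe: a packet arriving from 131.107.x.y with no matching outbound state is dropped rather than forwarded, so nothing from the real range is routed into the internal one by accident. On a Linux edge box the same thing is a NETMAP rule in the nat PREROUTING chain for the substitute block plus a MASQUERADE on the outside interface, with conntrack doing the reverse mapping.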

Expert Comment by rickhobbs (LVL 22, ID: 17015283)

How did you come to the conclusion that 131.107.2.x/16 is in use by Microsoft?  http://www.iana.org/assignments/ipv4-address-space shows it in use by various registries, and a quick scan of the range shows .2, .3, .4, and .100 as the only addresses in use at the moment.  They do not resolve.  Your best bet would be to just add routing statements for those four addresses to your router and see what happens.

Author Comment by ClearBlueTechnologies (LVL 1, ID: 17015337)

That is what the IT guy at the client told me.  Looking into it, I noticed that that subnet didn't necessarily map to all MS sites.  I have a call in to see exactly what MS services are being affected by this.  It might be just a couple IPs.  I will update when I find out tomorrow.

Thanks!

Accepted Solution by Steve Knight (LVL 43, ID: 17016741), earned 250 total points

The web proxy or extra NAT router idea is what I was going to suggest here; I had missed that comment until I just re-read.  Are you sure (some of) these addresses aren't allocated to the client as real internet addresses? Maybe they just have a subnet mask that is a bit over-optimistic. At the company I mention below, every desk used to have a real internet IP, hence the Class B :-)

Depending upon their usage and addresses already in use, it may or may not be practical to drop the subnet mask down from /16 to /24 or somewhere in between quite easily; that would naturally reduce the affected addresses down to much fewer.

To migrate I'd add multiple addresses on the same subnet to the servers to start with, change your DHCP scope so users use the correct IP, then change over printers, router, switches and other network devices.  Not actually that bad to do as long as you don't use hard-coded IPs for users to access stuff.

I use a public range privately on my own network due to the fact that a number of clients had all the private ranges in use, and the VPN solution in place at the time was not giving out internal addresses.  Across the continents nearly all of 10.0.0.0/8, 172.16.0.0, and 192.168.0.0/16 were in use.  I picked part of a Class B IP range used by a company I used to work for that is no longer around.

Steve

Author Comment by ClearBlueTechnologies (LVL 1, ID: 17055142)

Thank you all for your suggestions.  While dragon-it didn't give me the direct solution, it led me to the idea of using an Internet-based web proxy site as a temporary solution.  www.proxify.com is an example of one.  The customer is able to get to the couple of specific MS sites by going through the web proxy site.  This will work until we can re-number the network.

Thanks again for all your suggestions!

Mike

Expert Comment by The--Captain (LVL 16, ID: 17056671)

>it lead me to the idea of using an Internet based Web Proxy site as a temporary solution.

Yup.  I completely forgot that typical HTTP proxy connections defer DNS resolution onto the proxy server itself - so, even if you have an IP that corresponds to www.microsoft.com, you connect to the proxy server through NAT, and ask the proxy server to give you the results of www.microsoft.com.  Since your NAT device translates your "microsoft" IP to an actual external IP, the problem with using those allocated IPs is (at least temporarily) alleviated.

May I ask if this solution works for all protocols/ports, or just http/https?

In any case, I'm glad to hear that worked out for you.  I feel silly for overlooking an obvious solution.

Cheers,
-Jon
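The proxy behaviour Jon describes above (and RPPreacher's option 1 earlier in the thread), as an added Python example rather than code from the thread: it builds the request a browser sends to a configured proxy, shows which name the proxy parses and resolves, and compares the endpoint the client dials with and without the proxy. The proxy address 172.16.0.10:3128, the resolver table and the hostnames are constructed for illustration.

```python
"""Why an HTTP proxy sidesteps the address overlap: with a proxy configured the
client only dials the proxy's address; the origin hostname travels inside the
request (absolute URI for http, CONNECT host:port for https) and the proxy
resolves it on its own side of the NAT. Added example, not code from the thread.
The proxy endpoint, resolver table and hostnames below are constructed."""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

LOCAL_NET = ipaddress.IPv4Network("131.107.0.0/16")   # the client's misassigned range
PROXY = ("172.16.0.10", 3128)                           # assumption: proxy on a private subnet

# Constructed answers; the proxy's own resolver sits outside LOCAL_NET.
RESOLVER: Dict[str, str] = {
    "www.example-ms.test": "131.107.2.10",   # collides with the internal range
    "www.example.test": "198.51.100.7",
}


def build_proxy_request(url: str) -> bytes:
    """What a browser sends to a configured proxy. Plain HTTP puts the absolute
    URI on the request line; HTTPS opens a tunnel with CONNECT host:port."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme == "https":
        port = parts.port or 443
        return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"GET {parts.scheme}://{host}{path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def proxy_parse_target(request: bytes) -> Tuple[str, int]:
    """Proxy side: recover the origin host and port from the request line.
    This is the name the proxy, not the client, resolves."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        raise ValueError("proxy requests must carry an absolute URI")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def client_dial(url: str, use_proxy: bool) -> Tuple[str, int]:
    """Client side: the TCP endpoint the browser actually connects to."""
    if use_proxy:
        return PROXY
    parts = urlsplit(url)
    addr = RESOLVER[parts.hostname]
    return addr, parts.port or (443 if parts.scheme == "https" else 80)


def collides(endpoint: Tuple[str, int]) -> bool:
    """True when the dialed address is routed to the internal 131.107/16
    instead of the internet."""
    return ipaddress.IPv4Address(endpoint[0]) in LOCAL_NET


if __name__ == "__main__":
    url = "https://www.example-ms.test/download"
    direct, via = client_dial(url, False), client_dial(url, True)
    print("direct:", direct, "collides:", collides(direct))
    print("proxy :", via, "collides:", collides(via))
    print("proxy resolves:", proxy_parse_target(build_proxy_request(url)))
```

Only the proxy's address has to be reachable from the client, so the proxy subnet must sit outside the colliding range; the origin name is resolved by the proxy, on the far side of the NAT. This is also why the fix covers HTTP and HTTPS (absolute-URI GET and CONNECT tunnels) and not other protocols, which still resolve on the client and follow the internal route. A third-party web proxy site like the one the author settled on terminates the session and sees everything sent through it, so it is a stopgap for reaching a few pages, not a place to log in.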

Author Comment by ClearBlueTechnologies (LVL 1, ID: 17059439)

I know how you feel, Jon!  Sometimes the obvious solutions aren't so obvious.

We only tested it for HTTP/HTTPS, which it worked fine for.  I know these web proxies are really intended for other things, but it worked for this.

Later,
Mike

Expert Comment by Steve Knight (LVL 43, ID: 17059862)

To be fair here it wasn't actually me who first suggested a proxy server...

Expert Comment by The--Captain (LVL 16, ID: 17062602)

>To be fair here it wasn't actually me who first suggested a proxy server...

If you're feeling generous towards the Preacher, I can re-open this...

Cheers,
-Jon

Expert Comment by Steve Knight (LVL 43, ID: 17062630)

Go for it if you like.  Only 250 pts.

Steve

Expert Comment by The--Captain (LVL 16, ID: 17062842)

ClearBlue, is this OK with you?

If so, you, dragon, and preacher might want to comment about how you want the split to go...

Cheers,
-Jon