Solved

Internal subnet same as Microsoft

Posted on 2006-06-29
15
376 Views
Last Modified: 2010-03-19
All,

I have a client that has an internal subnet that is the same as Microsoft's public range (it was originally set up that way). I know the ultimate solution is to re-address the subnet to a private range. That is going to happen eventually, but in the interim I need to set up something so they can access Microsoft web sites. The internal addressing is 131.107.2.x/16. Any thoughts on this?

Thanks,
MJ
0
Question by:ClearBlueTechnologies
15 Comments
 
LVL 2

Expert Comment

by:skags442
ID: 17012662
Well, there isn't an easy way that I can think of. You might be able to if you had 2 routers and did some crazy NAT, but I doubt it.

I would bite the bullet and readdress ASAP; you will save yourself a lot of headaches.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17012691
Once DNS resolves the address, the path taken will be the shortest possible.  So unless you can increase the cost to the internal network higher than the cost of Microsoft, it will go to the internal sites.  If you do increase the cost, you will no longer be able to get to the internal sites.  Either way you are out of luck.  Re-address immediately.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 17012856
Two solutions:

1 - Web access only (to Microsoft.com and child domains). Create a subnet with a private address range (172.16.x.x or whatever). Add a static route in your router to this subnet and put a proxy server in the private range subnet. Add the proxy server to the browser settings. Now web requests will go to the proxy, the proxy server will make the requests out its gateway (so no routing conflicts) and back to your PC. You will need to NAT the current range into the proxy subnet.

This might also help with future renumbering because once you have the subnet created you could just move 1 PC at a time into the new subnet.

2 - Add a DNS zone for Microsoft.com that resolves to a private address (172.16.x.x or whatever).  When the computer sends this out the default gateway (your router), add a static NAT for Microsoft.com's real IP.
0
 
LVL 2

Expert Comment

by:skags442
ID: 17012885
If you do go with a workaround, though... I wish you the best of luck.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 17014632
To get this to function, you have some work ahead...

If you cannot immediately renumber (and hence have microsoft host IPs assigned locally), you must:

Get your resolver system to hand out alternate IPs when attempting to resolve hosts which match your locally assigned IPs... Translating into 10.x.0.0/16 might be ideal (unless those addresses are already allocated locally), or an unallocated space at least as big as your local subnet.

Then, you must implement NAT in both directions (DNAT and SNAT) to translate your faked resolver IP info back and forth between the real microsoft IPs and the IPs your resolver hands out to the clients.

Cheers,
-Jon
0
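The DNS-override-plus-NAT approach described by RPPreacher (option 2) and The--Captain above, as an added worked example that is not part of the thread: a small Python model of the planning step. It takes the client's overlapping 131.107.0.0/16 range, an assumed free private "shadow" range (10.200.0.0/16 here, an assumption), and a constructed set of resolver answers, then works out which names actually collide, what the local resolver should hand out instead, and the DNAT/SNAT mapping the NAT device needs. The iptables rendering assumes a Linux NAT box; the hostnames and addresses are constructed, not real Microsoft hosts.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed for this example: the client's overlapping range (from the
# thread) and a private range ASSUMED to be unused anywhere on their network.
INTERNAL = ipaddress.ip_network("131.107.0.0/16")
SHADOW = ipaddress.ip_network("10.200.0.0/16")

# Constructed sample resolver answers (hostname -> real public address).
# 198.51.100.0/24 is documentation space; none of these are real hosts.
RESOLVED = {
    "www.example-overlap.test": "131.107.2.200",
    "update.example-overlap.test": "131.107.10.5",
    "other.example.test": "198.51.100.7",
}


def check_shadow_range(internal: ipaddress.IPv4Network,
                       shadow: ipaddress.IPv4Network) -> None:
    """Refuse a shadow range that would recreate the problem being worked around."""
    if not shadow.is_private:
        raise ValueError("shadow range must be RFC 1918 space")
    if shadow.overlaps(internal):
        raise ValueError("shadow range overlaps the internal range")
    if shadow.prefixlen > internal.prefixlen:
        raise ValueError("shadow range is smaller than the internal range")


def shadow_for(real_ip: str) -> str:
    """Map a colliding public address to the same host offset inside SHADOW,
    so the mapping is reversible without a lookup table."""
    ip = ipaddress.ip_address(real_ip)
    if ip not in INTERNAL:
        raise ValueError(f"{real_ip} does not collide with {INTERNAL}")
    offset = int(ip) - int(INTERNAL.network_address)
    return str(SHADOW.network_address + offset)


def build_plan(resolved: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (dns_overrides, nat_map).

    dns_overrides: the answer the local resolver should give for each name.
    nat_map: shadow address -> real address; the NAT device rewrites the
    destination outbound (DNAT) and the source of replies back (the SNAT half).
    Names whose real address does not collide are left alone, which matters
    because only a handful of addresses in the range may actually be in use."""
    check_shadow_range(INTERNAL, SHADOW)
    dns_overrides: Dict[str, str] = {}
    nat_map: Dict[str, str] = {}
    for name, real_ip in resolved.items():
        if ipaddress.ip_address(real_ip) in INTERNAL:
            fake = shadow_for(real_ip)
            dns_overrides[name] = fake
            nat_map[fake] = real_ip
        else:
            dns_overrides[name] = real_ip
    return dns_overrides, nat_map


def render_nat_rules(nat_map: Dict[str, str], egress_if: str = "eth0") -> List[str]:
    """Render the mapping as Linux iptables rules (assumed Linux NAT box; adapt
    to the router in use). Connection tracking reverses the DNAT on replies;
    the MASQUERADE rule is still required because packets leaving with a
    131.107.x.x source address would otherwise have their replies routed to
    whoever really holds that range."""
    rules = [
        f"iptables -t nat -A PREROUTING -d {fake} -j DNAT --to-destination {real}"
        for fake, real in nat_map.items()
    ]
    rules.append(
        f"iptables -t nat -A POSTROUTING -o {egress_if} -s {INTERNAL} -j MASQUERADE"
    )
    return rules


if __name__ == "__main__":
    overrides, nat = build_plan(RESOLVED)
    for name, answer in overrides.items():
        print(f"resolver answers {name} -> {answer}")
    for rule in render_nat_rules(nat):
        print(rule)
```

The offset-preserving mapping keeps the translation stateless: 131.107.2.200 always becomes 10.200.2.200 and back, and a name that resolves outside the overlap (other.example.test) is passed through untouched, which keeps the override list to the few addresses that are really affected.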
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17015283
How did you come to the conclusion that 131.107.2.x/16 is in use by Microsoft? http://www.iana.org/assignments/ipv4-address-space shows it in use by various registries, and a quick scan of the range shows .2, .3, .4, and .100 as the only addresses in use at the moment. They do not resolve. Your best bet would be to just add routing statements for those four addresses to your router and see what happens.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 17015337
That is what the IT guy at the client told me.  Looking into it, I noticed that that subnet didn't necessarily map to all MS sites.  I have a call in to see exactly what MS services are being affected by this.  It might be just a couple IPs.  I will update when I find out tomorrow.

Thanks!
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 250 total points
ID: 17016741
The adding a web proxy or extra NAT router idea is what I was going to suggest here; I had missed that comment until I just re-read. Are you sure (some of) these addresses aren't allocated to the client as real internet addresses, and maybe they just have a subnet mask that is a bit over-optimistic? At the company I mention below, every desk used to have a real internet IP, hence the Class B :-)

Depending upon their usage and addresses already in use, it may or may not be practical to drop the subnet mask down from /16 to /24 or somewhere in between quite easily; that would naturally reduce the affected addresses down to much fewer.

To migrate I'd add multiple addresses on the same subnet to the servers to start with, change your DHCP scope so users use the correct IP, then change over printers, router, switches and other network devices. Not actually that bad to do as long as you don't use hard-coded IPs for users to access stuff.

I use a public range privately on my own network due to the fact that a number of clients had all the private ranges in use and the VPN solution in place at the time was not giving out internal addresses. Across the continents nearly all of 10.0.0.0/8, 172.16.0.0, and 192.168.0.0/16 were in use. I picked part of a Class B IP range used by a company I used to work for that is no longer around.

Steve
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 17055142
Thank you all for your suggestions. While dragon-it didn't give me the direct solution, it led me to the idea of using an Internet-based web proxy site as a temporary solution. www.proxify.com is an example of one. The customer is able to get to the couple of specific MS sites by going through the web proxy sites. This will work until we can re-number the network.

Thanks again for all your suggestions!

Mike
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 17056671
>it led me to the idea of using an Internet-based web proxy site as a temporary solution.

Yup. I completely forgot that typical HTTP proxy connections defer DNS resolution onto the proxy server itself - so, even if you have an IP that corresponds to www.microsoft.com, you connect to the proxy server through NAT, and ask the proxy server to give you the results of www.microsoft.com. Since your NAT device translates your "microsoft" IP to an actual external IP, the problem with using those allocated IPs is (at least temporarily) alleviated.

May I ask if this solution works for all protocols/ports, or just http/https?

In any case, I'm glad to hear that worked out for you.  I feel silly for overlooking an obvious solution.

Cheers,
-Jon
0
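Why the proxy sidesteps the overlap, as an added example that is not part of the thread: a direct HTTP client resolves the target name itself and connects to whatever address comes back, so a name that resolves into the overlapping range lands on the internal LAN. A forward-proxy client instead opens TCP only to the proxy and passes the target name inside the request (an absolute-form request line for plain HTTP, a CONNECT request for HTTPS), so the lookup happens on the proxy's side of the NAT. The two functions below model each request shape and report which names the client itself must resolve; the proxy name and URLs are constructed.

```python
from typing import Set, Tuple
from urllib.parse import urlsplit

Endpoint = Tuple[str, int]  # (host, tcp_port)


def _target(url: str) -> Tuple[str, str, int, str]:
    """Split an absolute http(s) URL into (scheme, host, port, origin-form path)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("need an absolute http(s) URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, parts.hostname, port, path


def direct_request(url: str) -> Tuple[Endpoint, str, Set[str]]:
    """No proxy: returns (endpoint the client connects to, first request line,
    names the client's own resolver must look up). The client resolves the
    target itself, so an answer inside the overlapping range sends the TCP
    connection to the internal LAN instead of the real site."""
    _, host, port, path = _target(url)
    return (host, port), f"GET {path} HTTP/1.1", {host}


def proxied_request(url: str, proxy: Endpoint) -> Tuple[Endpoint, str, Set[str]]:
    """Through a forward proxy: the client connects only to the proxy and hands
    the target name over in the request, either absolute-form (plain HTTP) or a
    CONNECT tunnel request (HTTPS). Only the proxy's name is resolved locally;
    the proxy performs the target lookup on its own side of the NAT."""
    scheme, host, port, _ = _target(url)
    if scheme == "https":
        line = f"CONNECT {host}:{port} HTTP/1.1"
    else:
        line = f"GET {url} HTTP/1.1"
    return proxy, line, {proxy[0]}


if __name__ == "__main__":
    # Constructed hostnames; the proxy is assumed to sit outside the overlap.
    proxy = ("proxy.internal.test", 3128)
    for url in ("http://www.example-overlap.test/download/x",
                "https://www.example-overlap.test/"):
        print("direct :", direct_request(url))
        print("proxied:", proxied_request(url, proxy))
```

This also answers the "all protocols or just HTTP/HTTPS" question above: the deferral only exists because HTTP carries the target name inside the request (and CONNECT tunnels only what the proxy is willing to relay), so non-HTTP traffic to the overlapping addresses still needs the DNS-override-plus-NAT route. With a public proxy site, the proxy operator sees the full URL of every request, which is the usual reason to treat this as a stopgap.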
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 17059439
I know how you feel Jon!  Sometimes the obvious solutions aren't so obvious.

We only tested it for HTTP/HTTPS which it worked fine for.  I know these web proxies are really intended for other things but it worked for this.

Later,
Mike
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17059862
To be fair here it wasn't actually me who first suggested a proxy server...
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 17062602
>To be fair here it wasn't actually me who first suggested a proxy server...

If you're feeling generous towards the Preacher, I can re-open this...

Cheers,
-Jon
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17062630
Go for it if you like.  Only 250 pts.

Steve
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 17062842
ClearBlue, is this OK with you?

If so, you, dragon, and preacher might want to comment about how you want the split to go...

Cheers,
-Jon
0
