  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 396

Internal subnet same as Microsoft

All,

I have a client that has an internal subnet that is the same as Microsoft's public range (it was originally set up that way).  I know the ultimate solution is to re-address the subnet to a private range.  That is going to happen eventually, but in the interim I need to set up something so they can access Microsoft web sites.  The internal addressing is 131.107.2.x/16.  Any thoughts on this?

Thanks,
MJ
Asked:
ClearBlueTechnologies
1 Solution
 
skags442 commented:
Well, there isn't an easy way that I can think of; you might be able to if you had 2 routers and did some crazy NAT, but I doubt it.

I would bite the bullet and readdress ASAP; you will save yourself a lot of headaches.
0
 
Rick Hobbs (RETIRED) commented:
Once DNS resolves the address, the path taken will be the shortest possible.  So unless you can increase the cost to the internal network higher than the cost of Microsoft, it will go to the internal sites.  If you do increase the cost, you will no longer be able to get to the internal sites.  Either way you are out of luck.  Re-address immediately.
0
 
RPPreacher commented:
Two solutions:

1 - Web access only (to Microsoft.com and child domains).  Create a subnet with a private address range (172.16.x.x or whatever).  Add a static route in your router to this subnet and put a proxy server in the private-range subnet.  Add the proxy server to the browser settings.  Now web requests will go to the proxy, the proxy server will make the requests out its gateway (so no routing conflicts) and back to your PC.  You will need to NAT the current range into the proxy subnet.

This might also help with future renumbering, because once you have the subnet created you could just move 1 PC at a time into the new subnet.

2 - Add a DNS zone for Microsoft.com that resolves to a private address (172.16.x.x or whatever).  When the computer sends this out the default gateway (your router), add a static NAT for Microsoft.com's real IP.
0
 
skags442 commented:
If you do go through with a workaround... I wish you the best of luck.
0
 
The--Captain commented:
To get this to function, you have some work ahead...

If you cannot immediately renumber (and hence have microsoft host IPs assigned locally), you must:

Get your resolver system to hand out alternate IPs when attempting to resolve hosts which match your locally assigned IPs...  Translating into 10.x/16 might be ideal (unless those addresses are already allocated locally), or an unallocated space at least as big as your local subnet.

Then, you must implement NAT in both directions (DNAT and SNAT) to translate your faked resolver IP info back and forth between the real microsoft IPs and the IPs your resolver hands out to the clients.

Cheers,
-Jon
0
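The split-resolver plus two-way NAT approach that RPPreacher's option 2 and The--Captain describe, as an added Python example (not code from any poster in this thread): it maps destinations in the colliding 131.107.0.0/16 range onto a stand-in private range host-for-host, rewrites sample A records the way the internal resolver would hand them to clients, and prints the matching Linux NAT rules. The stand-in range 10.131.0.0/16, the hostnames and the record values are constructed for the example; the iptables NETMAP/MASQUERADE lines assume a Linux NAT box and are illustrative.

```python
import ipaddress

# Constructed for this example: the client's locally assigned range (from the question)
LOCAL_NET = ipaddress.ip_network("131.107.0.0/16")
# Constructed: an unallocated private range of the same size, used for stand-in addresses
SHADOW_NET = ipaddress.ip_network("10.131.0.0/16")

# Constructed sample resolver answers (placeholder names, not real records): name -> real A record
SAMPLE_ANSWERS = {
    "www.example-vendor.test": "131.107.2.200",
    "update.example-vendor.test": "131.107.77.9",
    "cdn.example-other.test": "198.51.100.7",
}


def _check_pair(local_net, shadow_net):
    # A host-for-host mapping only works between ranges of equal size that do not overlap
    if local_net.prefixlen != shadow_net.prefixlen:
        raise ValueError("local and shadow ranges must be the same size for 1:1 mapping")
    if local_net.overlaps(shadow_net):
        raise ValueError("shadow range must not overlap the local range")


def shadow_address(public_ip, local_net=LOCAL_NET, shadow_net=SHADOW_NET):
    """Map a public IP that collides with the local range onto its stand-in in shadow_net,
    keeping the host bits (1:1, NETMAP-style). Non-colliding addresses pass through."""
    _check_pair(local_net, shadow_net)
    ip = ipaddress.ip_address(public_ip)
    if ip not in local_net:
        return ip
    host_bits = int(ip) - int(local_net.network_address)
    return ipaddress.ip_address(int(shadow_net.network_address) + host_bits)


def real_address(shadow_ip, local_net=LOCAL_NET, shadow_net=SHADOW_NET):
    """Inverse of shadow_address: the DNAT step the router applies to outbound packets."""
    _check_pair(local_net, shadow_net)
    ip = ipaddress.ip_address(shadow_ip)
    if ip not in shadow_net:
        return ip
    host_bits = int(ip) - int(shadow_net.network_address)
    return ipaddress.ip_address(int(local_net.network_address) + host_bits)


def rewrite_answers(answers, local_net=LOCAL_NET, shadow_net=SHADOW_NET):
    """What the internal resolver hands to clients: colliding A records rewritten to the
    stand-in range, everything else untouched. Returns {name: (real_ip, handed_out_ip)}."""
    return {
        name: (str(ip), str(shadow_address(ip, local_net, shadow_net)))
        for name, ip in answers.items()
    }


def netmap_rules(local_net=LOCAL_NET, shadow_net=SHADOW_NET, wan_if="eth0"):
    """Illustrative iptables rules (assumed Linux NAT box) matching the mapping above:
    translate stand-in destinations back to the real range, then hide the clients'
    own colliding source addresses behind the router's public address."""
    _check_pair(local_net, shadow_net)
    return [
        f"iptables -t nat -A PREROUTING -d {shadow_net} -j NETMAP --to {local_net}",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {local_net} -j MASQUERADE",
    ]


if __name__ == "__main__":
    for name, (real, handed) in rewrite_answers(SAMPLE_ANSWERS).items():
        print(f"{name:28} real={real:16} client sees={handed}")
    print("\n".join(netmap_rules()))
```

One caveat that follows from Rick Hobbs's point above: the device applying the NETMAP rule must not itself hold the LAN route for 131.107.0.0/16, otherwise the translated packet is routed straight back onto the LAN. In practice that means the NAT step sits on a second box upstream of the LAN router (the "2 routers" skags442 mentions), or uses a policy route that sends translated traffic out the WAN interface.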
 
Rick Hobbs (RETIRED) commented:
How did you come to the conclusion that 131.107.2.x/16 is in use by Microsoft?  http://www.iana.org/assignments/ipv4-address-space shows it in use by various registries, and a quick scan of the range shows .2, .3, .4, and .100 as the only addresses in use at the moment.  They do not resolve.  Your best bet would be to just add routing statements for those four addresses to your router and see what happens.
0
 
ClearBlueTechnologies (Author) commented:
That is what the IT guy at the client told me.  Looking into it, I noticed that that subnet didn't necessarily map to all MS sites.  I have a call in to see exactly what MS services are being affected by this.  It might be just a couple IPs.  I will update when I find out tomorrow.

Thanks!
0
 
Steve Knight (IT Consultancy) commented:
The adding a web proxy or extra NAT router idea is what I was going to suggest here; I had missed that comment until I just re-read.  Are you sure these (or some of these) addresses aren't allocated to the client as real Internet addresses?  Maybe they just have a subnet mask that is a bit over-optimistic - at the company I mention below every desk used to have a real Internet IP, hence the Class B :-)

Depending upon their usage and the addresses already in use, it may or may not be practical to drop the subnet mask down from /16 to /24 or somewhere in between quite easily; that would naturally reduce the affected addresses down to much fewer.

To migrate I'd add multiple addresses on the same subnet to the servers to start with, change your DHCP scope so users get the correct IP, then change over printers, router, switches and other network devices.  Not actually that bad to do as long as you don't use hard-coded IPs for users to access stuff.

I use a public range privately on my own network due to the fact that a number of clients had all the private ranges in use and the VPN solution in place at the time was not giving out internal addresses.  Across the continents nearly all of 10.0.0.0/8, 172.16.0.0 and 192.168.0.0/16 were in use.  I picked part of a Class B range used by a company I used to work for that is no longer around.

Steve
0
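Steve Knight's point that narrowing the mask from /16 towards /24 shrinks the set of affected addresses, as an added Python example (not code from the thread): given the hosts the client actually uses, it finds the tightest prefix that still covers them and reports which of the needed public addresses fall inside the old and the new range. The in-use hosts and the needed public addresses are constructed placeholders, not the client's real inventory or real Microsoft addresses.

```python
import ipaddress

# Constructed sample data for this example (not the client's real inventory):
LOCAL_NET = ipaddress.ip_network("131.107.0.0/16")   # the range from the question
# Hosts actually in use on the LAN (DHCP scope plus static servers and printers)
IN_USE_LOCAL = ["131.107.2.10", "131.107.2.45", "131.107.3.7", "131.107.2.254"]
# Public addresses inside that range the client needs to reach (placeholder values)
NEEDED_PUBLIC = ["131.107.2.200", "131.107.77.9", "131.107.200.1"]


def shadowed(public_ips, local_net):
    """Public addresses the local range hides: a packet to any of them matches the
    LAN route and never leaves through the gateway."""
    return [ip for ip in public_ips if ipaddress.ip_address(ip) in local_net]


def tightest_prefix(in_use, base=LOCAL_NET):
    """Longest prefix (smallest subnet) inside base that still contains every
    in-use host, i.e. how far the mask can be narrowed without renumbering."""
    hosts = [ipaddress.ip_address(h) for h in in_use]
    if not hosts:
        raise ValueError("need at least one in-use host")
    for h in hosts:
        if h not in base:
            raise ValueError(f"{h} is outside {base}")
    # Walk from /32 down to the base prefix; the first supernet of the first
    # host that also covers all the others is the tightest one.
    for plen in range(32, base.prefixlen - 1, -1):
        candidate = ipaddress.ip_network(f"{hosts[0]}/{plen}", strict=False)
        if all(h in candidate for h in hosts):
            return candidate
    return base  # not reached in practice: base itself contains every host


def narrowing_report(in_use, needed_public, base=LOCAL_NET):
    """Summarise what a mask change buys: the new subnet, the public addresses it
    frees, and the ones that still collide and need another workaround."""
    new_net = tightest_prefix(in_use, base)
    before = shadowed(needed_public, base)
    after = shadowed(needed_public, new_net)
    return {
        "new_subnet": str(new_net),
        "freed": [ip for ip in before if ip not in after],
        "still_shadowed": after,
    }


if __name__ == "__main__":
    report = narrowing_report(IN_USE_LOCAL, NEEDED_PUBLIC)
    print(f"narrow {LOCAL_NET} to {report['new_subnet']}")
    print("reachable after the change:", report["freed"])
    print("still hidden by the LAN route:", report["still_shadowed"])
```

With the constructed data the mask can drop to /23, which frees two of the three needed addresses; the one that remains inside the narrowed range still needs one of the other workarounds (proxy, split DNS with NAT, or a host route as Rick suggests) until the renumbering happens.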
 
ClearBlueTechnologies (Author) commented:
Thank you all for your suggestions.  While dragon-it didn't give me the direct solution, it led me to the idea of using an Internet-based web proxy site as a temporary solution.  www.proxify.com is an example of one.  The customer is able to get to the couple of specific MS sites by going through the web proxy sites.  This will work until we can re-number the network.

Thanks again for all your suggestions!

Mike
0
 
The--Captain commented:
>it led me to the idea of using an Internet-based web proxy site as a temporary solution.

Yup.  I completely forgot that typical HTTP proxy connections defer DNS resolution onto the proxy server itself - so, even if you have an IP that corresponds to www.microsoft.com, you connect to the proxy server through NAT and ask the proxy server to give you the results of www.microsoft.com.  Since your NAT device translates your "microsoft" IP to an actual external IP, the problem with using those allocated IPs is (at least temporarily) alleviated.

May I ask if this solution works for all protocols/ports, or just http/https?

In any case, I'm glad to hear that worked out for you.  I feel silly for overlooking an obvious solution.

Cheers,
-Jon
0
 
ClearBlueTechnologies (Author) commented:
I know how you feel Jon!  Sometimes the obvious solutions aren't so obvious.

We only tested it for HTTP/HTTPS which it worked fine for.  I know these web proxies are really intended for other things but it worked for this.

Later,
Mike
0
 
Steve Knight (IT Consultancy) commented:
To be fair here it wasn't actually me who first suggested a proxy server...
0
 
The--Captain commented:
>To be fair here it wasn't actually me who first suggested a proxy server...

If you're feeling generous towards the Preacher, I can re-open this...

Cheers,
-Jon
0
 
Steve Knight (IT Consultancy) commented:
Go for it if you like.  Only 250 pts.

Steve
0
 
The--Captain commented:
ClearBlue, is this OK with you?

If so, you, dragon and preacher might want to comment about how you want the split to go...

Cheers,
-Jon
0