
Spoofing an IP

Last Modified: 2010-04-10
Here's the problem. We have a site-to-site VPN connection with our parent company's network in England.  Over the past weekend, we changed our internal IP address scheme from a 192.168.0.0 /24 to a 10.10.0.0 /23 network to accommodate an influx of new employees and to prevent conflicts with our internal default router and the default router of our VPN clients.  In doing so, we picked an IP range that was already in use by our counterparts in England.  They have another remote site that uses the 10.10.0.0 network as well, which creates a conflict when we attempt to connect our site-to-site VPN.  Is there any way to create static routes so that our England counterparts see our network as a 192.168.x.x?

Here's how traffic flows at our site:

12.xxx.xxx.8(External IP address of our PIX firewall) -> 10.1.2.2(Internal IP address of our PIX) -> 10.1.2.1(External IP address of our Cisco 2811 Router) -> 10.10.0.1(Internal IP address of our Cisco 2811 Router, which is the default route of our network)


No. I would say, change your ip address.

Another workaround would be putting a router between the LAN and VPN router, like this:

EnglandVPN router-----------VPN router-----------------192.198.x.xROUTER10.10.0.0/23------------------------LAN10.10.0.0/23
You have to make sure that you are using only static routing. No routing protocol.

Commented:
Change IPs.  Pick something else like: 10.99.0.0/23

Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Depending on your VPN endpoint devices, you might be able to NAT between the two networks and work just fine.
I know it's possible using Cisco PIX as endpoints.
It's NATing, not routing, that you need.

Author

Commented:
On my end is a Cisco PIX 506e, England is using a Checkpoint VPN-1.

Do you have a sample config for this that I could use as a basis?

Commented:
Who is in charge of the network as a whole?  Your IP range should be assigned by that person so as to avoid conflicts.  What other subnets are in use?
Steve Jennings, Sr Manager Cloud Networking Ops
CERTIFIED EXPERT

Commented:
. . . make sure you don't NAT the addresses to the same IP range! (Har!!) Sorry. Couldn't resist.

Commented:
As RDAdams said, implement the ip address as assigned by whoever has done all the subnetting assignments.
IP addresses MUST be unique within the broadcast space that is utilized.
You really don't have a choice and there aren't any passable options as a workaround.

The short version of the story is that you should not have implemented the 10.x.x.x addresses without verifying they were not in use and now they must be corrected.
If there is not currently a central authority on your IP network for ip designations, then you should assume that responsibility.
Determine what subnets are in use and create documentation for the subnets' use and where they are in use.
Distribute the documentation to all networking departments in any of the companies that are or will ever be in use at any of the companies that connect to any of the networks used by the companies (Directly - if they're behind NAT, that's fine).

This should most likely be a simple list such as:
10.10.0-4.x england
10.10.5.x your company
10.10.6-254.x unused

Also, I would not implement knightrider2k2's suggestion in a production environment.  You do not want to have any ip addresses duplicated at any point in your network.

Author

Commented:
Worked perfectly, lrmoore.  Thanks a ton :)  If we used the VPN for anything more than simple video conferencing and intranet traffic I would be more worried about this.  I've since taken control of the networking scheme for both the US and the England sides of our network so we will not run into this again.
