
IP networking question

I just have a question--I came across a network that had all its computers (40) set to static IPs using the scheme 208.65.x.x.  The public IP is different.

How is this a valid private IP scheme?  I know there is a DSL modem, a Cisco PIX firewall, and a Cisco router involved.  I am trying to learn and not look like a fool by asking dumb questions.  I thought all private IPs were either 10.x.x.x, 172.16.x.x, or 192.168.x.x.  Am I wrong?

3 Solutions
You are not "wrong" but the fact is as long as traffic is being NATed, you can use any addresses you want on the back end. The designated private networks (10/8, 172.16/12 and 192.168/16) just make it easy for ISPs to deny any of that traffic as not being valid over public networks.
Hi Jimmy,
the subnet range for a class C Subnet is 192 - 223

jimmy_the_fishAuthor Commented:
Thanks---I really appreciate it.

Let me ask one more question.  They told me that they have to use specific IPs to access specific websites.  How is this possible if it's NAT'ed?  The website will only see the public IP, not the private one, correct?

The IP address you assign in the network can be anything, like in your case 208.65.X.X. It all depends on how your network is seen from outside (internet/public network). The RFC says that some ranges can be used for private networks. When a packet from your computer leaves your premises and goes to the internet there should be a NAT (Network Address Translation) (maybe on the Cisco router) which converts your internal IP 208.65 into the public IP given by the Service Provider.
Fred MarshallCommented:
I believe the comments you've received so far are all pretty much on the mark.  
The immediate problem that I see is this:

How did you select the public address range that you're using inside?  If it was arbitrary then consider this:

*The public addresses you're using likely belong to somebody else, or will at some point in time; that's not something you can determine except by continually checking those addresses with "whois".  For example: - Geo Information
IP Address
Host 208-65-1-1.webb-static.skyviewtech.com
Location  US, United States
City Saint George, UT 84770
Organization Sky-View Technologies
ISP Sky-View Technologies

So, now let's say one of your clients Googles and comes up with a URL of interest and clicks on it.
The DNS service converts the URL into an IP address.
Let's say that the IP address associated with that URL is
And, let's say that is the address assigned to one of your computers or at least is within the address range of your internal subnet.

So, now the client computer tries to open a web page at which is on your subnet.  The packets go out on the wire and never get NATted out to the internet.  Your gateway doesn't even pay attention to those packets as they aren't directed to the gateway at all.  Result: no connection is made.

Incoming packets don't have this problem because they are addressed to your outside IP address.

So, while it *may* work, *some* of the time, I wouldn't advise it.
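The two points made above (the RFC 1918 blocks that NAT does not need, and the "shadowed" public address that never reaches the gateway) as an added example using Python's ipaddress module. This is not code from the thread; the /24 mask for the 208.65.x.x scheme and the destination addresses are assumptions.

```python
import ipaddress

# The three RFC 1918 blocks named earlier in the thread (10/8, 172.16/12, 192.168/16).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(subnet: str) -> bool:
    """True if the whole internal subnet lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def next_hop(internal_subnet: str, destination: str) -> str:
    """Where a host on internal_subnet sends a packet for destination.

    A destination inside the local subnet is delivered directly on the LAN and
    is never sent to the NAT gateway; anything else goes to the gateway.
    """
    net = ipaddress.ip_network(internal_subnet, strict=False)
    return "local-subnet" if ipaddress.ip_address(destination) in net else "gateway"

def shadowed_destinations(internal_subnet: str, destinations) -> list:
    """Public addresses the internal subnet shadows, i.e. that can never be reached."""
    return [d for d in destinations if next_hop(internal_subnet, d) == "local-subnet"]

if __name__ == "__main__":
    # Assumed mask for the 208.65.x.x scheme; destinations are constructed samples
    # (208.65.1.1 is the host from the whois lookup above, 198.51.100.10 is a
    # documentation address standing in for an unrelated website).
    inside = "208.65.1.0/24"
    print("private range:", is_rfc1918(inside))
    print("unreachable:", shadowed_destinations(inside, ["208.65.1.1", "198.51.100.10"]))
```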
jimmy_the_fishAuthor Commented:
Wow, lots of good information here.  I didn't actually build this network.  It was built about 10 years ago and has been maintained by several different people throughout the years.

I still don't understand why specific computers internally have to have specific IP addresses to access specific secure websites---I have never heard of this before and it does not make sense.  It would make more sense if it were a specific public IP....

Also, why so many firewalls?  Does the DSL modem along with the Cisco PIX and Cisco router make sense to you?

Fred MarshallCommented:
I still don't understand why specific computers internally have to have specific IP addresses to access specific secure websites-

I don't see that this has been asked before.  Can you elaborate please?
jimmy_the_fishAuthor Commented:
All their internal IPs are 208.65.x.x.  Their public is something like 221.43.x.x.  They access some ADP secure websites and have told me that specific computers inside have to have specific IPs for it to work.

For example, the receptionist needs 208.65.x.24 and the office manager needs 208.65.x.25 to access these external websites.  If they have any other IP, it won't work.  I haven't actually tested it---this is just based on what they tell me.  They also aren't running DHCP, so every machine has to have a static, which again, makes no sense to me??

Fred MarshallCommented:
Static IPs are fine.  I run an entire enterprise that way (yes it's relatively small .. I'd say "medium sized") except for wireless clients which are on DHCP.  

- there is no question about DHCP or DNS working from the client end because you set those up manually.
- there is no fuss pinging a particular computer by IP address because you know what it is a priori.
- you can set firewall rules according to subranges if the addresses are controlled this way.  e.g.
- you can install printers by IP address without worrying about names and name service.
- you can readily communicate between computers separated by a site-to-site VPN because you know their IP addresses (which are needed if there's not intersite name service).
- a "foreigner" can't just plug into your network and go.  Includes rogue wireless routers.  They have to know what the range is, etc.  Not a huge security measure but might help now and then.  Defense in depth is about lots of small inhibitors like the hook on a screen door.

- you have to set up each computer; but that's a very simple thing to do for one who knows half what's needed.
- if you have no DHCP server at all then you'll find some situations where it's a tiny bit inconvenient.  I don't find there are that many / that often and it's easy enough to work around.  I've chosen to not have one in some cases and to have one in others.
- you have to keep a spreadsheet of IP addresses and avoid duplicate assignments.  I use a sorted spreadsheet that tells me which IPs are in use in a contiguous list followed by which IPs are not in use;  it has an error checker that tells me if there's something wrong with the IP addresses in the list - which helps avoid duplicates, etc.
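An added example of the duplicate/error checker described in the last bullet, written here in Python; it is not the commenter's spreadsheet. The inventory below is constructed, and the /24 mask and host names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample inventory (name,ip) in the 208.65.x.x scheme; mask assumed /24.
INVENTORY = """\
gateway,208.65.1.1
receptionist,208.65.1.24
office-manager,208.65.1.25
printer,208.65.1.24
fileserver,208.65.1.300
laptop,192.168.0.5
"""

def audit_inventory(csv_text: str, subnet: str) -> dict:
    """Flag invalid addresses, addresses outside the subnet, duplicate
    assignments and network/broadcast addresses given to hosts; also report
    which addresses are still free."""
    net = ipaddress.ip_network(subnet, strict=False)
    invalid, outside, reserved = [], [], []
    seen = Counter()
    for line in csv_text.splitlines():
        name, _, raw = line.partition(",")
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            invalid.append(name)        # e.g. an octet above 255
            continue
        if ip not in net:
            outside.append(name)        # belongs to some other subnet
            continue
        if ip in (net.network_address, net.broadcast_address):
            reserved.append(name)       # never assign these to a host
        seen[str(ip)] += 1
    duplicates = sorted(ip for ip, n in seen.items() if n > 1)
    free = [str(h) for h in net.hosts() if str(h) not in seen]
    return {"invalid": invalid, "outside": outside, "reserved": reserved,
            "duplicates": duplicates, "free_count": len(free), "first_free": free[:3]}

if __name__ == "__main__":
    for key, value in audit_inventory(INVENTORY, "208.65.1.0/24").items():
        print(f"{key}: {value}")
```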
Fred MarshallCommented:
Oh!  OK, now I get it.  ADP is a security company, right?  We have a number of cases in banking where access to the outside world is controlled to specific, recorded inside IP addressed computers.  There are other security measures in addition of course.

So, if I understand, you are saying that a particular IP address is needed to connect to a particular outside service.  Is that it?

Even so, I have a hard time imagining that the service provider would want you to be using public IP addresses inside for the reasons I gave earlier.  It's interesting that they didn't catch it.  But, with NAT, they may not focus on that much at all.  You just fill in the blank on the forms with whatever address you like - and then the address gets locked in.  

My recommendation would be to change the address range to a private one.  You could start by introducing a new subnet (by adding a simple router to bridge between subnets), put the least critical client on that subnet, and set up an IP change with the service provider.  That step may be a bit of a pain but you will learn a lot and be way better prepared to deal with these issues.  In my own case I *don't* deal with service provider logins but leave that up to the users or their supervisors.  BUT we do overlap on these issues from time to time.
jimmy_the_fishAuthor Commented:
Thanks a lot fmarshall--you helped a lot!
