Re: NAT by block

briggs_at_encompasserve.org
Date: 10/17/03


Date: 17 Oct 2003 07:37:53 -0600

In article <db20762e.0310170023.1e07ed54@posting.google.com>, nospam@asffmml.freesurf.fr (Floo.M) writes:
> Hello all,
>
> I don't really know where to post this. But some of you may have the answer.
> I must connect to private networks that use the same IP network.
> My company and the other one both use 10.0.0.0/8
> Is there a way to translate by block any address from the first network to the second?
>
> I guess a box that could change any packet with the following rule will be OK:
> src 10.a.b.c, dst 11.x.y.z <--> src 12.a.b.c, dst 13.x.y.z
> Maybe it can be done with encapsulation or tunneling?

Seems to me that you need two layers of NAT. With just the one layer
as above, you wind up with a packet addressed to 13.x.y.z. That's
not going to be delivered on your partner's 10 net.

Your NAT:

src 10.a.b.c, dst 11.x.y.z <--> src 12.a.b.c, dst 11.x.y.z

Route for 11.0.0.0/8 points to partner NAT

Partner NAT:

src 12.a.b.c, dst 11.x.y.z <--> src 12.a.b.c, dst 10.x.y.z

Route for 12.0.0.0/8 points to your NAT

From your internal point of view, you're 10 and he's 11.
In the middle, you're 12 and he's 11.
From his internal point of view, he's 10 and you're 12.

The downside is that you lose access to everything on the real 11 net
and they lose access to everything on the real 12 net. You might
consider papering that over with a proxy server and good "do not proxy
for these domains" rules.

Better move is to bite the bullet and re-IP both networks.

Heed the lesson. If you're going to use the 10 net, for God's sake,
don't use a netmask of 255.0.0.0. You _will_ have a merger. And
they _will_ be just as shortsighted as you are. Been there. Done
that. Twice. It wasn't my fault -- we had three separate
acquisitions, all of them using 10/8. They're all weaned now.

        John Briggs
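The two-layer scheme above is easy to get wrong in the return direction, so here is an added simulation of it (not part of the thread, and not anyone's production NAT configuration). It models each box as a 1:1 block translation ("netmap" style: swap the /8 prefix, keep the host part), runs a request through your NAT and the partner NAT and the reply back through both, and also applies the single-layer rule from the original question to show why the packet ends up addressed to an undeliverable 13.x.y.z. The host addresses 10.1.2.3 and 11.4.5.6, and the Packet/NatRule helpers, are constructed for illustration.

```python
"""Two-layer 1:1 NAT between two sites that both use 10.0.0.0/8.

Added example, not from the original thread.  The Packet/NatRule types, the
hop names and the sample hosts are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

Map = Optional[Tuple[IPv4Network, IPv4Network]]   # (from_net, to_net) or None = untouched


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def __str__(self) -> str:
        return f"src {self.src}, dst {self.dst}"


@dataclass(frozen=True)
class NatRule:
    """One NAT box as written in the post: left side -> right side."""
    src_map: Map
    dst_map: Map


def netmap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """1:1 block translation: replace the prefix, keep the host bits (a.b.c).
    Addresses outside from_net pass through unchanged."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs two equally sized blocks")
    if addr not in from_net:
        return addr
    host_part = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_part)


def _map(addr: IPv4Address, m: Map, forward: bool) -> IPv4Address:
    if m is None:
        return addr
    from_net, to_net = m
    return netmap(addr, from_net, to_net) if forward else netmap(addr, to_net, from_net)


def apply(pkt: Packet, rule: NatRule, left_to_right: bool = True) -> Packet:
    """Rewrite a packet crossing the box.  Left-to-right is the direction the
    rule is written in.  A reply crosses right-to-left: its source was the
    earlier destination, so the dst map runs backwards on src and vice versa."""
    if left_to_right:
        return Packet(_map(pkt.src, rule.src_map, True), _map(pkt.dst, rule.dst_map, True))
    return Packet(_map(pkt.src, rule.dst_map, False), _map(pkt.dst, rule.src_map, False))


N10, N11, N12, N13 = (IPv4Network(f"{n}.0.0.0/8") for n in (10, 11, 12, 13))

YOUR_NAT = NatRule(src_map=(N10, N12), dst_map=None)           # src 10.a.b.c -> 12.a.b.c
PARTNER_NAT = NatRule(src_map=None, dst_map=(N11, N10))        # dst 11.x.y.z -> 10.x.y.z
SINGLE_LAYER = NatRule(src_map=(N10, N12), dst_map=(N11, N13))  # the rule from the question


def round_trip(client: str, server_as_you_see_it: str) -> Dict[str, Packet]:
    """Send from your 10.a.b.c host to the partner host you address as 11.x.y.z
    and carry the reply back.  Returns the packet as seen at each hop."""
    out_you = Packet(IPv4Address(client), IPv4Address(server_as_you_see_it))
    out_middle = apply(out_you, YOUR_NAT)                 # route for 11/8 -> partner NAT
    out_partner = apply(out_middle, PARTNER_NAT)          # now deliverable on their 10 net
    reply_partner = Packet(out_partner.dst, out_partner.src)   # server swaps the pair
    reply_middle = apply(reply_partner, PARTNER_NAT, left_to_right=False)
    reply_you = apply(reply_middle, YOUR_NAT, left_to_right=False)   # route for 12/8 -> your NAT
    return {"you": out_you, "middle": out_middle, "partner": out_partner,
            "reply_middle": reply_middle, "reply_you": reply_you}


def single_layer(client: str, server_as_you_see_it: str) -> Packet:
    """What the partner receives if only the one box from the question exists."""
    return apply(Packet(IPv4Address(client), IPv4Address(server_as_you_see_it)), SINGLE_LAYER)


def deliverable_at_partner(pkt: Packet) -> bool:
    """The partner's LAN is 10/8; anything else has nowhere to go there."""
    return pkt.dst in N10


def shadowed_from(side: str, addr: str) -> bool:
    """The downside from the post: your 11/8 route hides the real 11 net from
    you, and their 12/8 route hides the real 12 net from them."""
    hidden = N11 if side == "you" else N12
    return IPv4Address(addr) in hidden


if __name__ == "__main__":
    for where, pkt in round_trip("10.1.2.3", "11.4.5.6").items():
        print(f"{where:>12}: {pkt}")
    naive = single_layer("10.1.2.3", "11.4.5.6")
    print(f"single layer: {naive}  deliverable at partner: {deliverable_at_partner(naive)}")
```

Running it prints the five views (you / middle / partner / reply_middle / reply_you) with the same host bits preserved at every hop, and shows the single-layer packet arriving with dst 13.4.5.6, which the partner's 10 net cannot deliver. On a Linux box the same behaviour is what the iptables NETMAP target provides; the simulation is only there to make the two directions of each rewrite explicit.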
