Hi there
Funnily enough, I have just set up a site-to-site VPN with a company which
uses non-RFC1918 addresses that are public but not owned by them.
It works fine; the only thing I have told them to bear in mind is that if they
ever try to hit a website whose address belongs to that range, they won't get
to it: it will be passed through the VPN and encrypted.
Not ideal, but you can work with it.
Cheers
On 29/06/06, Warrington Bruce - bwarri <bruce.warrington AT acxiom DOT com>
wrote:
I've done the same thing for years at a previous company installation.
There's nothing technically wrong with it. WAN or VPN connections back
to the ex-parent company, if necessary, can be accomplished, but you
have to be careful to handle the NAT correctly at each end. (Same thing
as both companies using the same 10.x.x.x range and being careful to NAT
correctly to a routable address so there's no conflict with it on either
end.)
You've said that the address range you're sitting on is not being used
on the internet at all, but I could see a weak argument that it might be
used on the internet at some point in the future, and you would not be
able to connect to those internet addresses because your routing table
thinks that range is inside your network. I can also see a weak
argument that it's possible to leak the other company's address range
out on the internet if there were sloppy firewall coding or sloppy
router ACLs to the internet. As a double check on your firewall
coding, I'd just make sure that you take the current bogon list you have
setup as an ACL on your internet router, and make sure your internal
network range is listed there so it never leaks out even if there's a
mistake in your NAT tables on the firewall. You then have to use a
different address range, like an RFC1918 address, for the subnet between
your firewall and the internet router. (Again, assuming that range is
never used on the internet.)
The only real down side I've seen from doing it before, was that you
will hit some bad guesses, or just plain sloppy coding in the OS or some
web server code that makes incorrect assumptions about RFC1918 ranges
vs. non-RFC1918, for example some OS optimizations that make preferences
for what it considers "local" or "closest" for DNS round robin, web code
that tries to guess intranet vs. internet to display different views,
etc. None were hard to fix, but you'll find a few running that way and
have to do something to optimize them (I did). Weigh that against the
cost or pain of re-addressing, and decide if it's worth it.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Jason
Ebersole
Sent: Thursday, June 29, 2006 07:06
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Public addresses on the inside...
I am using "public" IP addresses internally (not 10net or 192.168net),
but a range of addresses that someone else owns. (They were assigned to
us by a former parent company, and although they are "public", were
never used "publicly".) My Checkpoint firewall NATs anything that needs
to go out to the internet, and "encryption domains" on the VPN gateways
tunnel the traffic that goes to our new parent company as we do hit
services on a few of their systems. (They don't access anything on our
end.) I don't see this as being any different than using 10net or
192.168net addressing.
It has been set up this way and working for years...
Now, the CIO of the new parent company is insisting we change our
internal IP addressing as he is not "comfortable" using someone else's
IP addresses, and has deemed my configuration "unacceptable".
Am I missing something? Does he have a point?
- jason
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================
***************************************************************************
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be legally
privileged.
If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.
If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.
Thank You.
****************************************************************************
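The double-check Bruce describes (is the internal range listed in the egress bogon ACL on the internet router, does the firewall-to-router link sit outside it) and the side effect both repliers mention (internet destinations inside "your" range become unreachable because the routing table or the encryption domain claims them) can be checked mechanically before relying on the NAT rules. The script below is an added example, not code from the thread or from any of the posters; every address in it is constructed, with the RFC 5737 documentation range 203.0.113.0/24 standing in for "a public range someone else owns", and the ACL and link subnet are assumptions, since the real ones are not given in the thread.

```python
import ipaddress
from typing import Dict, List

# All addresses below are constructed for this example, not taken from the thread.
# 203.0.113.0/24 (an RFC 5737 documentation range) stands in for "a public range
# assigned by the former parent company but never routed on the Internet".
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

INTERNAL_PREFIXES = ("203.0.113.0/24",)          # the "public" space used inside
TRANSIT_SUBNET = "192.168.255.0/30"              # assumed firewall <-> internet-router link
# Assumed egress deny ACL on the internet router: the usual RFC1918 bogons plus our
# own internal range, entered as two /25s to show that split entries still count.
EGRESS_DENY_ACL = RFC1918 + ("203.0.113.0/25", "203.0.113.128/25")


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_rfc1918(prefix: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) for p in _nets(RFC1918))


def uncovered_by_acl(internal, acl) -> List[str]:
    """Internal prefixes that could leak un-NATed if the firewall NAT rules are
    wrong: those not wholly inside any (merged) deny entry of the router ACL."""
    merged = list(ipaddress.collapse_addresses(_nets(acl)))
    return [str(p) for p in _nets(internal)
            if not any(p.subnet_of(d) for d in merged)]


def captured_destinations(internal, destinations) -> List[str]:
    """Internet destinations that can never be reached from inside, because the
    routing table (or the VPN encryption domain) treats them as internal."""
    nets = _nets(internal)
    return [d for d in destinations
            if any(ipaddress.ip_address(d) in n for n in nets)]


def transit_overlaps_internal(transit, internal) -> bool:
    """True if the firewall-router link sits inside the internal range; the ACL
    entry for that range would then catch the link itself, so use another block."""
    t = ipaddress.ip_network(transit)
    return any(t.overlaps(n) for n in _nets(internal))


def audit(internal=INTERNAL_PREFIXES, acl=EGRESS_DENY_ACL, transit=TRANSIT_SUBNET,
          probe=("203.0.113.77", "198.51.100.9")) -> Dict[str, object]:
    """Run all checks; 'probe' is a constructed list of Internet destinations."""
    return {
        "rfc1918_internal": [p for p in internal if is_rfc1918(p)],
        "acl_gaps": uncovered_by_acl(internal, acl),
        "unreachable": captured_destinations(internal, probe),
        "transit_conflict": transit_overlaps_internal(transit, internal),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

With the constructed data, the ACL check passes because the two /25 entries collapse to the full /24; running `uncovered_by_acl` against an ACL that only lists the RFC1918 blocks reports 203.0.113.0/24 as a gap, which is the case Bruce's double-check is meant to catch. The `captured_destinations` result shows the trade-off the top reply describes: 203.0.113.77 would be pulled into the tunnel while 198.51.100.9 goes out normally.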