Why not to run public IP in the LAN behind NAT?

Poontos

Platinum Member
Mar 9, 2000
At my new job, their existing internal (behind NAT) IP infrastructure (approx. 50 nodes) is in the 131.#.#.# IP block, which is obviously not part of RFC1918 (private non-routable IP blocks), nor is it even owned by the company. The logic behind having this IP configuration is for security, with regards to outside networks trying to get into the LAN.


Setup:

DSL
|
|
V
Gateway device - WAN IP is public.
|
LAN IP block behind NAT is 131.....
|
|
V
Nodes on LAN... 131.#.#.1-254

Is it worth it to convince them to change this to RFC1918 addresses on the LAN? Everything actually works "fine" now, so "it ain't" broke per se.

Nothinman

Elite Member
Sep 14, 2001
I would think you wouldn't be able to get to any of the real 131.x.x.x addresses because everything thinks they're local. Find out who owns them and see if it matters.

cmetz

Platinum Member
Nov 13, 2001
Poontos, if I had a nickel for every company I saw do stupid and nonstandard things with addresses for "security"...

You should get them into a private address space. 131.0.0.0/8 is used for real companies' /16s, and so you WILL have odd reachability problems on the net. Assuming of course that they're only using a /24, that means there's just one company out there somewhere that you can't get to.

This is probably not urgent. If users don't perceive a problem, it's hard to be the guy fixing it. But perhaps there will be some opportune time when you're doing a major change to the network anyway, and you can slip this change in.

mboy

Diamond Member
Jul 29, 2001
Originally posted by: cmetz
Poontos, if I had a nickel for every company I saw do stupid and nonstandard things with addresses for "security"...

You should get them into a private address space. 131.0.0.0/8 is used for real companies' /16s, and so you WILL have odd reachability problems on the net. Assuming of course that they're only using a /24, that means there's just one company out there somewhere that you can't get to.

This is probably not urgent. If users don't perceive a problem, it's hard to be the guy fixing it. But perhaps there will be some opportune time when you're doing a major change to the network anyway, and you can slip this change in.

I have the same prob at my company. Some ASSCLOWN did the same thing and my block is a non-private one owned by someone else. I plan on changing it when I upgrade from NT to 2k3-AD by mid next year.

freegeeks

Diamond Member
May 7, 2001
Not only small firms are doing this.

I work for a telco with 19,000 employees.

We probably have 12,000+ workstations.

Guess what - all workstations are configured with a public range that isn't ours.

Go figure.


gunrunnerjohn

Golden Member
Nov 2, 2002
I don't see how this arrangement offers any additional security, and in point of fact, it may offer less.

p0lar

Senior member
Nov 16, 2002
It's truly their loss. If they actually OWN that network, why not bind it to the outside interface, use the configurability of its presence there, and have a private internal range? *blink*

I've seen a LOT of 192.x.x.x space treated like a Class A network (much of which is owned by Nortel, I believe, because that's what I saw cropping up all over hostnames, lol), but that may be a throwback from the time when people taught that the whole 192.x.x.x was available. You really should keep abreast of current BOGON networks as well.

Nutz

Senior member
Sep 3, 2000
It is possible to have the external and internal IP ranges be part of the same network, if NAT/PAT is disabled and the company owns that particular network being used. FYI, you can do this quite easily with the PIX.

You can run into serious issues if you do this though and do NOT control the network block being used. For example, let's say your internal network is using the 64.1.10.0/24 and you try and go to a website. The DNS resolves the URL as going to IP address 64.1.10.10. If this were ever to happen, your machine will try to ARP the address out on the local segment. If there was a machine on the LAN at .10 and it's not providing port 80 service, you're not going to get anything but an error. If the machine is running web services, then guess what? You're not going to be seeing the web page you were expecting.
As you can see, this can seriously disrupt the function of your internal hosts, regardless of what services they're trying to access on the outside.
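The forwarding decision Nutz and cmetz describe, as an added example that is not part of the thread: a host ARPs for any destination inside its own prefix and only hands the rest to the default gateway, so a LAN numbered from someone else's public block silently shadows that block. The DNS answers used as input are constructed sample data, not real resolutions.

```python
import ipaddress

# RFC 1918 blocks a NAT'd LAN should be numbered from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what DNS might hand back for a few names.
SAMPLE_DNS = {
    "shop.example": "64.1.10.10",     # inside the mis-numbered LAN
    "mail.example": "64.1.10.25",     # inside the mis-numbered LAN
    "news.example": "198.51.100.7",   # ordinary outside address
}


def is_rfc1918(lan):
    """True if the whole LAN prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(lan, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def next_hop(lan, dst):
    """How a host on `lan` forwards to `dst`: it ARPs on the local segment
    for anything inside its own prefix and sends everything else to the
    default gateway."""
    net = ipaddress.ip_network(lan, strict=False)
    return "local-arp" if ipaddress.ip_address(dst) in net else "gateway"


def shadowed(lan, resolved):
    """Names whose resolved address a LAN host can never reach, because the
    packet is ARPed locally instead of being routed out through NAT."""
    return sorted(name for name, ip in resolved.items()
                  if next_hop(lan, ip) == "local-arp")


def audit(lan, resolved):
    """Summarise the risk of a LAN prefix: is it private, how many outside
    hosts it hides, and which of the given names are currently affected."""
    net = ipaddress.ip_network(lan, strict=False)
    private = is_rfc1918(str(net))
    return {
        "lan": str(net),
        "rfc1918": private,
        # A non-private /24 hides 254 usable addresses of someone else's block.
        "hosts_shadowed": 0 if private else net.num_addresses - 2,
        "unreachable": shadowed(str(net), resolved),
    }


if __name__ == "__main__":
    for lan in ("64.1.10.0/24", "131.10.20.0/24", "192.168.10.0/24"):
        print(audit(lan, SAMPLE_DNS))
```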

skyking

Lifer
Nov 21, 2001
Originally posted by: Nutz
It is possible to have the external and internal IP ranges be part of the same network, if NAT/PAT is disabled and the company owns that particular network being used. FYI, you can do this quite easily with the PIX.

You can run into serious issues if you do this though and do NOT control the network block being used. For example, let's say your internal network is using the 64.1.10.0/24 and you try and go to a website. The DNS resolves the URL as going to IP address 64.1.10.10. If this were ever to happen, your machine will try to ARP the address out on the local segment. If there was a machine on the LAN at .10 and it's not providing port 80 service, you're not going to get anything but an error. If the machine is running web services, then guess what? You're not going to be seeing the web page you were expecting.
As you can see, this can seriously disrupt the function of your internal hosts, regardless of what services they're trying to access on the outside.

Hammer, meet nail!

That was the first thing I thought of when I read the OP.
I can hear the calls now..... "it works from everywhere but here"