04-27-2023 11:15 AM
Hey there,
I'm theorycrafting about a network problem and I'm struggling with the following situation.
Company A uses the 10.0.0.0/8 network for internal traffic.
Company B also uses the 10.0.0.0/8 network for internal traffic.
I need to connect these two company networks via VPN. The problem is that both companies could be using the same IP address in their own network, e.g.:
10.1.1.1 = ServerA in company A
10.1.1.1 = ServerB in company B
So how can a Client from A contact ServerB in company B?
Normally I would just use regular NAT to connect these two networks and build a transfer net, but which private IP address space can I use to interconnect a /8 network, without potential connectivity problems for the rest of the internet traffic?
04-27-2023 11:18 AM
04-27-2023 02:41 PM
The solution is double NAT but still each "side" cannot have addressing conflicts. For example, if each side actually used the bottom half of 10.0.0.0/8 you could NAT so that each side would see the other side using the top half of 10.0.0.0/8.
04-02-2024 07:22 AM
As @alvimutmex refreshed this question, on rereading my prior reply, it wasn't totally clear and is not guaranteed to work in all situations.
Two-way NAT is a key component, but it assumes there's sufficient free IP space, either statically and/or dynamically, to handle address needs.
For example, in my prior reply I'm assuming both /8s only need a /9 of address space. Or more importantly, the aggregate usage of the two /8s doesn't actually need a full /8. If it does, possibly the other two private address blocks could provide enough additional address space. If not, @Lisytiro is correct you could have a problem if you start to use public address space.
Two things to keep in mind, likely much of each 10/8 can work with PAT. I.e. good chance you could map both 10/8s into a single 10/8, but it could require a lot of work.
Second, you could consider using IPv6, either natively on all the hosts or perhaps with IPv4<>IPv6 NAT. (Even at the date of OP, IPv6 would likely be the best long term solution.)
04-02-2024 08:08 AM
Hello @Lisytiro ,
>> but which private ip address space can I use to interconnect a /8 network, without potential connectivity problems for the rest of the internet traffic?
You can use two /16s from another RFC 1918 block, like:
172.16.0.0/16
172.17.0.0/16
Of course, you need to use NAT overload on the NAT pool(s), and you can use static NATs where needed.
Hope to help
Giuseppe
04-02-2024 10:12 AM - edited 04-02-2024 10:14 AM
As @Giuseppe Larosa mentions using two address blocks, 172.16.0.0/16 and 172.17.0.0/16, I wanted to clarify, what I had in mind by ". . . possibly the other two private address blocks could provide enough additional address space."
They would be:
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Still, that's not going to cover the whole 10.x.x.x/8. So, as I and Giuseppe too noted, you might be able to do this using dynamic NAT (pools and/or PAT) and static NAT where necessary. Still, lots of work, and worst case, you might still run short.
Again, the only approach I believe would guarantee success is using IPv6, while avoiding possible address space conflicts.
Lastly, if you were just needing to do this temporarily, you might also consider using:
198.18.0.0/15 and/or 240.0.0.0/4. Both have intended uses, but unlikely, I suspect, you'll bump into usage conflicts, using them strictly privately. The /4 though, covers both /8s with ease.
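The address planning discussed in this thread, as an added example that is not part of any poster's reply: it assigns each in-use 10.x subnet on either side a same-size alias block from the other two RFC 1918 ranges for static 1:1 NAT, and fails loudly when the alias space runs short. It goes beyond the two /16s suggested above by handling any subnet sizes; the function names and the subnet inventory are hypothetical, and PAT/overload pools are not modeled.

```python
import ipaddress as ipa

# RFC 1918 blocks other than 10/8, as listed in the thread.
POOLS = [ipa.ip_network("172.16.0.0/12"), ipa.ip_network("192.168.0.0/16")]

def plan_static_nat(used, pools=POOLS):
    """Assign each in-use 10.x subnet (both sites) a same-size alias block.

    `used` is a list of (site, cidr) pairs. Returns {(site, real): alias}.
    Raises ValueError when the pools run out, the 'run short' case.
    """
    free = list(pools)
    plan = {}
    # Largest subnets first so big blocks are not fragmented by small ones.
    for site, cidr in sorted(used, key=lambda u: ipa.ip_network(u[1]).prefixlen):
        real = ipa.ip_network(cidr)
        # Best fit: the smallest free block that is still large enough.
        fits = [f for f in free if f.prefixlen <= real.prefixlen]
        if not fits:
            raise ValueError(f"no alias space left for {site} {real}")
        block = max(fits, key=lambda f: f.prefixlen)
        free.remove(block)
        alias = next(block.subnets(new_prefix=real.prefixlen))
        # Return the unused remainder of the block to the free list.
        free.extend(block.address_exclude(alias))
        plan[(site, real)] = alias
    return plan

def translate(addr, real, alias):
    """1:1 prefix NAT: keep the host bits, swap the network bits."""
    offset = int(ipa.ip_address(addr)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{addr} is not inside {real}")
    return str(alias.network_address + offset)

# Constructed inventory: both sites use 10.1.1.0/24, as in the question.
USED = [("A", "10.1.1.0/24"), ("B", "10.1.1.0/24"), ("B", "10.64.0.0/16")]

if __name__ == "__main__":
    plan = plan_static_nat(USED)
    for (site, real), alias in plan.items():
        print(f"site {site}: {real} is presented to the peer as {alias}")
    b = ipa.ip_network("10.1.1.0/24")
    print("ServerB 10.1.1.1 is reached at", translate("10.1.1.1", b, plan[("B", b)]))
```

Feeding it a full 10.0.0.0/8 for either site raises the error, which is the case where the thread falls back to PAT, the temporary 198.18.0.0/15 or 240.0.0.0/4 ranges, or IPv6.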