02-22-2011 06:32 AM - edited 03-04-2019 11:31 AM
Hi,
One company (Company A) buys another (Company B) and discovers they use public addresses privately behind an ASA5510.
Then, Company A, who also has an ASA 5510, sets up a new WAN circuit from Company A's internal network to Company B's premises with the goal of establishing LAN-to-LAN connectivity. At each end of this new WAN circuit is a 1900 router.
At Company B's premises, there is a spare port open on the ASA5510 to bring in the new service from Company A.
Company A uses private addresses internally. Here's the problem: when a device on Company A's LAN tries to send packets to a device on Company B's LAN, those packets are going to head out Company A's ASA outside interface.
I'm sure there's more than one solution. What's the best way to handle this?
Thanks in advance.
02-22-2011 01:10 PM
Hi
The quite obvious answer would be to route.
If Company B uses their own addresses, then it's normally not a big problem.
The problem arises if Company B, who uses public IP addresses, uses another company's IP addresses.
If they do, then there are some small choices to be made.
1) Is this a problem? I.e., the IP addresses that are "stolen", are they any that the company will care if they are used or not? Is it something that will become a problem that no one can communicate with them?
(Obviously Company B has already answered that question with "no, we do not care".)
If the answer is no, that is of no concern, then just route!
2) If it is a problem, you can use NAT on Company A to hide the new addresses behind RFC 1918 addresses that hide the addresses in Company B.
Both the 1900 and the 5510 will be able to do that.
Most likely this is a temporary problem, since Company A will most likely enforce RFC 1918 addresses on Company B.
Good luck
HTH
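Option 2 in the answer above, worked as an added example that is not part of the original thread: a planner that maps each non-RFC 1918 subnet at Company B to a same-sized RFC 1918 block that collides with nothing already in use at either site. The function names and all prefixes are constructed for illustration; documentation ranges stand in for Company B's network, which the thread does not give.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True if the prefix lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(str(net))
    return any(net.subnet_of(block) for block in RFC1918)

def plan_static_nat(a_nets, b_nets, pool):
    """Return {real Company B prefix: RFC 1918 prefix Company A will see}.

    Only Company B prefixes outside RFC 1918 are translated. Each gets the
    first same-sized block in `pool` that overlaps nothing already in use.
    """
    pool = ipaddress.ip_network(pool)
    if not is_rfc1918(pool):
        raise ValueError(f"NAT pool {pool} is not RFC 1918 space")
    a = [ipaddress.ip_network(n) for n in a_nets]
    b = [ipaddress.ip_network(n) for n in b_nets]
    in_use = a + [n for n in b if is_rfc1918(n)]
    plan = {}
    for real in b:
        if is_rfc1918(real):
            continue  # already private, routable as-is over the new WAN link
        if real.prefixlen < pool.prefixlen:
            raise ValueError(f"pool {pool} is smaller than {real}")
        for cand in pool.subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(used) for used in in_use):
                plan[str(real)] = str(cand)
                in_use.append(cand)  # reserve it for later iterations
                break
        else:
            raise ValueError(f"no free block in {pool} for {real}")
    return plan

# Constructed sample data (not from the thread).
COMPANY_A = ["10.0.0.0/16", "10.1.0.0/24"]
COMPANY_B = ["198.51.100.0/24", "203.0.113.0/25", "192.168.10.0/24"]
NAT_POOL = "10.1.0.0/22"

if __name__ == "__main__":
    for real, mapped in plan_static_nat(COMPANY_A, COMPANY_B, NAT_POOL).items():
        print(f"{real} -> {mapped}")
```

The output is only the address plan; the one-to-one network translations themselves still have to be configured on the 1900 or the 5510.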
02-22-2011 08:26 PM
Thanks for your post!
My guess is they picked their addresses at random, but I didn't take the time to look up that network until you mentioned it.
Guess who it belongs to: worst possible case, U.S. DoD.
Guess it's time to re-address Company B.
02-23-2011 03:25 AM
;-)
Well, it's not a problem until something breaks down and you start routing the addresses to the real owners; then you might find yourself in the less than favorable situation that in the midst of a crisis someone comes into the room addressing you: SIR! I THINK WE NEED TO TALK, SIR! NOW, SIR!
And you sit down for a couple of hours trying to explain that no, no, no, you have not tried hacking into their FTP server that just by chance happens to have the same IP address as Company B's FTP server.
It is a very good idea to not use other companies'/organisations' IP addresses, if nothing else just because of the traffic sent in case of an error.
Good luck
HTH
02-23-2011 07:16 AM
Thanks. I'm just consulting on this one and can take no responsibility for the choice made by these companies. I have warned them about it thanks to your post, after I decided to check those addresses' registered owner.