Great Circle Associates Firewalls
(October 1997)

Subject: Re: IP addresses
From: Chris Brenton <cbrenton @ sover . net>
Date: Tue, 21 Oct 1997 21:24:35 -0400
To: Eric Vyncke <evyncke @ cisco . com>
Cc: firewalls @ GreatCircle . COM
References: <3 . 0 . 3 . 32 . 19971021160649 . 006be488 @ brussels . cisco . com>
Reply-to: cbrenton @ sover . net

Eric Vyncke wrote:

> All your internal PCs can use 'illegal' IP addresses (or even
> better the 'private' addresses like 192.168.*.*) internally.
> As people going to the Internet will use the proxy server,
> the source IP address of the IP datagram sent to the Internet
> will always be the one of the proxy server.

While most regulars on this list will know this, I do want to stress the
importance of using real "private" or "reserved" numbers. These ranges
are:

10.0.0.0 - 10.254.254.0
172.16.0.0 - 172.31.254.0
192.168.0.0 - 192.168.254.0

Do not simply grab any random IP range and expect it to work 100% of the
time. For example, I was recently involved with troubleshooting a rather
large network that was having communication problems on some of their
subnets. The organization was using NAT and the original Admin had
mistakenly assumed (presumably) that the entire 192.x.x.x range was
considered private. 

The issue they were having was that some of their subnets were unable
to communicate with the Internet while others were failing on DNS
lookups. The root problem? They had just subnetted a new network using
the address space 192.52.71.0. Some of you may recognize this as the
address space BBN uses for some of their major servers. Since BBN was
their ISP, some segments were being routed out to the Internet instead
of communicating internally because the path was shorter. On other
segments, the users that wanted to reach the BBN systems for DNS queries
were having the opposite problem (being routed to the internal network
192.52.71.0 because it was closer).

I've seen one other organization have this problem. Using NAT, they
were able to communicate with anyone out on the Internet except for
Sun. It turned out that the random network number they chose was the
legal address range that Sun was using.

Cheers,

Chris
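The failure mode Chris describes (a non-RFC 1918 subnet chosen for internal use, and the longest-prefix-match route it creates swallowing traffic meant for the real owner of that space) can be checked mechanically before it bites. The following is an added example written for this archive page, not code from the original post; the addressing plan and route table it uses are constructed, with 192.52.71.0/24 standing in for the mis-chosen subnet from the story.

```python
import ipaddress

# RFC 1918 private blocks, written as prefixes (the post lists them as ranges).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(subnet):
    """Classify an internal subnet as 'private' (entirely inside RFC 1918),
    'straddles' (only partly inside) or 'public' (someone else's registered space)."""
    net = ipaddress.ip_network(subnet, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "private"
    if any(net.overlaps(block) for block in RFC1918):
        return "straddles"
    return "public"


def audit_plan(subnets):
    """Return {subnet: verdict} for every subnet in an addressing plan."""
    return {s: classify(s) for s in subnets}


def next_hop(routes, destination):
    """Longest-prefix-match lookup over (prefix, hop) pairs: the most specific
    matching route wins, which is exactly why the internal 192.52.71.0/24
    captured traffic meant for the ISP's real 192.52.71.x servers."""
    addr = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # Constructed plan: the last subnet repeats the mistake described in the post.
    plan = ["10.1.0.0/16", "192.168.5.0/24", "192.52.71.0/24"]
    for subnet, verdict in audit_plan(plan).items():
        print(f"{subnet:18} {verdict}")

    # Constructed internal route table: a default route toward the ISP plus the
    # mis-chosen LAN subnet. Packets for the ISP's own 192.52.71.x hosts
    # (such as its DNS server) never leave the LAN.
    routes = [("0.0.0.0/0", "isp-uplink"), ("192.52.71.0/24", "internal-lan")]
    print(next_hop(routes, "192.52.71.9"))    # internal-lan
    print(next_hop(routes, "198.51.100.7"))   # isp-uplink
```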
