
I just started working at a small-medium sized business after graduating school. So much of my knowledge is high level concepts without a lot of hands on.

My understanding is that according to RFC 1918 only the following IP ranges are for private IPs:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

How does this concept work with NAT firewalls? Does it not apply to internal IP addresses behind a NAT firewall?

The reason I ask is because our internal network is on 199.5.83.0/24. My first thought when seeing this was that this isn't private IP space. This internal network is behind a NAT firewall with an external IP of 74.4.9.x.

Does this setup make sense? Does it go against best practices? Can someone try and give me a brief explanation to firm up these concepts for me? Any links to relevant reading would also be appreciated.

CT.

5 Answers

NAT firewalls translate your external IP address to your internal IP address. Have a look at the accepted answer on this now famous question about subnetting, which should answer your questions.

Private IPs, in the ranges that you show in your question, are not publicly routable, so they need an external address to make it out onto the internet, hence NAT.

GregD

There is nothing saying that only the private address ranges can be used with NAT. Any address range is fine.

Ignacio Vazquez-Abrams
  • Actually that's wrong. If you're routing, then you're going to have problems. I have had a customer that had selected a range at random; they called, saying they could not access ibm.com for software updates. Guess what? They had selected an internal subnet which was the same as IBM's routable address range. Any machine on that network thought that the machine it was trying to reach was on the LOCAL subnet. Why has this answer been accepted? It's just wrong. – The Unix Janitor Nov 22 '10 at 20:27
    @user37899: Because it's not wrong. Your client was just unlucky in their choice of range to use. – Ignacio Vazquez-Abrams Nov 22 '10 at 20:29
  • So, my point being, if you don't use RFC private ranges, then you could get a collision and loss of connectivity? You're wrong. Unless you mean that I can pour water over my computer; okay, it will stop working, but hey, I can still pour water over it. You're wrong. – The Unix Janitor Nov 22 '10 at 20:31
    @user37899: You being right does not make me wrong, since our arguments are not actually opposed. – Ignacio Vazquez-Abrams Nov 22 '10 at 20:33
  • I think our argument is *very* opposed. Which bit of your answer 'Any address range is fine.' is supposed to be correct? Wow, you're never going to learn anything if you can't admit to making a mistake. I've posted my comment as an answer. :-) No offence. – The Unix Janitor Nov 22 '10 at 20:36
    @user - if both the outside NAT address *and* the internal NAT range have been allocated to you, then they're yours to do whatever you want with. They can be used for NAT or without NAT, depending on your specific need. You're right - if one just picks a netblock willy nilly then yes, the chances of routing issues are there. If the block is assigned to you, though, then there will be no issues. – EEAA Nov 22 '10 at 21:07
  • I made a comment further up the convo to this - He's right. – Mister IT Guru Jan 21 '11 at 10:41

If you're routing, then you're going to have problems. I have had a customer that had selected a range at random; they called, saying they could not access ibm.com for software updates. Guess what? They had selected an internal subnet which was the same as IBM's routable address range. Any machine on that network thought that the machine it was trying to reach was on the LOCAL subnet. Why has this answer been accepted? It's just wrong.

Try setting your local subnet to the IP address of serverfault.com. :-(

If you're using NAT, and you're connected to the internet, use RFC 1918 addresses, because they are not defined so you can use them; they are defined so that the internet can't. ;-)

The Unix Janitor
  • If my internal IP range was the same as IBM's, but my external IP was a unique address in public space, wouldn't IBM see my external IP when visiting them? – CT. Nov 22 '10 at 21:06
  • @CT if that were the case, traffic destined to IBM would not make it out of your network in the first place. – EEAA Nov 22 '10 at 21:10
  • So if my main question was, How does this concept work with NAT firewalls? Does it not apply to internal IP addresses behind a NAT firewall? - The answer would be it does apply to internal addresses behind a NAT firewall? – CT. Nov 22 '10 at 21:34
  • What concept? If you want clear concise answers, you'll need to provide clear concise questions. – EEAA Nov 22 '10 at 21:36
  • The concept of private IP addresses vs public IP addresses. – CT. Nov 22 '10 at 21:43
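The collision The Unix Janitor describes here, and CurtM's "resources that truly own addresses within that public range" below, come down to one routing decision: longest prefix wins, and a directly connected subnet always beats the default route towards the NAT firewall. The following Python model is an added example, not code from the thread; 199.5.83.200 stands for a hypothetical public server that genuinely owns an address inside the asker's internal block, and 203.0.113.10 is a documentation-range placeholder for any other public host.

```python
# Added example (not from the original thread): why an internal subnet that
# overlaps public address space breaks reachability to that public range.
import ipaddress

# The three RFC 1918 blocks listed in the question.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix: str) -> bool:
    """True only if every address in `prefix` lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def next_hop(dest: str, routes) -> str:
    """Longest-prefix match over `routes`, a list of (prefix, next_hop) pairs.
    This is the decision every host and router makes for each packet."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable"


def path_from_lan(internal_prefix: str, dest: str) -> str:
    """Route a packet from a LAN host whose only routes are its directly
    connected subnet and a default route towards the NAT firewall."""
    routes = [
        (internal_prefix, "on-link"),        # ARP locally; never reaches the firewall
        ("0.0.0.0/0", "via NAT firewall"),   # everything else is NATed out
    ]
    return next_hop(dest, routes)


if __name__ == "__main__":
    lan = "199.5.83.0/24"                      # the asker's internal network
    print(is_rfc1918(lan))                     # False: this is public space
    # Hypothetical public server that really owns 199.5.83.200: the longest
    # match is the LAN itself, so the host ARPs and the packet never leaves.
    print(path_from_lan(lan, "199.5.83.200"))  # on-link
    # 203.0.113.10 is a documentation-range stand-in for any other public host.
    print(path_from_lan(lan, "203.0.113.10"))  # via NAT firewall
    # Renumbering into RFC 1918 space removes the overlap entirely.
    print(path_from_lan("10.0.0.0/8", "199.5.83.200"))  # via NAT firewall
```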

Off the top of my head, the only problem you'll face is when you try to access resources that truly own addresses within that public range. Otherwise, it shouldn't be an issue - your router will know how to route to that "private" range and should handle NAT properly.

You might want to put a project together to address that at some point though.

CurtM

Your IP range is public, and should not need NAT translation support. Current practice is to use public addresses only for servers in the DMZ. Many organizations have migrated their internal network onto the private ranges.

The private ranges provide some security from the Internet as they are only reachable with NAT support from the firewall. They do require NAT support to reach the Internet as well.

BillThor
  • Because an IP is public does not mean it does not need NAT; how do servers behind a Hardware Load Balancer work? The private ranges have been specifically reserved, because that IP range will not be repeated somewhere else on the internet. Also, they *would* be reachable if you could route to them via the internet. Log Me In Hamachi is about to fall victim to this issue, as some 5.x.x.x addresses are to be released. Google will back me up! :) – Mister IT Guru Jan 21 '11 at 10:39
  • @Mister IT Guru: Hardware load balancers work by redirecting the connection to another server. Load balancers often proxy the request to other servers. Private addresses are specifically classified as non-routable, allowing duplication. 5.x.x.x were always routable, but may not have been allocated. Using unallocated addresses for private purposes is risky. – BillThor Jan 22 '11 at 05:45