Hi all, we are currently migrating to a new ISP, and we're wondering if can we use our old IP block as the internal NAT address with ATT's new IP block. We're planning on using MIP on a netscreen 25 f/w. It will be like this
server/clients (208.36.7.x) > ATT ip (12.54.120.x)>internet, that way the internal network is not changed, the DHCP servers will continue to provide addresses to clients, there's also DNS, email and web servers in the old IP block. Can anyone shed any light on this, what would be our best scenario, thanks in advanced.
To be honest in my opionion trying to do what you want will make more work that just migrating away from the old IP addressing.
Why do you not just use an internal ip address range from RFC1918 - and NAT on your firewall, that way it makes not difference if you change providers for internal services.
Your DNS/Email pointer records will need to be changed to the new internet IP addresses - there is no way around that.
Glad to hear you got the address translation problems worked out.
Yes you can do what you mention above but you will need to set up static nat translations (either 1 to 1 or forward any traffic on a given port to a specific internal address) for any servers that need to be accessed from the internet. And your dns entries need to be changed on your external facing dns server - especially important will be your mx record and any web server addresses.
It really wouldn't matter if you were using rfc 1918 addresses or the ones you are using now. Nat needs to be set up so that internal users are all natted to a single or group of addresses on there way out and your servers/services that are internet accessible are translated on the way in.
Hi Greg, we actually tried to convert over last weekend, the old IP block wouldn't work on the FW, it only took private IP's (192.168.1.x)
Hmm sounds like a "feature" of the juniper device.
It's better that way in the end because if an internal user or server every needed to go to one of the real ip addresses you were using they would be unable to do so. Unlikely but possible scenario.
Thanks for the reply guys, so we need to use private addressing internally, and use public ip for servers. Can anyone give us a diagram or guide that we can use as a cheet sheet, thanks.
At the end of the day - this is why rfc1918 addresses were reserved for internal use, the the use of externally routable IP's were not used for private networks.
At the end of the day you have to manage the network, and using private addressing for internal machines/servers is best practise.
Personally - yes I would migrate to an internal IP subnet scheme.
The best way you can do this is by actually setting up the spare firewall and to do it in a "simulated" environment first.
First draw it up on a board, every computer that has a connection through the units and all of the clouds.
Check that you do not have locked ip's ie they are locked into the software somewhere fx for licensing or hardcoded into some software.
Take your spare (if you do not have a spare firewall then this is the time to get one) and configure it as it should be.
Test the config with a couple of portable computers so that all the tunnels through the firewall is correct and all the nat, static and routing is correct.
Then write a idiotproof scheme to the server operators stating what ip the server has today and what ip they should change it into.
Then you do a point by point scheme over everything that should be done in order to do the switchover, here you put fx change the dns addressing scheme and such.
This is also a nice opportunity to set power cabeling and such things correct if they are not.