Dispatches from the IT tech world

malicious_bloke

Jul 28, 2013
[Note: I am not an IT tech, I just have a degree in networking and I work for a company that fairly recently got rid of their IT manager due to incompetence and twattery]

So I was talking to one of our tech guys. Basically I wanted an online banking site unblocking by the 3rd party that handles our upstream filtering. After a lunch break well spent with a pen and a bit of paper I deduced the following:

We have an ASA into which our fibre connection runs, this belongs to the other company and they have exclusive control over the firewall rules. This box is also set up to handle NAT for IPs within the network, and we have a range of addresses to assign in the 10.2.x.x range.

However, the previous IT manager took it upon himself to put in a proxy server between the ASA and the rest of the network, and have one of his own core switches handle NAT, handing out IPs in the 172.16.x.x range. The result of this is that out of several hundred IPs in the 10.2 range, there are 7 in use and all of these are the outside NIC of the proxy server. The inside NIC of the proxy server is in the 172.16 range and so NAT transition between the two is pretty much o_O due to the COMPLETELY DIFFERENT BLOODY SUBNET THE TWO INTERFACES ARE ON.

Naturally this makes it incredibly difficult to unblock traffic on port x between a device with an IP in a range the filtering company will recognise and the outside world.

More and more I'm getting the impression the previous manager was a shaved monkey with a chronic coconut-induced head trauma...