Yes, the multiple internal/private subnets mapping to a single public IP is very common in the education/enterprise arena. It is the basic hub-spoke topology:
where all spokes connect to needed resources at the hub, and only the hub is connected to the Internet. In the case of K-12 education, we need to run a content filter (by Federal rules) on student Internet connectivity. The most efficient way to do that is to locate the filter (along with other servers and resources) at the hub and then route all Internet traffic through the hub. Each spoke (and the hub) is a different internal/private network subnet ... 10.65.x.x, 10.66.x.x, etc. In my case I have 3M from each spoke to the hub, and then 45M from the hub to the Internet.
In the "old" days ... pre 10.8 ... we had (and still have for some of our oler 10.4 computers) a software update server at each spoke, and computers at each spoke were configured (with the Apple software update script) to get their updates from the update server at their spoke ... iApps as well as OS apps. This worked perfectly!
Now that Apple, in their Orwellian attempt to monitor and control iApps, has introduced this "either-or" attitude about using a local update server OR caching server (but not giving you the option to get iApps from the local update server) they have really hurt schools like mine. Without being able to serve all updates locally on each spoke, updating becomes impossible when you are tryiing to udpate a lab full of computers, and the iApp alone is 1.2G for EACH computer ...and now it must come from the Internet since the caching server is 'broken.'
I currently have case open with Apple Enterprise Support, and will now also get my K-12 Apple Support Tech invloved. I will share this info with them. Perhaps there is some solution that I do not know about, or perhaps there will be a solution created by Apple for situations like mine. I can't see being the only one with this problem, I just think that I may be one of the first to notice it due to my limiited bandwith situation.
Thanks for your insight. Your original post got me thinking and enabled me to identify what *I* feel is the problem. I will keep this thread updated.
M:>