[13521] in North American Network Operators' Group
Re: How to use Cisco's NAT
daemon@ATHENA.MIT.EDU (Allan Chong)
Sun Nov 9 22:14:38 1997
Date: Sun, 09 Nov 1997 19:09:43 -0800
From: Allan Chong <allan@alum.mit.edu>
To: Marcos Della <mdella@cstone.com>
CC: nanog@merit.edu
Marcos Della wrote:
>
> Does anyone know where there are some pointers on using the 11.2 NAT
I've installed it for going on 6 sites now. There are a couple of
quirks on the 1600 (bug) and 2500, but for the most part it
works pretty well. We cut over one site with 250 workstations and
30 remote sites from one internet provider to another in 5 minutes.
I've had zero problems with NAT on the 3600 and 4500 series.
One possible design flaw is that it translates DNS queries (packet
payload), but not zone transfers. This presents a problem if you
have a primary DNS server inside and a secondary outside.
I think this is scheduled to be fixed.
Cisco had a few tips for me on a quirky problem...
1. Use a normal access-list (nonextended) for the NAT list.
2. For small sites, overload a single public address rather than many.
3. Don't put an internal, publicly addressable network as "outside"
if you don't have to.
4. For right now, avoid using any statically mapped addresses for
surfing the net if you can. There is a bug where a statically
mapped address will also grab a pool address for outgoing
connections and then problems will crop up when both are being
used.
I can include some sample configs privately through email if anyone
wants.
allan
--
Allan Chong allan@alum.mit.edu
Dad, what causes wind?
Trees sneezing.
Really?
No, but the truth is more complicated.
--Calvin and Hobbes
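A minimal IOS configuration putting tips 1 and 2 from the post above into practice, added here as an example (it is not one of the author's sample configs). The addresses, interface names and the access-list number are assumed placeholders.

```cisco
! Added example (not from the original post): minimal IOS NAT overload
! config following tips 1 and 2 above. Addresses, interface names and
! the access-list number are assumed placeholders, not values from the post.
!
! Inside (private) LAN interface
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Outside (provider-facing) interface; its single public address is
! shared by every inside host (tip 2: overload one address, no pool)
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Tip 1: a standard (non-extended) access-list selects what gets translated.
! Only the private LAN is permitted, so nothing else is translated.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Translate inside sources matching list 1 to the Serial0 address,
! multiplexing connections on port numbers (PAT)
ip nat inside source list 1 interface Serial0 overload
```

On the router, `show ip nat translations` lists the active translations and `show ip nat statistics` shows the hit counts on list 1, which is a quick way to confirm that only the intended inside hosts are being translated.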