[37933] in Resnet-Forum
Re: Anyone using NAT in Resnet?
daemon@ATHENA.MIT.EDU (Jeff Kell)
Wed Feb 6 20:08:03 2013
Message-ID: <5112FE3D.5060505@utc.edu>
Date: Wed, 6 Feb 2013 20:07:09 -0500
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Jeff Kell <jeff-kell@utc.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <6173B75A657B934D9685667806E6C818247A5252@exmbx13.ex.ad3.ucdavis.edu>
On 2/6/2013 7:05 PM, Todd Chapman wrote:
> Hello,
>
> We are running into IP space limitations here and are considering
> using NAT for the student housing network. We have a Procera PL8820
> handling the bandwidth enforcement duties. My question is, has anyone
> out there done this with a similar setup, and if so are there any
> 'gotcha' issues to be aware of?
We NAT our entire campus :) Default deny inbound. If you want to run a
public-facing service, you apply for a static NAT and specify which
ports/protocols are to be exposed. Everything else is thrown into
1-to-1 dynamic NAT pools with somewhat conservative idle timeouts that
result in a teardown of the translation and return to the pool.
Public-facing services are reduced to a few /24s, everything else is
blocked.

You must be prepared with a "healthy" logging facility to track your
internal-to-external mappings, but if you have the space to maintain
1-to-1 dynamic mappings, you need only track the setups and teardowns of
the translations. If you do overload NAT / PAT then you must log each
connection (which gets huge and difficult to track).

Depending on your device... you may be able to compromise. We have a
large 1-to-1 NAT pool and a much smaller overload pool in the event we
run out of IPs.

You likely want NAT performed as close to your border as possible, so
that any intermediate logging/inspection (netflow, IDS/IPS, firewall,
etc.) will be referencing internal IPs as opposed to the externals you
will have to track back down to get the true source.

Really depends on your NAT policy and device capabilities; it is a
potential choke point (DoS or DDoS). If you permit P2P traffic, it will
tax your NAT resources further (single clients can generate thousands of
connections) but that is essentially true of any stateful firewall, NAT
or not.

Good luck :) If you have any more specific questions, feel free to
contact me offline.

Jeff
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
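Jeff's point that 1-to-1 dynamic NAT only needs setup/teardown records can be made concrete with a small attribution tool. The example below is added here and is not code from the list or from either poster; the log line format, the `SAMPLE_LOG` entries and the addresses are constructed, not any vendor's format. It maps an abuse report (external IP plus timestamp) back to the internal host that held that translation, and flags the ambiguous case where the report time falls within a tolerance window of a teardown/setup boundary. Under overload NAT/PAT the same lookup would additionally need the source port and a per-connection record, which this block deliberately does not model.

```python
from datetime import datetime, timedelta

# Constructed sample translation log (format is an assumption):
# <ISO timestamp> <SETUP|TEARDOWN> inside=<private ip> outside=<public ip>
SAMPLE_LOG = """\
2013-02-06T19:00:00 SETUP inside=10.20.30.40 outside=203.0.113.10
2013-02-06T19:00:05 SETUP inside=10.20.30.41 outside=203.0.113.11
2013-02-06T19:20:00 TEARDOWN inside=10.20.30.40 outside=203.0.113.10
2013-02-06T19:21:00 SETUP inside=10.20.30.77 outside=203.0.113.10
2013-02-06T19:50:00 TEARDOWN inside=10.20.30.77 outside=203.0.113.10
"""


def parse_translation_log(text):
    """Turn setup/teardown lines into (start, end, inside, outside) intervals.

    A translation that has been set up but not torn down yet (the pool
    address is still assigned) is returned with end=None.
    """
    open_by_outside = {}   # outside ip -> (setup time, inside ip)
    intervals = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, event, inside_kv, outside_kv = line.split()
        ts = datetime.fromisoformat(ts_s)
        inside = inside_kv.split("=", 1)[1]
        outside = outside_kv.split("=", 1)[1]
        if event == "SETUP":
            open_by_outside[outside] = (ts, inside)
        elif event == "TEARDOWN":
            start, ins = open_by_outside.pop(outside)
            intervals.append((start, ts, ins, outside))
    for outside, (start, inside) in open_by_outside.items():
        intervals.append((start, None, inside, outside))
    return intervals


def attribute(intervals, outside_ip, when, tolerance=timedelta(0)):
    """Internal IPs that held outside_ip at `when`, widened by `tolerance`
    to absorb clock skew between the reporter and the NAT device.

    Empty list: the address was unassigned (back in the pool) at that time.
    More than one entry: the report falls too close to a reassignment to
    attribute safely, so ask the reporter for a tighter timestamp.
    """
    hits = []
    for start, end, inside, outside in intervals:
        if outside != outside_ip:
            continue
        if start <= when + tolerance and (end is None or when - tolerance < end):
            hits.append(inside)
    return hits
```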