[37938] in Resnet-Forum


Re: Anyone using NAT in Resnet?

daemon@ATHENA.MIT.EDU (Jeff Kell)
Thu Feb 7 11:29:40 2013

Message-ID:  <5113D637.3070700@utc.edu>
Date:         Thu, 7 Feb 2013 11:28:39 -0500
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Jeff Kell <jeff-kell@utc.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To:  <47FE4CC0B92ADA478ECC286A11E973012FCB73@SUEX10-mbx-03.ad.syr.edu>


On 2/7/2013 11:14 AM, Peter P Morrissey wrote:
>
> Assuming you are logging all the internal IP's and connections, but
> you are using a minimal amount of routable IP's, do you wind up with
> enough information to reliably connect an external IP address provided
> by a DMCA notice to an internal IP address? We are considering moving
> to this model as well, but still trying to understand how this would work.
>

If you can maintain 1-to-1, and use Cisco gear, you just need to monitor
the translation builds and teardowns, e.g.,

Feb  7 00:20:47 kernigan %ASA-6-305009: Built dynamic translation from general-campus:10.x.x.132 to outside:150.182.x.x
Feb  7 00:20:58 kernigan %ASA-6-305010: Teardown dynamic translation from general-campus:10.x.x.53 to outside:150.182.x.x duration 4:05:44
Feb  7 00:21:01 kernigan %ASA-6-305010: Teardown dynamic translation from general-campus:10.x.x.203 to outside:150.182.x.x duration 9:29:51
Feb  7 00:21:04 kernigan %ASA-6-305009: Built dynamic translation from general-campus:10.x.x.196 to outside:150.182.x.x

This can be tied time-wise to correlate an external IP address to an
internal one.

For DMCA verification, you may want to verify the actual connection
between the outside IP and their reported "monitoring" IP address.  You
would need either netflow data from your routers to correlate, or also
log connections on the firewall.  If you do the latter, the
internal/external IPs are both logged on the build, e.g.,

Feb  7 00:00:32 ritchie %ASA-6-302013: Built outbound TCP connection 541518059 for outside:75.126.58.195/80 (75.126.58.195/80) to dorms-inside:10.x.x.201/55473 (150.182.x.x/55473)

Jeff

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
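
The time-wise correlation described in the message above, as an added example that is not part of the original post or the poster's own tooling: it turns 305009/305010 lines into translation intervals and looks up which inside address held an outside address at a given time. The function names, the hostname fw1, the sample addresses and the caller-supplied year (syslog timestamps omit it) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted above (addresses are made up).
SAMPLE = """\
Feb  7 00:20:47 fw1 %ASA-6-305009: Built dynamic translation from general-campus:10.0.5.132 to outside:198.51.100.20
Feb  7 00:20:58 fw1 %ASA-6-305010: Teardown dynamic translation from general-campus:10.0.5.53 to outside:198.51.100.21 duration 4:05:44
Feb  7 03:10:00 fw1 %ASA-6-305010: Teardown dynamic translation from general-campus:10.0.5.132 to outside:198.51.100.20 duration 2:49:13
Feb  7 03:15:30 fw1 %ASA-6-305009: Built dynamic translation from general-campus:10.0.7.9 to outside:198.51.100.20
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %ASA-6-(?P<id>305009|305010): "
    r"(?:Built|Teardown) dynamic translation from \S+?:(?P<inside>[\d.]+) "
    r"to \S+?:(?P<outside>[\d.]+)"
    r"(?: duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d))?")


def intervals(log_text, year):
    """Return [(outside, inside, start, end)]; end is None while still built."""
    still_open, done = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a translation build/teardown record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["outside"], m["inside"])
        if m["id"] == "305009":
            still_open[key] = ts
        else:
            dur = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                            seconds=int(m["s"]))
            # The teardown's duration recovers the start time even when the
            # matching build line is older than the retained logs.
            start = still_open.pop(key, ts - dur)
            done.append((*key, start, ts))
    done += [(*key, start, None) for key, start in still_open.items()]
    return done


def who_had(ivals, outside, when):
    """Inside addresses holding `outside` at `when`; several hits = ambiguous."""
    return sorted({inside for out, inside, start, end in ivals
                   if out == outside and start <= when
                   and (end is None or when <= end)})
```

The timestamp from a notice has to be converted to the firewall's log time zone before calling `who_had`. An empty result means no translation was active at that moment, and more than one result means the logs alone cannot identify a single host.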
