[37941] in Resnet-Forum
Re: Anyone using NAT in Resnet?
daemon@ATHENA.MIT.EDU (Peter P Morrissey)
Fri Feb 8 08:29:29 2013
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_47FE4CC0B92ADA478ECC286A11E973012FDCBASUEX10mbx03adsyre_"
MIME-Version: 1.0
Message-ID: <47FE4CC0B92ADA478ECC286A11E973012FDCBA@SUEX10-mbx-03.ad.syr.edu>
Date: Fri, 8 Feb 2013 13:27:45 +0000
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Peter P Morrissey <ppmorris@syr.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <7F8CAE21F9C1C94A90F11320EF3974CE55F263B6@LUEMSMAIL01.University.liberty.edu>
--_000_47FE4CC0B92ADA478ECC286A11E973012FDCBASUEX10mbx03adsyre_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
"... we can, many times, trace this back to a particular user..."
Thanks Bruce. That confirmed my concern. We are used to being able to do th=
is every time, not many times.
Pete
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Osborne, =
Bruce W
Sent: Friday, February 08, 2013 8:10 AM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Anyone using NAT in Resnet?
Here at Liberty University we can, many times, trace this back to a particu=
lar user.
We have Procera PacketLogic devices inside and outside our edge firewalls. =
The outside devices are for bandwidth shaping & QoS. The inside devices ar=
e used for bandwidth management. They receive data from our Aruba ClearPass=
RADIUS servers that map a user name to an IP address. For non-802.1x devic=
es like game consoles, the device has been registered, so the PacketLogic b=
oxes have that user name.
This system allows us to warn heavy users and restrict their Internet bandw=
idth speed if they use too much. The user name to inside IP address mapping=
allows us to trace this back to an individual user, in most cases.
In the future , we hope to allow heavy users to be able to purchase additio=
nal bandwidth to help fund our ever expanding Internet connections.
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Jeff Kell [mailto:jeff-kell@utc.edu]
Sent: Thursday, February 7, 2013 11:29 AM
Subject: Re: Anyone using NAT in Resnet?
On 2/7/2013 11:14 AM, Peter P Morrissey wrote:
Assuming you are logging all the internal IP's and connections, but you are=
using a minimal amount of routable IP's, do you wind up with enough inform=
ation to reliably connect an external IP address provided by a DMCA notice =
to an internal IP address? We are considering moving to this model as well,=
but still trying to understand how this would work.
If you can maintain 1-to-1, and use Cisco gear, you just need to monitor th=
e translation builds and teardowns, e.g.,
Feb 7 00:20:47 kernigan %ASA-6-305009: Built dynamic translation from gene=
ral-campus:10.x.x.132 to outside:150.182.x.x
Feb 7 00:20:58 kernigan %ASA-6-305010: Teardown dynamic translation from g=
eneral-campus:10.x.x.53 to outside:150.182.x.x duration 4:05:44
Feb 7 00:21:01 kernigan %ASA-6-305010: Teardown dynamic translation from g=
eneral-campus:10.x.x.203 to outside:150.182.x.x duration 9:29:51
Feb 7 00:21:04 kernigan %ASA-6-305009: Built dynamic translation from gene=
ral-campus:10.x.x.196 to outside:150.182.x.x
This can be tied time-wise to correlate an external IP address to an intern=
al one.
For DMCA verification, you may want to verify the actual connection between=
the outside IP and their reported "monitoring" IP address. You would need=
either netflow data from your routers to correlate, or also log connection=
s on the firewall. If you do the latter, the internal/external IPs are bot=
h logged on the build, e.g.,
Feb 7 00:00:32 ritchie %ASA-6-302013: Built outbound TCP connection 541518=
059 for outside:75.126.58.195/80 (75.126.58.195/80) to dorms-inside:10.x.x.=
201/55473 (150.182.x.x/55473)
Jeff
___________________________________________________ You are subscribed to t=
he ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.=
EDU/archives/resnet-l.html ________________________________________________=
___
___________________________________________________ You are subscribed to t=
he ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.=
EDU/archives/resnet-l.html ________________________________________________=
___
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--_000_47FE4CC0B92ADA478ECC286A11E973012FDCBASUEX10mbx03adsyre_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Times-Roman;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=3D"white" lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">“…</span><spa=
n style=3D"font-size:11.0pt;font-family:"Calibri","sans-seri=
f";color:#1F497D"> we can, many times, trace this back to a particular=
user…”<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Thanks Bruce. That confir=
med my concern. We are used to being able to do this every time, not many t=
imes.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Pete</span><span style=3D=
"font-size:11.0pt;font-family:"Calibri","sans-serif";co=
lor:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:"=
;Tahoma","sans-serif";color:windowtext">From:</span></b><spa=
n style=3D"font-size:10.0pt;font-family:"Tahoma","sans-serif=
";color:windowtext"> Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU]
<b>On Behalf Of </b>Osborne, Bruce W<br>
<b>Sent:</b> Friday, February 08, 2013 8:10 AM<br>
<b>To:</b> RESNET-L@LISTSERV.ND.EDU<br>
<b>Subject:</b> Re: Anyone using NAT in Resnet?<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Here at Liberty Universit=
y we can, many times, trace this back to a particular user.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">We have Procera PacketLog=
ic devices inside and outside our edge firewalls. The outside devices are f=
or bandwidth shaping & QoS. The inside devices are used
for bandwidth management. They receive data from our Aruba ClearPass RADIU=
S servers that map a user name to an IP address. For non-802.1x devices lik=
e game consoles, the device has been registered, so the PacketLogic boxes h=
ave that user name.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">This system allows us to =
warn heavy users and restrict their Internet bandwidth speed if they use to=
o much. The user name to inside IP address mapping allows
us to trace this back to an individual user, in most cases.<o:p></o:p></sp=
an></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">In the future , we hope t=
o allow heavy users to be able to purchase additional bandwidth to help fun=
d our ever expanding Internet connections.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<div>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#001B3E"><o:p> </o:p></span></b></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#001B3E">Bruce Osborne</span></b><span style=3D"font-size:=
10.0pt;font-family:"Verdana","sans-serif";color:#001B3E=
"><o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><i><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#001B3E">Network Engineer</span></i><span style=3D"font-si=
ze:11.0pt;font-family:"Cambria","serif";color:#1F497D">=
<o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#001B3E">IT Network Services</span></b><span style=3D"font=
-size:11.0pt;font-family:"Cambria","serif";color:#1F497=
D"><o:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><spa=
n style=3D"font-size:11.0pt;font-family:"Calibri","sans-seri=
f";color:#001B3E"> </span><span style=3D"font-size:11.0pt;font-fa=
mily:"Cambria","serif";color:#1F497D"><o:p></o:p></span=
></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#001B3E">(434) 592-4229</span></b><span style=3D"font-size=
:11.0pt;font-family:"Cambria","serif";color:#1F497D"><o=
:p></o:p></span></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><spa=
n style=3D"font-size:11.0pt;font-family:"Calibri","sans-seri=
f";color:#001B3E"> </span><span style=3D"font-size:11.0pt;font-fa=
mily:"Cambria","serif";color:#1F497D"><o:p></o:p></span=
></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><b><=
span style=3D"font-size:11.0pt;font-family:"Calibri","sans-s=
erif";color:#AA0000">LIBERTY UNIVERSITY</span></b><b><span style=3D"fo=
nt-size:11.0pt;font-family:"Verdana","sans-serif";color=
:#AA0000"><o:p></o:p></span></b></p>
<p class=3D"MsoNormal" style=3D"margin-right:.5in;text-autospace:none"><i><=
span style=3D"font-size:11.0pt;font-family:Times-Roman;color:#AA0000">Train=
ing Champions for Christ since 1971<o:p></o:p></span></i></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D"><o:p> </o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:"=
;Calibri","sans-serif";color:windowtext">From:</span></b><sp=
an style=3D"font-size:11.0pt;font-family:"Calibri","sans-ser=
if";color:windowtext"> Jeff Kell [<a href=3D"mailto:jeff-kell@utc.edu"=
>mailto:jeff-kell@utc.edu</a>]
<br>
<b>Sent:</b> Thursday, February 7, 2013 11:29 AM<br>
<b>Subject:</b> Re: Anyone using NAT in Resnet?<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<div>
<p class=3D"MsoNormal">On 2/7/2013 11:14 AM, Peter P Morrissey wrote:<o:p><=
/o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:"Ca=
libri","sans-serif";color:#1F497D">Assuming you are logging =
all the internal IP’s and connections, but you are using a minimal am=
ount of routable IP’s, do you wind up with enough information
to reliably connect an external IP address provided by a DMCA notice to an=
internal IP address? We are considering moving to this model as well, but =
still trying to understand how this would work.</span><o:p></o:p></p>
</blockquote>
<p class=3D"MsoNormal"><br>
If you can maintain 1-to-1, and use Cisco gear, you just need to monitor th=
e translation builds and teardowns, e.g.,
<br>
<br>
Feb 7 00:20:47 kernigan %ASA-6-305009: Built dynamic translation from=
general-campus:10.x.x.132 to outside:150.182.x.x<br>
Feb 7 00:20:58 kernigan %ASA-6-305010: Teardown dynamic translation f=
rom general-campus:10.x.x.53 to outside:150.182.x.x duration 4:05:44<br>
Feb 7 00:21:01 kernigan %ASA-6-305010: Teardown dynamic translation f=
rom general-campus:10.x.x.203 to outside:150.182.x.x duration 9:29:51<br>
Feb 7 00:21:04 kernigan %ASA-6-305009: Built dynamic translation from=
general-campus:10.x.x.196 to outside:150.182.x.x<br>
<br>
This can be tied time-wise to correlate an external IP address to an intern=
al one.<br>
<br>
For DMCA verification, you may want to verify the actual connection between=
the outside IP and their reported "monitoring" IP address. =
You would need either netflow data from your routers to correlate, or also=
log connections on the firewall. If you do the
latter, the internal/external IPs are both logged on the build, e.g.,<br>
<br>
Feb 7 00:00:32 ritchie %ASA-6-302013: Built outbound TCP connection 5=
41518059 for outside:75.126.58.195/80 (75.126.58.195/80) to dorms-inside:10=
.x.x.201/55473 (150.182.x.x/55473)<br>
<br>
Jeff<o:p></o:p></p>
<p class=3D"MsoNormal"><span style=3D"color:windowtext">___________________=
________________________________ You are subscribed to the ResNet-L mailing=
list.
<o:p></o:p></span></p>
<p><span style=3D"color:windowtext">To subscribe, unsubscribe or search the=
archives, go to
<a href=3D"http://LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_blank"=
>http://LISTSERV.ND.EDU/archives/resnet-l.html</a> ________________________=
___________________________
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:windowtext">___________________=
________________________________ You are subscribed to the ResNet-L mailing=
list.
<o:p></o:p></span></p>
<p>To subscribe, unsubscribe or search the archives, go to <a href=3D"http:=
//LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_blank">
http://LISTSERV.ND.EDU/archives/resnet-l.html</a> _________________________=
__________________________
<o:p></o:p></p>
</div>
</body>
</html>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to <a href=3D"http://LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_blank">http://LISTSERV.ND.EDU/archives/resnet-l.html</a>
___________________________________________________
--_000_47FE4CC0B92ADA478ECC286A11E973012FDCBASUEX10mbx03adsyre_--
