[37945] in Resnet-Forum
Re: Anyone using NAT in Resnet?
daemon@ATHENA.MIT.EDU (Hall, Rand)
Mon Feb 11 13:52:56 2013
Message-ID: <CANajV=PsC5Fu3m+bc-MwnJXmK-GvrVEt21vnVWLeKxzZKyfd6w@mail.gmail.com>
Date: Mon, 11 Feb 2013 13:12:18 -0500
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: "Hall, Rand" <hallr@MERRIMACK.EDU>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <47FE4CC0B92ADA478ECC286A11E973012FCB73@SUEX10-mbx-03.ad.syr.edu>
There's no reason you shouldn't be able to do it. You just need to log the
translation builds and teardowns. You have a much bigger client base. I
imagine you'll want to use a larger pool of PAT addresses than our 1. You'll
cycle through port translations pretty quick if you don't. :-)
In our Cisco ASA days we just logged the translations, grepped them for the
inside troublemaker, and then found them in our NAC (Impulse). Palo Alto
pulls it all together for us now 100% of the time (with the exception of
RIAA Ares notifications which are broken...and they know it). It's almost
like magic. I tried posting a helpful screen shot but it got bounced. Check
it out here:
https://docs.google.com/file/d/0B6qVEYXrgauKc0kzYnAwX1kzcm8/edit?usp=sharing
Rand
Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu
If I had an hour to save the world, I would spend 59 minutes defining the
problem and one minute finding solutions. – Einstein
On Thu, Feb 7, 2013 at 11:14 AM, Peter P Morrissey <ppmorris@syr.edu> wrote:
> Assuming you are logging all the internal IP's and connections, but you
> are using a minimal amount of routable IP's, do you wind up with enough
> information to reliably connect an external IP address provided by a DMCA
> notice to an internal IP address? We are considering moving to this model
> as well, but still trying to understand how this would work.
>
> Pete M.
>
> *From:* Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] *On Behalf Of *Hall, Rand
> *Sent:* Thursday, February 07, 2013 8:18 AM
> *To:* RESNET-L@LISTSERV.ND.EDU
> *Subject:* Re: Anyone using NAT in Resnet?
>
> We've been doing NAT overload for ages with no problems. Not a single end
> user machine has a routable address or a 1-1 NAT.
>
> As Jeff notes, you want the NAT to be done very close to the border.
> You'll want your Procera inside for sure.
>
> Put some thought into logging. DMCA tracing can be fun if you don't :-)
>
> Rand
>
>
> Rand P. Hall
> Director, Network Services askIT!
> Merrimack College
> 978-837-3532
> rand.hall@merrimack.edu
>
> If I had an hour to save the world, I would spend 59 minutes defining the
> problem and one minute finding solutions. – Einstein
>
> On Wed, Feb 6, 2013 at 7:05 PM, Todd Chapman <tachapman@ucdavis.edu>
> wrote:
>
> Hello,
>
> We are running into IP space limitations here and are considering using
> NAT for the student housing network. We have a Procera PL8820 handling the
> bandwidth enforcement duties. My question is, has anyone out there done
> this with a similar setup, and if so are there any 'gotcha' issues to be
> aware of?
>
> Thanks,
>
> Todd Chapman
>
> UC Davis
>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
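Rand's point about logging the translation builds and teardowns, worked as an added Python example (not code from this thread): it pairs build and teardown syslog lines written in the shape of Cisco ASA messages 305011/305012 (constructed sample lines with RFC 5737 documentation addresses) and then answers Pete's question, which inside host held a given outside IP and port at the time stated in a DMCA notice. It assumes the notice time has already been converted to the firewall's own clock; in the sample the same outside port is reused by a different inside host minutes later, which is why the time window, not just the outside IP, decides the answer.

```python
import re
from datetime import datetime

# Constructed sample syslog in the shape of Cisco ASA 305011 (build) and
# 305012 (teardown) dynamic PAT messages; RFC 5737 addresses, not real hosts.
SAMPLE_LOG = """\
Feb 07 2013 08:10:02 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.10/20001
Feb 07 2013 08:14:40 asa1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.10/20001 duration 0:04:38
Feb 07 2013 08:15:01 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.31.7/60210 to outside:203.0.113.10/20001
Feb 07 2013 08:16:00 asa1 %ASA-6-305011: Built dynamic UDP translation from inside:10.20.30.40/6881 to outside:203.0.113.10/20001
Feb 07 2013 08:31:09 asa1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.31.7/60210 to outside:203.0.113.10/20001 duration 0:16:08
"""

TS_FMT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-(?P<code>30501[12]): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)


def parse_translations(log_text):
    """Pair every build with the later teardown of the same inside/outside
    tuple. Records keep 'end' as None while the translation is still open."""
    open_xlates, records = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a translation message
        key = (m["proto"], m["in_ip"], int(m["in_port"]), m["out_ip"], int(m["out_port"]))
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["code"] == "305011":
            rec = {"proto": key[0], "in_ip": key[1], "in_port": key[2],
                   "out_ip": key[3], "out_port": key[4], "start": ts, "end": None}
            open_xlates[key] = rec
            records.append(rec)
        elif key in open_xlates:
            open_xlates.pop(key)["end"] = ts
    return records


def inside_hosts_for(records, proto, out_ip, out_port, when):
    """Inside IPs that held (proto, out_ip, out_port) at `when`, a timestamp in
    the syslog's own format already on the firewall's clock. A PAT port is reused
    as soon as it is torn down; more than one hit means a log gap or clock skew."""
    t = datetime.strptime(when, TS_FMT)
    return [r["in_ip"] for r in records
            if (r["proto"], r["out_ip"], r["out_port"]) == (proto, out_ip, out_port)
            and r["start"] <= t and (r["end"] is None or t < r["end"])]
```

Querying `inside_hosts_for(parse_translations(SAMPLE_LOG), "TCP", "203.0.113.10", 20001, "Feb 07 2013 08:20:00")` returns the second inside host, while the same query at 08:12:00 returns the first one; a query with the wrong protocol or a time in the gap between teardown and the next build returns nothing.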