Re: [fw-wiz] NAPT - NAT Port selection
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 08/22/04
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- In reply to: ravivsn_at_www.rocsys.com: "[fw-wiz] NAPT - NAT Port selection"
- Next in thread: Harald Welte: "Re: [fw-wiz] NAPT - NAT Port selection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Sun, 22 Aug 2004 20:58:05 +0530
On 20/08/04 09:05 +0530, ravivsn@www.rocsys.com wrote:
> Hi,
> NAPT devices allow access to internet by internal machines having
> private IP addresses using one or more public IP addresses.
>
> We are vendors of security devices and these have NAPT feature
> and we allow up to 63K TCP connections from internal machines at any
> time. The 63K limit comes from the number of unique source ports that can be
> assigned as NAT ports.
>
> Our customer, who is one of the small ISPs, wanted to use these devices. This
> ISP gives private IP addresses to their customers and using NAPT provides
Ewwww. Public IP space is cheap. Private IP space is for end users, not
ISPs.
> internet access to its customers. The ISP has a limited number of public IP
> addresses and it wants us to increase the number of TCP connections for each
> public IP address to go from 63K to a very high number.
If they have that many customers, they can surely justify getting more
public IP space.
<snip>
> - Is it good for NAPT device to use same NAT port for different
> sessions, if they are going to different destination (based on
> Destination IP and Port)? Do you see any problems associated with
> this apart from the one mentioned above?
Not really. All that is necessary to identify the connection uniquely is
that the combination of (source port, source ip, destination port,
destination ip and protocol) be unique.
You may run into implementation issues, tracking all these connections.
Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
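As an added illustration, not part of the thread and not the vendor's product code, the following Python model contrasts the two allocation policies the reply distinguishes: a NAT port that must be unique across every session (the 63K ceiling per public address) versus a NAT port that only needs to be unique among sessions to the same (protocol, destination IP, destination port), which is all the 5-tuple rule requires. It also makes the "implementation issues" concrete: the reply path has to look translations up by (protocol, NAT port, remote IP, remote port), and that key must never collide. The class name, the addresses, and the deliberately tiny two-port pool are constructed for the demonstration.

```python
"""NAPT port selection: global uniqueness vs. per-destination uniqueness (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Private-side 5-tuple: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]
# Key the reply path must resolve unambiguously: (proto, nat_port, remote_ip, remote_port)
ReplyKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Mapping:
    proto: str
    src_ip: str
    src_port: int
    nat_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Translation table for one public address (hypothetical model, not a real product).

    per_destination=False: every session gets a distinct NAT port (the 63K ceiling).
    per_destination=True:  a NAT port only needs to be distinct among sessions to the
    same (proto, dst_ip, dst_port), which is all the 5-tuple rule requires.
    """

    def __init__(self, public_ip: str, per_destination: bool,
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.per_destination = per_destination
        self.lo, self.hi = port_range
        self.outbound: Dict[Flow, Mapping] = {}   # private flow -> mapping
        self.inbound: Dict[ReplyKey, Mapping] = {}  # reply-path lookup
        self.used: Dict[tuple, Set[int]] = {}     # ports in use per uniqueness bucket

    def _bucket(self, proto: str, dst_ip: str, dst_port: int) -> tuple:
        # The scope within which a NAT port must be unique.
        return (proto, dst_ip, dst_port) if self.per_destination else (proto,)

    def _alloc(self, proto: str, dst_ip: str, dst_port: int, preferred: int) -> Optional[int]:
        used = self.used.setdefault(self._bucket(proto, dst_ip, dst_port), set())
        if self.lo <= preferred <= self.hi and preferred not in used:
            used.add(preferred)  # keep the client's source port when we can
            return preferred
        for port in range(self.lo, self.hi + 1):  # linear scan; fine for a demo
            if port not in used:
                used.add(port)
                return port
        return None  # this bucket's port pool is exhausted

    def outbound_packet(self, proto: str, src_ip: str, src_port: int,
                        dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a private-side packet; returns (public_ip, nat_port) or None if no port is free."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        m = self.outbound.get(flow)
        if m is None:
            nat_port = self._alloc(proto, dst_ip, dst_port, src_port)
            if nat_port is None:
                return None
            m = Mapping(proto, src_ip, src_port, nat_port, dst_ip, dst_port)
            key: ReplyKey = (proto, nat_port, dst_ip, dst_port)
            assert key not in self.inbound  # invariant: reply path stays unambiguous
            self.outbound[flow] = m
            self.inbound[key] = m
        return (self.public_ip, m.nat_port)

    def inbound_packet(self, proto: str, remote_ip: str, remote_port: int,
                       nat_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply arriving at (public_ip, nat_port) back to the private host, or None."""
        m = self.inbound.get((proto, nat_port, remote_ip, remote_port))
        return None if m is None else (m.src_ip, m.src_port)

    def sessions(self) -> int:
        return len(self.outbound)


def demo(per_destination: bool) -> dict:
    """Three clients to three different servers through a constructed two-port pool."""
    nat = Napt("203.0.113.1", per_destination, port_range=(40000, 40001))
    clients = [("10.0.0.1", 50000, "198.51.100.10", 80),
               ("10.0.0.2", 50000, "198.51.100.20", 80),
               ("10.0.0.3", 50000, "198.51.100.30", 443)]
    results = [nat.outbound_packet("tcp", s, sp, d, dp) for s, sp, d, dp in clients]
    # Each server's reply to the translated port must reach the right private host.
    replies = [nat.inbound_packet("tcp", d, dp, r[1]) if r else None
               for (s, sp, d, dp), r in zip(clients, results)]
    return {"nat_ports": [r[1] if r else None for r in results],
            "replies": replies, "sessions": nat.sessions()}


if __name__ == "__main__":
    print("global port uniqueness:   ", demo(False))
    print("per-destination uniqueness:", demo(True))
```

With global uniqueness the third client is refused once both ports are taken; with per-destination uniqueness all three sessions share NAT port 40000 and each reply still resolves to the correct private host, because the remote address and port are part of the lookup key. The ceiling does not disappear: three clients to the same server still exhaust the two-port bucket, and the table the device must keep grows with every session rather than with the number of ports, which is the tracking cost the reply warns about.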