Re: [fw-wiz] Nat Limitations?

Yes, I've already considered pushing the NAT closer to the edge. However,
it appears that the machines we planned to use don't do NAT (a number of
Cisco 4k's).


On Tue, 9 Oct 2007, Darden, Patrick S. wrote:

From what you have said, I am guessing you want to do this:

res hall 1 res hall 2 res hall 3....
| | |
\ | /
huge central fwsm

I am guessing you want to segment each res hall off using a single
inclusive VLAN, then NAT it in a central switch or router. I think
you should reconsider. Instead of NATing centrally, why not NAT on
the edge? You can use multiple VLANs, one per res hall, and multiple

End result--further segmentation for better security, reduced load
on your central switch or router (save the CPU for BGP and/or
ACLs--and raw speed!)

Individual concerns:

1. concurrent translations limitation. Not a problem with the above.
2. I weep for the RIAA. You don't have to help them. You just have
to act in accordance with applicable laws. If they give you one of
their John Doe warrants with a single IP address that they claim
corresponds to one person, you can tell them to be more specific due
to NAT. The burden lies on them.
3. The above topography would work better for rate limiting. Fewer
people would be affected by one or two bandwidth hawgs.
4. Certain applications might well break. NAT tends to break UDP
apps more than TCP. It also tends to interfere with servers. Your
students will not be able to run servers as easily, except inside
the residence halls.

You might want to do this to one residence hall first to test it.
There is no substitute for real-world testing--who knows what
bizarre effects might occur.

One problem you might not have considered is the move to IPv6. You
should NOT invest this much time and effort into such a huge
NAT infrastructure if you plan to move to IPv6 in the next 4 years.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
Sent: Tuesday, October 09, 2007 9:03 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Nat Limitations?


I'm interested in hearing some thoughts on a topology I'm considering
pursuing. On a mid-sized college campus, we have the funding to
physically segment the residence halls from the rest of the campus
network. This is a huge win from a security perspective among other
things. We've also begun using a separate provider for bandwidth. A
long-term goal would be to hand the management of these buildings off to a
company who can maintain it to reduce our headaches.

So, in building it we want to make it as portable as possible. As such,
NAT comes to mind so we don't have to re-number it if a different provider
takes it. It also has a number of other advantages which I'm sure are
well known.

The problem is that I'm concerned about the number of translations that
will happen in these buildings. Currently this part of the network is
allocated a /19 and we estimate there are just over 4,000 residents.

I see some of the pitfalls being:

* The Cisco FWSM is limited to 256K concurrent translations. That's only
64 per user. BitTorrent is likely to slaughter that.

* It's harder to handle RIAA complaints since everything comes from a
different public address.

* Rate limiting (packet shaping) is currently done at the ISP for these
buildings. We'll have to move that inside (more $$) or do protocol
shaping instead of by IP address.

* Certain applications may break, etc.

So my question is:

Has anyone tried to NAT this many of a certain type of user?


Do the benefits outweigh the caveats?

Jason Mishka - "I'm like a Subway in a land of McDonalds..."
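A capacity check for the translation-table concern raised above, added here as an example and not code from the thread or from either poster: it compares a single central FWSM (256K concurrent translations, the figure quoted in the thread) against one NAT box per residence hall. Hall sizes, the split between P2P-heavy and typical users, and the per-user flow counts are assumed figures for illustration.

```python
"""Translation-table sizing for central vs. per-hall NAT (constructed example)."""
from dataclasses import dataclass

FWSM_MAX_XLATES = 256 * 1024  # 256K concurrent translations, as stated in the thread


@dataclass
class Hall:
    name: str
    residents: int
    p2p_fraction: float = 0.15  # assumed share of residents running BitTorrent-like apps


# Assumed per-user concurrent flow counts (a P2P client holds far more than a browser).
TYPICAL_FLOWS = 20
P2P_FLOWS = 400


def translations_needed(hall: Hall) -> int:
    """Worst-case concurrent translations for one hall: every resident active at once."""
    p2p_users = round(hall.residents * hall.p2p_fraction)
    typical_users = hall.residents - p2p_users
    return p2p_users * P2P_FLOWS + typical_users * TYPICAL_FLOWS


def central_nat(halls: list[Hall], cap: int = FWSM_MAX_XLATES) -> tuple[bool, int]:
    """One device carries every hall; returns (fits, total translations)."""
    total = sum(translations_needed(h) for h in halls)
    return total <= cap, total


def edge_nat(halls: list[Hall], cap: int = FWSM_MAX_XLATES) -> dict[str, bool]:
    """One device per hall; returns which halls fit within the same cap."""
    return {h.name: translations_needed(h) <= cap for h in halls}


def flows_per_user_budget(residents: int, cap: int = FWSM_MAX_XLATES) -> int:
    """Average concurrent flows each resident can hold before the table fills."""
    return cap // residents


if __name__ == "__main__":
    halls = [Hall(f"res hall {i}", 1024) for i in range(1, 5)]  # 4,096 residents total
    print("per-user budget:", flows_per_user_budget(sum(h.residents for h in halls)))
    print("central:", central_nat(halls))
    print("edge:", edge_nat(halls))
```

The same per-user budget applies to each edge box, but with ~1,000 residents behind it instead of ~4,000 the worst case stays well under the cap.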

firewall-wizards mailing list