On Fri, 22 Dec 2000 16:55:48 +0100, TOMSON ERIC <[EMAIL PROTECTED]> said:
> <EXAMPLE 1> I have a CATV connection at home. I get only 1 dynamic
> public IP address. However, I have a small internal network (some
> couple of computers). How can I guarantee a full Internet access to
> each one of these computers? => By installing W2K A.S. with NAT on a PC
> having 2 NICs (1 NIC connected to the CATV modem, 1 NIC connected to a
> switch), allowing a full transparent Internet access to an undetermined
> number of PCs on my private LAN (depending on the range of private
> addresses I use). </EXAMPLE 1>
The problem is that "full transparent" is a crock. There's RFC2993
documenting just some of the things that aren't transparent.
Hint 1: Try getting IPsec to run through there, and see how far you get...
Hint 2: Try telnet'ing *INTO* one of the boxes behind the NAT from
outside.
> <EXAMPLE 2> A company has a LAN composed of hundreds of computers and
> wants to give some limited access to the Internet, to its internal
> network. They subscribe to an ISP and ask for 10 fixed addresses. They
> install a router and configure it with NAT in such a way that any 10
> internal hosts can have concurrent connections to the Net by
> dynamically getting a temporary map between their internal address and
> one of the 10 public addresses. As soon as a PC disconnects, its mapped
> address can be assigned to someone else. </EXAMPLE 2>
Discussed in detail in RFC2993 (in particular, section 6 talks about
the TCP TIME_WAIT state and issues related to it).
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
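To make the two hints and EXAMPLE 2 concrete, here is a toy model of an address-pool NAT. It is an added example written for this page, not code from the thread or from either poster. Everything in it is constructed: the addresses are taken from the RFC 5737 documentation ranges, the pool has two public addresses instead of ten, the shared key is a placeholder, and the "AH-style" integrity check is a simplified HMAC over source, destination and payload standing in for the real AH ICV (which covers the immutable IP header fields). It shows that (a) an inside host only gets out while the pool has a free address, (b) an inbound packet to a public address with no existing mapping is simply dropped, which is why Hint 2 goes nowhere, and (c) an integrity tag that covers the addresses is invalidated by the rewrite, while one that covers only the payload survives.

```python
"""Toy address-pool NAT in the style of the thread's EXAMPLE 2, plus a
simplified AH-style vs. payload-only integrity check (Hint 1).
Constructed example; not code from the original thread."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""


class AddressPoolNat:
    """One public address per active inside host, allocated from a small
    pool on first outbound packet (no port translation).  Mappings are
    only ever created by outbound traffic."""

    def __init__(self, public_pool):
        self.free = list(public_pool)
        self.inside_to_public = {}
        self.public_to_inside = {}

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet.  Returns None
        when the pool is exhausted and the host has no mapping yet."""
        pub = self.inside_to_public.get(pkt.src)
        if pub is None:
            if not self.free:
                return None  # all public addresses in use
            pub = self.free.pop(0)
            self.inside_to_public[pkt.src] = pub
            self.public_to_inside[pub] = pkt.src
        return replace(pkt, src=pub)

    def inbound(self, pkt):
        """Rewrite the destination of an outside->inside packet.  With no
        mapping for the public destination the packet is dropped: this is
        Hint 2, telnet *into* an unmapped box behind the NAT."""
        inside = self.public_to_inside.get(pkt.dst)
        if inside is None:
            return None
        return replace(pkt, dst=inside)

    def release(self, inside):
        """Host disconnects: return its public address to the pool."""
        pub = self.inside_to_public.pop(inside)
        del self.public_to_inside[pub]
        self.free.append(pub)


KEY = b"constructed-shared-key"  # placeholder key for the toy ICVs


def ah_icv(pkt):
    """Simplified AH-style ICV: covers the addresses as well as the payload,
    so any header rewrite invalidates it."""
    data = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


def payload_icv(pkt):
    """Payload-only ICV (ESP-like); unaffected by address rewriting."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()


def survives_nat(icv_fn, nat, pkt):
    """Tag at the inside sender, pass through the NAT, verify outside."""
    tag = icv_fn(pkt)
    out = nat.outbound(pkt)
    return out is not None and hmac.compare_digest(tag, icv_fn(out))


def demo():
    """Run the scenarios and return the observations as a dict."""
    nat = AddressPoolNat(["203.0.113.1", "203.0.113.2"])  # pool of 2
    r = {}
    a = nat.outbound(Packet("10.0.0.5", "198.51.100.80", b"GET /"))
    b = nat.outbound(Packet("10.0.0.6", "198.51.100.80", b"GET /"))
    r["a_public"], r["b_public"] = a.src, b.src
    # Third host: pool exhausted until someone disconnects.
    r["third_blocked"] = nat.outbound(Packet("10.0.0.7", "198.51.100.80")) is None
    nat.release("10.0.0.5")
    r["third_after_release"] = nat.outbound(Packet("10.0.0.7", "198.51.100.80")).src
    # Inbound to a mapped public address is delivered to the inside host.
    r["inbound_mapped"] = nat.inbound(Packet("198.51.100.80", "203.0.113.2")).dst
    # Hint 2: unsolicited inbound with no prior outbound mapping is dropped.
    fresh = AddressPoolNat(["203.0.113.1"])
    r["inbound_unmapped"] = fresh.inbound(Packet("198.51.100.9", "203.0.113.1", b"telnet")) is None
    # Hint 1: header-covering ICV breaks, payload-only ICV survives.
    pkt = Packet("10.0.0.5", "198.51.100.80", b"ipsec?")
    r["ah_survives"] = survives_nat(ah_icv, AddressPoolNat(["203.0.113.1"]), pkt)
    r["payload_survives"] = survives_nat(payload_icv, AddressPoolNat(["203.0.113.1"]), pkt)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately has no port translation and no timers, so it does not reproduce the TIME_WAIT reuse problem the reply points to in RFC 2993 section 6; it only shows the mapping-lifetime and inbound-reachability behaviour the two examples describe.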