We tested NAT on a Cisco firewall module and found that the outside cannot initiate connections to the inside, which means P2P/file sharing by MSN/Remote Desktop are all broken. So for people who are already doing NAT, how do you solve this issue? Thanks.

On Fri, Jul 4, 2008 at 2:04 PM, Ken Connell <[EMAIL PROTECTED]> wrote:
> Stan...
>
> Since "we've" touched on Aruba and Syslog....I have a question...
>
> We too are an Aruba shop, and do push info to a syslog server. In previous
> code 2.x, as you mentioned, an authentication log would include username,
> mac, IP, and AP....but since we've upgraded to 3.x, it seems the username
> and mac/IP have been separated and are no longer tied together. I do get
> username authentications, and mac/IP info, but I have no way of tying them
> together...
>
> What ver code are you running and/or do you have the same issue?
>
> Ken Connell
> Intermediate Network Engineer
> Computer & Communication Services
> Ryerson University
> 350 Victoria St
> RM AB50
> Toronto, Ont
> M5B 2K3
> 416-979-5000 x6709
>
> ----- Original Message -----
> From: "Brooks, Stan" <[EMAIL PROTECTED]>
> Date: Thursday, July 3, 2008 5:39 pm
> Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
> To: [email protected]
>
> > Greg,
> >
> > Depending on the code version, you can set the logging levels to
> > capture user associations and authentications to a syslog server. The
> > data logged includes the location name/group of the AP the user
> > connected to, the SSID, along with the user's MAC, IP and user ID.
> >
> > >>-> Stan Brooks - CWNA/CWSP
> > Emory University
> > Network Communications Division
> > 404.727.0226
> > AIM/Y!/Twitter: WLANstan
> > MSN: [EMAIL PROTECTED]
> > GoogleTalk: [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[EMAIL PROTECTED] On Behalf Of Scholz, Greg
> > Sent: Thursday, July 03, 2008 8:55 AM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
> >
> > Stan,
> > Can you tell me what type of location information you get and from what
> > log?
> > "802.1x/WPA-Enterprise, so we have usernames and locations in our
> > logs"
> >
> > We are trying to figure out if there is a way to determine what APs users
> > are/have been on but all we have seen in the radius logs is the
> > controller as the NAS.
> >
> > Thanks,
> > Greg
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
> > Sent: Wednesday, July 02, 2008 6:34 PM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks
> >
> > Mike,
> >
> > We, too, are an Aruba shop, and have been doing NAT on our academic and
> > ResNet wireless networks for about a year now. Two years ago, we ran
> > out of IP addresses on our wireless network on Move-In Weekend and had
> > to scramble to add additional subnets - a scarce commodity here at
> > Emory. To prevent that from happening last year, we implemented NAT for
> > our wireless clients and now have plenty of address space for our
> > growing user base.
> >
> > We let the Aruba controllers perform the NAT function (very easy to set
> > up - just a firewall rule in the user role in the Aruba config). We've
> > not had any complaints from users regarding NAT issues; we were
> > concerned that it might break some apps, but no problems have been
> > observed or reported. We've even got our homegrown NAC (NetReg/CAT)
> > working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
> > all other traffic is. This all works great, thanks to the Aruba
> > capabilities.
> >
> > The only issue we've had with NAT has been voiced by Philippe - DMCA
> > notices are hard to isolate. Our wired network has some protection in
> > place to identify and reduce peer-to-peer traffic (Tipping Points), so
> > we don't generally get a lot of notices. User tracking and RF location
> > still works well as those are functions of the radio and authentication
> > subsystems. Our academic users log on using 802.1x/WPA-Enterprise, so
> > we have usernames and locations in our logs. Connecting those usernames
> > to the NAT pool IP addresses is the hard part.
> >
> > I'd be happy to share some basic configuration tips and tricks regarding
> > NAT with you off-list, or on-list if others are interested.
> >
> > BTW - We've been NAT'ing our guest access users since day one on the
> > Aruba equipment. Guests "log in" through the captive portal and are
> > given limited access - bandwidth limited web access and VPN access back
> > to their home organizations.
> >
> > >>-> Stan Brooks - CWNA/CWSP
> > Emory University
> > Network Communications Division
> > 404.727.0226
> > AIM/Y!/Twitter: WLANstan
> > MSN: [EMAIL PROTECTED]
> > GoogleTalk: [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
> > Sent: Tuesday, July 01, 2008 9:47 AM
> > To: [email protected]
> > Subject: [WIRELESS-LAN] NAT in large scale wireless networks
> >
> > Though we currently have enough available routed IP space for our
> > wireless clients we are looking toward the future and wondering if
> > NAT-ing the wireless network makes sense.
> >
> > Does anyone have any experiences, good or bad, using NAT for the
> > wireless client pool in a large scale environment? What features "go
> > away" (i.e. RFID or user tracking, etc.) Are there any gotchas?
> >
> > We're an Aruba shop and expect about 3000+ wireless clients this
> > semester and have been adding more APs by the week.
> >
> > Thanks,
> > Mike
> >
> > ***************************************************************
> > Michael Dickson                     Phone: 413-545-9639
> > Network Analyst                     [EMAIL PROTECTED]
> > University of Massachusetts
> > Network Systems and Services
> > ***************************************************************
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Constituent
> > Group discussion list can be found at http://www.educause.edu/groups/.
> >
> > This e-mail message (including any attachments) is for the sole use of
> > the intended recipient(s) and may contain confidential and privileged
> > information. If the reader of this message is not the intended
> > recipient, you are hereby notified that any dissemination, distribution
> > or copying of this message (including any attachments) is strictly
> > prohibited.
> >
> > If you have received this message in error, please contact
> > the sender by reply e-mail message and destroy all copies of the
> > original message (including attachments).

--
David Wang, Networking Services, CCS
www.uoguelph.ca 519-824-4120 x52046
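
The correlation problem raised in this thread (tying usernames to MAC/IP records, then to NAT pool addresses) can be sketched as a time-aware join. This is an added example, not from any poster or vendor: the key=value log layout, field names and sample lines are constructed, and it assumes the NAT device logs each translation with its translated port and time range.

```python
from datetime import datetime

# Constructed sample lines in a made-up key=value layout (not Aruba's syslog format).
AUTH_LOG = """\
2008-07-04T10:00:05 event=auth user=jdoe mac=00:11:22:33:44:55 ap=lib-ap-12
2008-07-04T10:02:10 event=auth user=asmith mac=66:77:88:99:aa:bb ap=dorm-ap-03
"""
LEASE_LOG = """\
2008-07-04T10:00:07 event=lease mac=00:11:22:33:44:55 ip=10.20.0.15
2008-07-04T10:02:12 event=lease mac=66:77:88:99:aa:bb ip=10.20.0.16
2008-07-04T11:30:00 event=lease mac=66:77:88:99:aa:bb ip=10.20.0.15
"""
NAT_LOG = """\
2008-07-04T10:05:00 event=nat src=10.20.0.15:51000 xlate=192.0.2.10:40001 end=2008-07-04T10:20:00
2008-07-04T11:35:00 event=nat src=10.20.0.15:51000 xlate=192.0.2.10:40001 end=2008-07-04T11:50:00
"""

def parse(log):
    """Turn 'timestamp k=v k=v' lines into dicts with a datetime under 'ts'."""
    rows = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        row = dict(p.split("=", 1) for p in pairs)
        row["ts"] = datetime.fromisoformat(ts)
        rows.append(row)
    return rows

def latest_before(rows, when, **match):
    """Most recent row at or before `when` whose fields equal `match`."""
    hits = [r for r in rows if r["ts"] <= when
            and all(r.get(k) == v for k, v in match.items())]
    return max(hits, key=lambda r: r["ts"], default=None)

def attribute(public_ip, public_port, when):
    """Resolve a reported (NAT pool IP, port, time) to user, MAC and AP."""
    when = datetime.fromisoformat(when)
    endpoint = f"{public_ip}:{public_port}"
    nat = next((r for r in parse(NAT_LOG) if r["xlate"] == endpoint
                and r["ts"] <= when <= datetime.fromisoformat(r["end"])), None)
    if nat is None:
        return None  # no translation covers that port at that time
    private_ip = nat["src"].rsplit(":", 1)[0]
    # Private IPs are reused, so take the lease in force when the session began.
    lease = latest_before(parse(LEASE_LOG), nat["ts"], ip=private_ip)
    auth = lease and latest_before(parse(AUTH_LOG), nat["ts"], mac=lease["mac"])
    if not auth:
        return None
    return {"user": auth["user"], "mac": lease["mac"], "ap": auth["ap"],
            "private_ip": private_ip}
```

The MAC address is the join key between the authentication and address records, and the translated port plus timestamp is what separates users sharing one pool address; a report that lacks either cannot be resolved this way.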
