Mearl,

What ratio of private to public addresses do you employ?

- Bill

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Danner, Mearl
Sent: Tuesday, December 01, 2009 9:39 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] NAT Advice

We use very few public addresses. Mostly for our core servers. All workstations are translated from private address spaces (10.x.x.x, 172.x.x.x) to several public addresses based on their IP subnet range. Public IP addresses are only available to VLANs in the datacenter. We like the added security of our workstations not using publicly routed addresses. If we have one that needs a public address we can establish a static mapping public-to-private with our ASA.

We translate at the edge using our ASA firewall. Translations are logged to a syslog server. We retain logs for 90 days. We also scripted saving a history of leases from our ISC dhcp server to help us match inside addresses to translated addresses. So far we haven't found a need to get more sophisticated.

Mearl

> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of William John Bigelow
> Sent: Tuesday, December 01, 2009 7:41 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] NAT Advice
>
> Heath,
>
> The clients are currently using public IP's. As for the logging, we
> wish to be able to track all translations and perhaps hone it as
> necessary.
>
> Thanks,
>
> Bill
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of heath.barnhart
> Sent: Monday, November 30, 2009 2:33 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] NAT Advice
>
> Bill,
>
> So I'm understanding correctly, you are going to be NATing within your
> own network? Are your clients currently getting private or public IPs?
> What level of logging are you wanting to store (informational, all
> translations, etc)? Not sure I can offer much as we are just NATing at
> the perimeter, but these might be questions others might ask to help
> you.
>
> --
> Heath Barnhart
> Asst. Systems and Networking Admin
> Information Systems and Services
> Washburn University
> Topeka, KS 66621
>
> William John Bigelow wrote:
> >
> > Good morning,
> >
> > We are considering implementing NAT in our wireless network in order
> > to conserve address space. We run a Cisco controller based WLAN and
> > need to support approximately 6000+ users. I was hoping some of you
> > could share your experiences.
> >
> > 1. Thoughts regarding the best way to store logs (space allocation
> > particularly comes to mind).
> >
> > 2. Best practices for NAT implementation (we will probably use
> > Juniper FW's).
> >
> > 3. Pros/Cons of natting at the controller/subnet level vs. border
> > firewall.
> >
> > 4. Issues with NAT only on the residential WLAN.
> >
> > I look forward to your replies.
> >
> > - Bill
> >
> > **********
> > Participation and subscription information for this
> > EDUCAUSE Constituent Group discussion list can be found at
> > http://www.educause.edu/groups/.
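
Added example, not part of the thread and not any poster's script: a sketch of the correlation Mearl describes, matching a public address and port seen at a given time to an inside address through NAT translation logs, then to a MAC address through DHCP lease history. It assumes ASA syslog messages 305011/305012 with `logging timestamp` formatting and lease records in ISC `dhcpd.leases` syntax; all sample data is constructed and the function names are hypothetical.

```python
import re
from datetime import datetime
# Constructed sample data, not from the thread; both sources assumed to share one time zone.
ASA_LOG = """\
Dec 01 2009 14:31:02: %ASA-6-305011: Built dynamic TCP translation from inside:10.20.4.17/51234 to outside:198.51.100.7/40001
Dec 01 2009 14:33:40: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.4.17/51234 to outside:198.51.100.7/40001 duration 0:02:38
Dec 01 2009 14:40:15: %ASA-6-305011: Built dynamic TCP translation from inside:10.20.9.88/40210 to outside:198.51.100.7/40001
"""
LEASES = """\
lease 10.20.4.17 { starts 2 2009/12/01 09:00:00; ends 2 2009/12/01 13:00:00; hardware ethernet 00:1b:63:00:00:01; }
lease 10.20.4.17 { starts 2 2009/12/01 14:05:10; ends 2 2009/12/01 18:05:10; hardware ethernet 00:1b:63:00:00:02; }
lease 10.20.9.88 { starts 2 2009/12/01 14:20:00; ends 2 2009/12/01 18:20:00; hardware ethernet 00:1b:63:00:00:03; }
"""
XLATE = re.compile(r"^(\w{3} \d{2} \d{4} [\d:]{8}): %ASA-6-30501([12]): \w+ \w+ (\w+) translation"
                   r" from [^:\s]+:([\d.]+)/(\d+) to [^:\s]+:([\d.]+)/(\d+)", re.M)
LEASE = re.compile(r"lease ([\d.]+) \{\s*starts \d ([^;]+);\s*ends \d ([^;]+);"
                   r"[^}]*?hardware ethernet ([0-9a-f:]+);")

def parse_translations(log):
    """Pair 305011 (Built) with 305012 (Teardown) into sessions keyed by mapped address."""
    sessions, open_by_key = [], {}
    for ts, kind, proto, in_ip, in_port, pub_ip, pub_port in XLATE.findall(log):
        when = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
        key = (proto, pub_ip, int(pub_port))
        if kind == "1":  # Built: open a new session for this mapped ip/port
            s = {"key": key, "inside": (in_ip, int(in_port)), "start": when, "end": None}
            sessions.append(s)
            open_by_key[key] = s
        elif key in open_by_key:  # Teardown: close the matching open session
            open_by_key.pop(key)["end"] = when
    return sessions

def parse_leases(text):
    fmt = "%Y/%m/%d %H:%M:%S"
    return [(ip, datetime.strptime(s, fmt), datetime.strptime(e, fmt), mac)
            for ip, s, e, mac in LEASE.findall(text)]

def attribute(sessions, leases, proto, pub_ip, pub_port, when):
    """Return (inside_ip, inside_port, mac) for a public ip/port seen at `when`, or None."""
    for s in sessions:
        if s["key"] == (proto, pub_ip, pub_port) and s["start"] <= when and (s["end"] is None or when <= s["end"]):
            ip, port = s["inside"]
            mac = next((m for l_ip, a, b, m in leases if l_ip == ip and a <= when <= b), None)
            return ip, port, mac
    return None

if __name__ == "__main__":
    sessions, leases = parse_translations(ASA_LOG), parse_leases(LEASES)
    print(attribute(sessions, leases, "TCP", "198.51.100.7", 40001, datetime(2009, 12, 1, 14, 32)))
```

The sample shows why the lookup needs a timestamp and port as well as the public address: the same mapped port is reused by a different inside host a few minutes later, and the same inside address was leased to a different MAC earlier in the day.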
