About 3000 internal addresses translated to 5 or 6 public addresses. No issues as far as we know.
The ASA shows about 28000 translations as max used at present.

Mearl

> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of William John Bigelow
> Sent: Tuesday, December 01, 2009 8:48 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] NAT Advice
>
> Mearl,
>
> What ratio of private to public addresses do you employ?
>
> - Bill
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Danner, Mearl
> Sent: Tuesday, December 01, 2009 9:39 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] NAT Advice
>
> We use very few public addresses. Mostly for our core servers. All
> workstations are translated from private address spaces
> (10.x.x.x,172.x.x.x) to several public addresses based on their IP
> subnet range. Public IP addresses are only available to VLANS in the
> datacenter.
>
> We like the added security of our workstations not using publicly
> routed addresses. If we have one that needs a public address we can
> establish a static mapping public-to-private with our ASA.
>
> We translate at the edge using our ASA firewall. Translations are
> logged to a syslog server. We retain logs for 90 days.
>
> We also scripted saving a history of leases from our ISC dhcp server
> to help us match inside addresses to translated addresses.
>
> So far we haven't found a need to get more sophisticated.
>
> Mearl
>
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[email protected]] On Behalf Of William John Bigelow
> > Sent: Tuesday, December 01, 2009 7:41 AM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] NAT Advice
> >
> > Heath,
> >
> > The clients are currently using public IP's. As for the logging, we
> > wish to be able to track all translations and perhaps hone it as
> > necessary.
> >
> > Thanks,
> >
> > Bill
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[email protected]] On Behalf Of heath.barnhart
> > Sent: Monday, November 30, 2009 2:33 PM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] NAT Advice
> >
> > Bill,
> >
> > So I'm understanding correctly, you are going to be NATing within
> > your own network? Are your clients currently getting private or
> > public IPs? What level of logging are you wanting to store
> > (informational, all translations, etc)? Not sure I can offer much as
> > we are just NATing at the perimeter, but these might be questions
> > others might ask to help you.
> >
> > --
> > Heath Barnhart
> > Asst. Systems and Networking Admin
> > Information Systems and Services
> > Washburn University
> > Topeka, KS 66621
> >
> > William John Bigelow wrote:
> > >
> > > Good morning,
> > >
> > > We are considering implementing NAT in our wireless network in
> > > order to conserve address space. We run a Cisco controller based
> > > WLAN and need to support approximately 6000+ users. I was hoping
> > > some of you could share your experiences.
> > >
> > > 1. Thoughts regarding the best way to store logs (space allocation
> > > particularly comes to mind).
> > >
> > > 2. Best practices for NAT implementation (we will probably use
> > > Juniper FW's).
> > >
> > > 3. Pros/Cons of natting at the controller/subnet level vs. border
> > > firewall.
> > >
> > > 4. Issues with NAT only on the residential WLAN.
> > >
> > > I look forward to your replies.
> > >
> > > - Bill
> > >
> > > ********** Participation and subscription information for this
> > > EDUCAUSE Constituent Group discussion list can be found at
> > > http://www.educause.edu/groups/.
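Added example, not part of the thread and not code from any of the posters: a sketch of the lookup that the setup described above (ASA translation syslog plus saved ISC dhcpd lease history) makes possible, mapping a public IP, port and time back to an inside address and MAC. The log lines and leases are constructed samples; the ISO timestamp prefix, the UTC clocks and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample data (not from the thread). Assumes the syslog collector
# prefixes ISO timestamps and that ASA and dhcpd both log in UTC.
ASA_LOG = """\
2009-12-01T14:05:10 asa %ASA-6-305011: Built dynamic TCP translation from inside:10.20.3.44/51512 to outside:192.0.2.10/40001
2009-12-01T14:05:40 asa %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.3.44/51512 to outside:192.0.2.10/40001 duration 0:00:30
2009-12-01T14:09:02 asa %ASA-6-305011: Built dynamic TCP translation from inside:10.20.7.19/49222 to outside:192.0.2.10/40001
"""
LEASES = """\
lease 10.20.7.19 { starts 2 2009/12/01 08:00:00; ends 2 2009/12/01 12:00:00; hardware ethernet 00:16:3e:aa:bb:01; }
lease 10.20.7.19 { starts 2 2009/12/01 13:30:00; ends 2 2009/12/01 17:30:00; hardware ethernet 00:16:3e:aa:bb:02; }
lease 10.20.3.44 { starts 2 2009/12/01 13:00:00; ends 2 2009/12/01 17:00:00; hardware ethernet 00:16:3e:aa:bb:03; }
"""
XLATE = re.compile(r"^(\S+) \S+ %ASA-6-(305011|305012): \w+ dynamic (\w+) translation "
                   r"from inside:([\d.]+)/(\d+) to outside:([\d.]+)/(\d+)")
LEASE = re.compile(r"lease ([\d.]+) \{[^}]*?starts \d ([\d/]+ [\d:]+);[^}]*?"
                   r"ends \d ([\d/]+ [\d:]+);[^}]*?hardware ethernet ([0-9a-f:]+);", re.I)

def inside_host(log, proto, pub_ip, pub_port, when):
    """Return the inside IP that held pub_ip/pub_port at `when`, else None."""
    owner = None
    for line in log.splitlines():
        m = XLATE.match(line)
        if not m or (m[3], m[6], int(m[7])) != (proto, pub_ip, pub_port):
            continue
        if datetime.fromisoformat(m[1]) > when:
            break                  # log is chronological; later events do not apply
        owner = m[4] if m[2] == "305011" else None   # Built sets, Teardown clears
    return owner

def lease_mac(leases, ip, when):
    """Return the MAC that leased `ip` at `when`; the last matching record wins."""
    mac = None
    for lip, start, end, hw in LEASE.findall(leases):
        s = datetime.strptime(start, "%Y/%m/%d %H:%M:%S")
        e = datetime.strptime(end, "%Y/%m/%d %H:%M:%S")
        if lip == ip and s <= when <= e:
            mac = hw.lower()
    return mac

def attribute(proto, pub_ip, pub_port, when):
    """Public IP/port/time -> (inside IP, MAC), or (None, None) if no xlate was active."""
    ip = inside_host(ASA_LOG, proto, pub_ip, pub_port, when)
    return (ip, lease_mac(LEASES, ip, when)) if ip else (None, None)
```

The sample reuses one public port for two inside hosts within four minutes, which is why a request without the source port and an accurate timestamp cannot be resolved to a single workstation.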
