1:1 NAT doesn't necessarily mean the connection is bi-directional, but I agree with what your question implies. I'd rather deal with the public addresses at the firewall rather than the public+NAT'd addresses (especially in a Zero Trust Network model). It also removes the need for internal vs external DNS (except, maybe, to hide system names). I don't guarantee a 1:1 NAT, but we try to keep that ratio very low for troubleshooting/tracing/identification purposes .. except for gaming consoles. For those, I'd recommend a 1:1 or just dole out public addresses!
-Brian ________________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Chuck Anderson [[email protected]] Sent: Monday, February 23, 2015 3:13 PM To: [email protected] Subject: Re: [WIRELESS-LAN] NAT tracking question If you have 1 public IP address reserved for each individual user, why do you need to do NAT at all? This is a serious question--if you aren't saving public IPs by doing 1:many NAT, why do NAT at all? Thanks. On Mon, Feb 23, 2015 at 11:33:45AM -0500, Norman Elton wrote: > We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar > to the A10 gear). The DHCP server hands out predetermined private IP > addresses to devices as soon as we determine ownership (through our > NAC). For outbound traffic, the F5 uses this private IP address to NAT > to a public IP address that is reserved for the individual user. The > end result is that no matter where the device is on campus, we know > that 128.239.x.y is something owned by Joe Smith. If we need to know > exactly which device, we consult our flow logs. But at least we're 99% > confident we're dealing with the right student. > > I'm happy to share the gory details if someone wants to wrap their > head around it. > > Norman Elton > College of William & Mary > > > > On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton <[email protected]> wrote: > > We've got our Juniper SRX 5800 doing our NAT for all wireless, plus all > > students and visitors (wired or wireless). > > > > We send those logs (and the SRX is VERY CHATTY about NAT) to our Splunk > > server for the tying together of date/time, public IP and private IP - in > > the event we get a notice from some TLA. > > > > -----Original Message----- > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > > [mailto:[email protected]] On Behalf Of Heath Barnhart > > Sent: Monday, February 23, 2015 9:12 AM > > To: [email protected] > > Subject: Re: [WIRELESS-LAN] NAT tracking question > > > > We use a Sonicwall E8500 for NAT, it will log all NAT translations and send > > them as syslog to a server for storage. I have logrotate changing files > > every hour to make it easier to search on. > > -- > > Heath Barnhart > > ITS Network Administrator > > Washburn University > > Topeka, KS > > > > > > On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote: > >> To ALL: > >> > >> We have a large Cisco wireless deployment with public ip address > >> space. Getting more public IP's is getting difficult so we are > >> considering going to NAT. The issue we have with NAT is that we still > >> want to be able to map an outside IP back to a individual user. Once > >> you go to NAT that of course becomes more difficult to do. I know a > >> lot of you are probably already doing this and I was wondering how and > >> what products do you use? I assume most have a one to many NAT and then > >> use something like a netflow collector to to track the inside NAT IP to > >> the outside Src-IP/DST-IP/Port/Time. Any good working solutions or > >> products would be helpful. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
