
RFC 1631 outlines what a NAT is.
In this presentation, Cisco technology is used. Inside/Outside local/global addresses.
Creating translation entries
Benefits of multi-homing with a NAT
DNS
Cisco IOS 11.2.X (ISP image or IP Plus)
Cisco Router 3640 with 64Mb
Two authoritative name servers inside
Address space from both ISPs
This has worked with 70 concurrent incoming translations, many applications and many rules.
Applications that have not been tested: Kerberos V5 and multicast
Contact delgadil@cisco.com about adding knowledge of other applications to the NAT software.
IPsec will never work.
Kerberos V4 will never work
SNMP will never work
Mobile IP will probably never work.
More stuff needs to be tested.
Packets per second (pps) and the number of concurrent translations and/or sessions is a real problem.
There is a real desire to try to get this to work with multiple ISPs.
Contact mad-natter@digex.net if you want to test a specific application through a NAT.
Online information is available at www.digix.org/nat-info.html
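The translation-entry model the presentation works from (inside/outside, local/global addresses, entries created on demand, the table size as the resource that limits concurrent sessions) is easier to reason about in code. The following is an added example, not code from the presentation or from Cisco's NAT implementation; it is a toy single-address (overloaded) NAT in Python, with all addresses, port numbers and the entry limit constructed for illustration. It also shows why a host on the inside cannot reach a neighbour by that neighbour's global address, the hairpin case raised in the discussion.

```python
# Added example (not from the presentation): a toy model of NAT translation
# entries in Cisco's inside/outside, local/global terminology.  All addresses,
# ports and limits below are constructed test values.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Translation:
    """One NAT table entry.  inside_local is the private address the host
    uses; inside_global is how the outside sees it.  outside_global is the
    real remote address; this toy NAT does not rewrite the outside side, so
    outside_local would equal outside_global and is not stored."""
    proto: str
    inside_local: str
    inside_local_port: int
    inside_global: str
    inside_global_port: int
    outside_global: str
    outside_global_port: int


class Nat:
    def __init__(self, inside_net: str, inside_global: str, max_entries: int):
        self.inside_net = ip_network(inside_net)
        self.inside_global = inside_global   # single overloaded (PAT) address
        self.max_entries = max_entries       # the memory/CPU ceiling the talk worries about
        self._next_port = 1024
        self._by_inside: Dict[Tuple[str, str, int], Translation] = {}  # outbound lookup
        self._by_global: Dict[Tuple[str, int], Translation] = {}       # inbound lookup

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside.  Returns the rewritten packet, or None if dropped."""
        if ip_address(pkt.src) not in self.inside_net:
            return None                      # did not arrive on the inside interface
        if pkt.dst == self.inside_global:
            # Hairpin: an inside host addressing another inside host by its
            # global address.  This NAT does not route that, so it is dropped.
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        entry = self._by_inside.get(key)
        if entry is None:
            if len(self._by_inside) >= self.max_entries:
                return None                  # translation table exhausted
            entry = Translation(pkt.proto, pkt.src, pkt.sport,
                                self.inside_global, self._next_port,
                                pkt.dst, pkt.dport)
            self._next_port += 1
            self._by_inside[key] = entry
            self._by_global[(entry.proto, entry.inside_global_port)] = entry
        return replace(pkt, src=entry.inside_global, sport=entry.inside_global_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Only packets matching an existing entry, from the
        peer that entry was created for, pass; anything unsolicited is dropped."""
        if pkt.dst != self.inside_global:
            return None
        entry = self._by_global.get((pkt.proto, pkt.dport))
        if entry is None or pkt.src != entry.outside_global:
            return None
        return replace(pkt, dst=entry.inside_local, dport=entry.inside_local_port)

    def active_translations(self) -> int:
        return len(self._by_inside)


if __name__ == "__main__":
    nat = Nat("10.0.0.0/24", "192.0.2.1", max_entries=2)
    print(nat.translate_outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 80)))
    print(nat.translate_inbound(Packet("tcp", "198.51.100.7", 80, "192.0.2.1", 1024)))
    print(nat.translate_outbound(Packet("tcp", "10.0.0.6", 5000, "192.0.2.1", 1024)))
```

Two things worth noting from a defender's view: inbound traffic that matches no entry, or comes from a different peer than the one the entry was created for, never reaches the inside, which is the incidental filtering NAT provides; and once `max_entries` is reached new outbound flows are silently dropped, which is the session-count failure mode the presenter flags as a real problem and a reason to monitor translation-table occupancy.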
Have you done any detailed analysis for the outside global address pool?
No. We basically leave it to the customer. We don't do a lot with overloading.
Sue Hares: All the connections to the NATed hosts are available when just one of the NSP connections is up. Isn't that true without NAT?
Yes. This does not break that.
Bill Woodcock: What about DNS load balances?
We have not tested that.
Someone asks: What is the number of sessions at which things break?
No, we don't know that yet. These are influenced by memory and CPU.
Someone asks: What happens to a TCP connection when a link fails?
It won't fail since it will fall back to the tunnel.
David Power from Insync asks: What about using dedicated boxes instead of doing it in the router?
We have looked at that, but that's not what we tried here.
Michael: SNMP will work if translation is not required.
We agree.
What about the case where boxes are on the same network, but are being "connected" by an external machine (say for a chat session). They end up with globally routable endpoints and may not be able to talk to each other because they don't have valid addresses for the network they are actually on and the NAT won't route that.
We agree.