Does anyone know where there are some pointers on using the 11.2 NAT stuff with Cisco? Also if it works worth anything? I've been searching cio for some info, but so far no examples...

Also, does it work with 2501? Specifically I am working on setting up part of my BGP space with very small IP blocks for customers but with a NAT on the front end (if it works worth anything) so that I don't have to play the "I need more address space" game with customers. Also the problems associated with customers changing IP providers is starting to go up as well...

Marcos

'''
(o o)
-oOO--(_)--OOo--------------------------------mdella @ cstone.com-----
Marcos R. Della http://www.cstone.com/~mdella
A 2501 can do it but you need the IP+ IOS that lists for $700 more than the plain $1200 IP license. (You can buy a whole NAT capable router elsewhere for that - RAD, Proteon, etc.) Cisco's NAT really wants to 'NAT' everything on some interface and I was warned NOT to try running non-NATted secondary subnets on the same ethernet. Perhaps you could have frame relay subinterfaces for NAT customers running NAT at a central site.

I have been running NAT at the 16xx/2501 at the customer site. Use a /27, /28, or /29 for them, STATIC allocate a few NAT translations for their servers, and chuck all the rest into a pool you run in OVERLOAD mode for all their random hosts to use.

The 1601's IP license is $600 and IP+ for NAT is $1000 (traditional direct list vs -PRO pricing via distribution which totals about the same but gets confusing in the middle). The new 1605 has DUAL ethernet, has 8 rather than 2 meg soldered in, and so still leaves all of a 16 meg DRAM simm untouched if running -mz images from DRAM. Curiously, unlike the memory-access challenged 2501, the 16xx family wins a 35% speed boost running from DRAM. Only the 1605 ships with the -mz image, but ANY 16xx can load and decompress that image into DRAM, and run. And a 1605's 2nd ethernet would allow NAT and normal nets at a site.

Also notice Bay's NetGear's new $339 street price ISDN **ROUTER** (yes a real router to ETHERNET), that ***INCLUDES*** NAT! A product manager allowed as how a serial port might be less $s than their BRI version, and this was just the first of a family. Unlimited NATted hosts, i.e. no 'games' their competition plays.

Buy a cisco 36xx with dual PRIs and let them dial in if your users don't pay message units or if you can get flatrated Centrex like service... Of course buy your telco PRIs from a friendly ISP turned C-LEC :-)
Marcos Della wrote:
> Does anyone know where there are some pointers on using the 11.2 NAT
I've installed it for going on 6 sites now. There are a couple of quirks on the 1600 (bug) and 2500, but for the most part it works pretty well. We cut over one site with 250 workstations and 30 remote sites from one internet provider to another in 5 minutes. I've had zero problems with NAT on the 3600 and 4500 series.

One possible design flaw is that it translates DNS queries (packet payload), but not zone transfers. This presents a problem if you have the primary DNS server inside and the secondary outside. I think this is scheduled to be fixed.

Cisco had a few tips for me on a quirky problem...

1. Use a normal access-list (nonextended) for the NAT list.
2. For small sites, overload a single public address rather than many.
3. Don't put an internal, publicly addressable network as "outside" if you don't have to.
4. For right now, avoid using any statically mapped addresses for surfing the net if you can. There is a bug where a statically mapped address will also grab a pool address for outgoing connections and then problems will crop up when both are being used.

I can include some sample configs privately through email if anyone wants.

allan
--
Allan Chong allan@alum.mit.edu
Dad, what causes wind? Trees sneezing. Really? No, but the truth is more complicated. --Calvin and Hobbes
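The layout barton describes (a small public block per customer, static translations for the servers, everything else in one overloaded pool) and Allan's tips 1, 2 and 4 (a standard access-list for the NAT list, overload a single public address, keep statically mapped hosts off the dynamic pool) fit together in one IOS NAT configuration. The following is a constructed example added here, not one of the sample configs Allan offered and not from any of the posters; the interface names, the 192.0.2.0/27 customer block and the 10.0.0.0/24 inside network are assumptions (documentation and private ranges), and the `deny` entry for the static host is an assumed way to keep that host out of the pool.

```cisco
! Constructed IOS 11.2-style NAT example (assumed addressing, not from the thread).
! Inside LAN: 10.0.0.0/24 (private). Public customer block: 192.0.2.0/27.
!
! Tip 1: a standard (non-extended) access-list selects which inside hosts get NAT.
! The statically mapped server is denied here on purpose (assumption) so it never
! also grabs a pool address for outbound connections (tip 4 bug).
access-list 1 deny   10.0.0.5
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Static translation for the customer's server (reachable from outside at 192.0.2.5).
ip nat inside source static 10.0.0.5 192.0.2.5
!
! Tip 2: pool of exactly one public address, used in overload (PAT) mode for all
! the random hosts. netmask matches the /27 customer block.
ip nat pool CUST-POOL 192.0.2.10 192.0.2.10 netmask 255.255.255.224
ip nat inside source list 1 pool CUST-POOL overload
!
! Tip 3: only the private LAN is marked inside; the upstream link is outside.
interface Ethernet0
 description Customer LAN (NAT inside)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Upstream link (NAT outside)
 ip address 192.0.2.1 255.255.255.224
 ip nat outside
!
! Checks after cutover (exec mode):
!   show ip nat translations   - static entry for 192.0.2.5 should be present at
!                                all times; dynamic entries appear only as
!                                192.0.2.10 with distinct port numbers.
!   show ip nat statistics     - confirms which interfaces are inside/outside and
!                                that list 1 -> pool CUST-POOL is the active rule.
```

With the static host denied in access-list 1, any translation for 10.0.0.5 that shows up with 192.0.2.10 instead of 192.0.2.5 in `show ip nat translations` is a sign the bug Allan mentions (or a config slip) is in play, which is the condition tip 4 is meant to avoid.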