[rbak-nsp] NAT & SOHO Routes - problem

Denis Mikhaylovskiy denis.mikhaylovskiy at ericsson.com
Fri Oct 22 01:34:22 EDT 2010


Hi Michal

How many subscribers go through SE NAT in your setup?
In general, based on your config, I see at least three potential issues:

 1.  You are using a /31 in the NAT pool. This means that at some point a subscriber's session can be NATed through two addresses at the same time toward the same destination address (this problem especially affects web portals that require re-authentication).
 2.  Some sessions will be NATed using low-range (well-known) TCP/UDP ports. Many resources on the internet do not allow such connections for security reasons.
 3.  I'm pretty sure that many of your subscribers are currently complaining about troubles in gaming, public VoIP, multimedia, etc., because you didn't enable endpoint-independent filtering for UDP in the policy.

I would recommend redesigning your NAT pool like this:
!
 ip nat pool NAT_pool-1 napt multibind
  address 83.142.193.192/32 port-block 1 to 15
!
 ip nat pool NAT_pool-2 napt multibind
  address 83.142.193.193/32 port-block 1 to 15
!

You should also redesign your NAT policy; in general you have two ways to do it.

a) like this
!
 nat policy NAT_policy-1
! Default class
  pool NAT_pool-1 BRAS
  timeout tcp 18000
  endpoint-independent filtering udp
!
 nat policy NAT_policy-2
! Default class
  pool NAT_pool-2 BRAS
  timeout tcp 18000
  endpoint-independent filtering udp
!
In this case you could dynamically return NAT policy names from RADIUS.


b) or like this
!
 nat policy NAT_policy
! Default class
  ignore
! Named classes
  access-group NAT-acl
   class CLASS1
    pool NAT_pool-1 BRAS
    timeout tcp 18000
    endpoint-independent filtering udp
   class CLASS2
    pool NAT_pool-2 BRAS
    timeout tcp 18000
    endpoint-independent filtering udp
!
In this case you have one policy, but you need to define classes via NAT-acl and distribute your subscribers across these classes.



/denis
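As an added illustration (not from the thread and not SmartEdge code), a small Python audit over constructed NAT translation records that flags the first two issues listed above: one subscriber mapped through two public addresses toward the same destination at the same time, and translations that land on well-known ports. The record layout is an assumption for the example, not a SmartEdge log format.

```python
"""Audit NAT translation records for two NAT pool design problems:
a subscriber split across public addresses toward one destination, and
translations using well-known (<= 1023) source ports."""
from collections import defaultdict

# Constructed sample records (assumed layout, not a real NAT log):
# (inside address, translated public address, translated port,
#  destination address, session start seconds, session end seconds)
RECORDS = [
    ("10.10.8.20", "83.142.193.192", 40001, "198.51.100.10", 0, 60),
    ("10.10.8.20", "83.142.193.193", 40002, "198.51.100.10", 30, 90),  # overlaps via other public IP
    ("10.10.8.21", "83.142.193.192", 80, "203.0.113.5", 0, 10),        # well-known port
    ("10.10.8.22", "83.142.193.193", 50000, "198.51.100.10", 0, 40),
    ("10.10.8.22", "83.142.193.192", 50001, "198.51.100.10", 100, 140),  # no time overlap
]

WELL_KNOWN_MAX = 1023


def split_address_sessions(records):
    """Return {(inside, dest): [(public_a, public_b), ...]} for pairs of
    time-overlapping sessions of one subscriber to one destination that
    were translated through different public addresses."""
    by_key = defaultdict(list)
    for inside, public, _port, dest, start, end in records:
        by_key[(inside, dest)].append((public, start, end))
    findings = {}
    for key, sessions in by_key.items():
        pairs = []
        for i, (pub_a, start_a, end_a) in enumerate(sessions):
            for pub_b, start_b, end_b in sessions[i + 1:]:
                # different public address and overlapping lifetime
                if pub_a != pub_b and start_a < end_b and start_b < end_a:
                    pairs.append((pub_a, pub_b))
        if pairs:
            findings[key] = pairs
    return findings


def low_port_translations(records, max_port=WELL_KNOWN_MAX):
    """Return (inside, public, port) for translations on a well-known port."""
    return [(i, p, port) for i, p, port, _d, _s, _e in records if port <= max_port]


if __name__ == "__main__":
    for key, pairs in split_address_sessions(RECORDS).items():
        print("subscriber split across public addresses:", key, pairs)
    for finding in low_port_translations(RECORDS):
        print("well-known port translation:", finding)
```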
________________________________
From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Michal Korzeniowski
Sent: Thursday, October 21, 2010 4:16 PM
To: redback-nsp at puck.nether.net
Subject: [rbak-nsp] NAT & SOHO Routes - problem


Hello.
Recently I was fighting with the configuration of NAT and with your help I succeeded.
At the moment I have a problem with customers who have SOHO routers.
Customers complain that web pages are slow to open, and often to open the page they need to refresh it.
When the same router is connected to the public network (without NAT) the problem disappears.

Thank you for any suggestion!
My config:


context BRAS
!
 no ip domain-lookup
!
 ip nat pool NAT_pool napt multibind
  address 83.142.193.192/31
!
 nat policy NAT_policy
! Default class
  pool NAT_pool BRAS
!
 interface LAN multibind
  description BRAS LAN GW
  ip address 10.10.8.1/24
  ip address 83.142.197.1/24 secondary
  dhcp server interface
  ip arp proxy-arp
!
 interface WAN
  ip address 83.142.192.100/29
 no logging console
!
 aaa authentication administrator local
 aaa authentication administrator maximum sessions 1
 aaa authentication subscriber radius global
!
!
 subscriber default
   dhcp max-addrs 1
!
 ip route 0.0.0.0/0 83.142.192.102
 no service ssh server
!
 dhcp server policy
   nak-on-subnet-deletion
   option subnet-mask 255.255.255.0
   option domain-name-server 91.189.24.2 83.142.192.2
   option domain-name mi.pl
   offer-lease-time 300
   default-lease-time 43200
   maximum-lease-time 43200
   subnet 10.10.8.0/24
     option subnet-mask 255.255.255.0
     option router 10.10.8.1
   subnet 83.142.197.0/24
     option subnet-mask 255.255.255.0
     option router 83.142.197.1
!
port ethernet 2/1
 no shutdown
 encapsulation dot1q
 dot1q pvc 2000 encapsulation multi
  bind interface WAN BRAS
!
port ethernet 2/2
 no shutdown
 encapsulation dot1q
 dot1q pvc 10 encapsulation multi
  service clips dhcp context BRAS

MK
