[rbak-nsp] NAT & SOHO Routes - problem
Denis Mikhaylovskiy
denis.mikhaylovskiy at ericsson.com
Fri Oct 22 01:34:22 EDT 2010
Hi Michal
How many subscribers go through SE NAT in your setup?
In general based on your config I see at least three potential issues
1. You are using /31 in nat pool, this means that at some point subscriber's session can be NATed through two addresses at the same time going to same destination address (especially this problem related to web portals which requires re/authentication).
2. Some sessions will be NATed using low range (well known) TCP/UDP ports. Many resources in internet do not allow such connections due to security reasons.
3. I'm pretty sure that many of your subscribers are currently complaining about troubles in gaming, public voip, multimedia, etc. Because you didn't enabled independent endpoint filtering for udp in the policy.
I would recommend redesigning your nat pool like this
!
ip nat pool NAT_pool-1 napt multibind
address 83.142.193.192/32 port-block 1 to 15
!
ip nat pool NAT_pool-2 napt multibind
address 83.142.193.193/32 port-block 1 to 15
!
You should also redesign your nat policy; in general you have two ways how to do it
a) like this
!
nat policy NAT_policy-1
! Default class
pool NAT_pool-1 BRAS
timeout tcp 18000
endpoint-independent filtering udp
!
nat policy NAT_policy-2
! Default class
pool NAT_pool-2 BRAS
timeout tcp 18000
endpoint-independent filtering udp
!
In this case you could dynamically return from radius nat policy names
b) or like this
!
nat policy NAT_policy
! Default class
ignore
! Named classes
access-group NAT-acl
class CLASS1
pool NAT_pool-1 BRAS
timeout tcp 18000
endpoint-independent filtering udp
class CLASS2
pool NAT_pool-2 BRAS
timeout tcp 18000
endpoint-independent filtering udp
!
In this case you have one policy, but you need to define classes by NAT-acl and distribute you subscribers across theses classes.
/denis
________________________________
From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Michal Korzeniowski
Sent: Thursday, October 21, 2010 4:16 PM
To: redback-nsp at puck.nether.net
Subject: [rbak-nsp] NAT & SOHO Routes - problem
Hello.
Recently I was fighting with the
configuration of
NAT and with your help I succeeded.
At the moment I have a problem
with customers who have
SOHO routers.
Customers complain that
web pages are slow to open, and often to open the page they need to refresh it.
When the same router is
connected tio the
public network (without NAT) problem
disappears.
Thank You
for any suggestion!
my config:
context BRAS
!
no ip domain-lookup
!
ip nat pool NAT_pool
napt multibind
address
83.142.193.192/31
!
nat policy NAT_policy
! Default
class
pool
NAT_pool BRAS
!
interface LAN
multibind
description BRAS LAN GW
ip address
10.10.8.1/24
ip address 83.142.197.1/24 secondary
dhcp server
interface
ip arp proxy-arp
!
interface WAN
ip address 83.142.192.100/29
no logging console
!
aaa authentication
administrator local
aaa authentication administrator
maximum sessions 1
aaa authentication subscriber radius global
!
!
subscriber default
dhcp
max-addrs 1
!
ip route 0.0.0.0/0 83.142.192.102
no service ssh
server
!
dhcp server policy
nak-on-subnet-deletion
option subnet-mask
255.255.255.0
option domain-name-server 91.189.24.2
83.142.192.2
option domain-name mi.pl<http://mi.pl/>
offer-lease-time 300
default-lease-time 43200
maximum-lease-time 43200
subnet
10.10.8.0/24
option subnet-mask
255.255.255.0
option
router 10.10.8.1
subnet 83.142.197.0/24
option
subnet-mask 255.255.255.0
option router
83.142.197.1
!
port ethernet 2/1
no shutdown
encapsulation
dot1q
dot1q pvc 2000 encapsulation multi
bind
interface WAN BRAS
!
port ethernet 2/2
no
shutdown
encapsulation dot1q
dot1q pvc 10
encapsulation multi
service clips dhcp context BRAS
MK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20101022/1ba451cc/attachment.html>
More information about the redback-nsp
mailing list