<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:612.0pt 792.0pt;
margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:353461894;
mso-list-type:hybrid;
mso-list-template-ids:-1979812580 -1399417308 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-number-format:alpha-lower;
mso-level-text:"%1\)";
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1759868843;
mso-list-type:hybrid;
mso-list-template-ids:31721496 1719327840 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-number-format:alpha-lower;
mso-level-text:"%1\)";
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2
{mso-list-id:1819224490;
mso-list-type:hybrid;
mso-list-template-ids:-836757332 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue style='word-wrap: break-word;-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Michal<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>How many subscribers go through SE NAT in
your setup?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>In general, based on your config, I see at
least three potential issues:<o:p></o:p></span></font></p>
<ol style='margin-top:0cm' start=1 type=1>
<li class=MsoNormal style='color:navy;mso-list:l2 level1 lfo2'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>You
are using a /31 in the NAT pool; this means that at some point a subscriber’s
session can be NATed through two addresses at the same time going to the same
destination address (this problem especially affects web portals
that require re/authentication).<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l2 level1 lfo2'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>Some
sessions will be NATed using low-range (well-known) TCP/UDP ports. Many resources
on the internet do not allow such connections for security reasons.<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l2 level1 lfo2'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>I’m
pretty sure that many of your subscribers are currently complaining about troubles
in gaming, public VoIP, multimedia, etc., because you didn’t enable endpoint-independent
filtering for UDP in the policy.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I would recommend redesigning your NAT pool
like this:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> ip nat pool NAT_pool-1 napt
multibind<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> address 83.142.193.192/32 port-block
1 to 15<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>ip nat pool NAT_pool-2 napt multibind<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> address 83.142.193.193/32 port-block
1 to 15<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>You should also redesign your NAT policy;
in general you have two ways to do it:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3'><![if !supportLists]><font
size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'><span style='mso-list:Ignore'>a)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> </span></font></span></span></font><![endif]><font
size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'>like this<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> nat policy NAT_policy-1<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>! Default class<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> pool NAT_pool-1 BRAS<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> timeout tcp 18000<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> endpoint-independent filtering udp<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> nat policy NAT_policy-2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>! Default class<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> pool NAT_pool-2 BRAS<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> timeout tcp 18000<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> endpoint-independent filtering udp<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>In this case you could dynamically return
the NAT policy names from RADIUS.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3'><![if !supportLists]><font
size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'><span style='mso-list:Ignore'>b)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> </span></font></span></span></font><![endif]><font
size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'>or like this<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> nat policy NAT_policy<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>! Default class<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> ignore<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>! Named classes<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> access-group NAT-acl<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> class CLASS1<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> pool NAT_pool-1 BRAS<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> timeout tcp 18000<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> endpoint-independent
filtering udp<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> class CLASS2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> pool NAT_pool-2 BRAS<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> timeout tcp 18000<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> endpoint-independent
filtering udp<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>In this case you have one policy, but you
need to define the classes with NAT-acl and distribute your subscribers across these classes.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>/denis<o:p></o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
redback-nsp-bounces@puck.nether.net
[mailto:redback-nsp-bounces@puck.nether.net] <b><span style='font-weight:bold'>On
Behalf Of </span></b><st1:PersonName w:st="on">Michal Korzeniowski</st1:PersonName><br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, October 21, 2010
4:16 PM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">redback-nsp@puck.nether.net</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> [rbak-nsp] NAT & SOHO
Routes - problem</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<div style='word-wrap: break-word;-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div style='word-wrap: break-word;-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div>
<p class=MsoNormal><font size=4 color=black face=Helvetica><span
style='font-size:13.5pt;font-family:Helvetica;color:black'><br>
Hello.<br>
Recently I was fighting with the configuration of NAT and with your help I succeeded.<br>
At the moment I have a problem with customers who have SOHO routers.<br>
Customers complain that web pages are slow to open, and often to open the page they need to refresh it.<br>
When the same router is connected to the public network (without NAT) the problem disappears.<br>
<br>
Thank you for any suggestion!<br>
My config:<br>
<br>
<br>
context BRAS<br>
!<br>
 no ip domain-lookup<br>
!<br>
 ip nat pool NAT_pool napt multibind<br>
  address 83.142.193.192/31<br>
!<br>
 nat policy NAT_policy<br>
 ! Default class<br>
  pool NAT_pool BRAS<br>
!<br>
 interface LAN multibind<br>
  description BRAS LAN GW<br>
  ip address 10.10.8.1/24<br>
  ip address 83.142.197.1/24 secondary<br>
  dhcp server interface<br>
  ip arp proxy-arp<br>
!<br>
 interface WAN<br>
  ip address 83.142.192.100/29<br>
 no logging console<br>
!<br>
 aaa authentication administrator local<br>
 aaa authentication administrator maximum sessions 1<br>
 aaa authentication subscriber radius global<br>
!<br>
!<br>
 subscriber default<br>
  dhcp max-addrs 1<br>
!<br>
 ip route 0.0.0.0/0 83.142.192.102<br>
 no service ssh server<br>
!<br>
 dhcp server policy<br>
  nak-on-subnet-deletion<br>
  option subnet-mask 255.255.255.0<br>
  option domain-name-server 91.189.24.2 83.142.192.2<br>
  option domain-name <a href="http://mi.pl/">mi.pl</a><br>
  offer-lease-time 300<br>
  default-lease-time 43200<br>
  maximum-lease-time 43200<br>
  subnet 10.10.8.0/24<br>
   option subnet-mask 255.255.255.0<br>
   option router 10.10.8.1<br>
  subnet 83.142.197.0/24<br>
   option subnet-mask 255.255.255.0<br>
   option router 83.142.197.1<br>
!<br>
port ethernet 2/1<br>
 no shutdown<br>
 encapsulation dot1q<br>
 dot1q pvc 2000 encapsulation multi<br>
  bind interface WAN BRAS<br>
!<br>
port ethernet 2/2<br>
 no shutdown<br>
 encapsulation dot1q<br>
 dot1q pvc 10 encapsulation multi<br>
  service clips dhcp context BRAS<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=4 color=black face=Helvetica><span
style='font-size:13.5pt;font-family:Helvetica;color:black'><o:p> </o:p></span></font></p>
</div>
</span>
<p class=MsoNormal><font size=4 color=black face=Helvetica><span
style='font-size:13.5pt;font-family:Helvetica;color:black'></span><br>
<br>
</span></font><o:p></o:p></p>
</div>
</span>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>MK<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>