
Re: NAT and NAT

Quoting Derick Siddoway (derick_(_at_)_panther_(_dot_)_bitflood_(_dot_)_net):
> Quick question.  Let's say I have the following setup:
> Internet <--> RouterA + NAT for 192.168.1.x <--> RouterB + NAT for 10.x.x.x
> Now, I don't think that you can have nat on routers two deep like
> this, but I'm looking for confirmation.

It works fine.  Our labs used 10/8 addresses, our regular
network had another NAT address.  We regularly used ftp
and http from the lab to the Internet just like this.

There were ugly ways to open a connection back IN
(we needed a vendor to hit RouterA on a certain
port and end up on a 10.x.x.x address on port 443),
but it was a pain in the tushy.

Recall though, that NAT came about as a hack to deal
with two things:
- IPv4 address space exhaustion
- Routing table sizes:
  Shown by the refusal of backbones to route 24 bit networks.
  In 1993, we had a full feed of something like 24,000 routes.  This
  stressed routed on our 64MB, 25MHz machine.  Currently, there
  are, IIRC, something like 45k routes.  Without NAT, we expected
  45k routes by 1995.
- NAT is now seen as a poor man's firewall.  I guess it's like
  not putting your address on your house.  Maintaining state makes
  it less meaningless than it has been, but it also stops
  current IPSec and several other things that keep addresses within
  packet data.
- NAT was also a convenient way to handle corporate mergers.
  Two companies happen to use 10/8.  You can spend forever
  getting them into unique spaces, or you can do a double
  NAT box like this, to mitigate some of the issues, WITHIN
  REASONABLE limits (20k concurrent connections is a bitch
  for any stack).

And what, you can't move to IPv6 inside and a FAITH gateway? :)
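Added example, not part of the message above: a small Python model of the two-deep NAT the thread describes (Internet <--> RouterA NATing 192.168.1.0/24 <--> RouterB NATing 10/8). It shows why outbound ftp/http "just works" (each hop allocates its own port mapping and the reply walks back through both state tables) and why the vendor-hits-RouterA-and-lands-on-10.x.x.x:443 case needs a static forward configured on both routers. The addresses, port numbers, and the forward on port 8443 are made up for the example (documentation ranges), not anything from the original post.

```python
"""Model of two NAT routers in series, with per-hop state tables."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """One NAT router: inside network, one outside address, optional static forwards."""

    def __init__(self, inside_net, outside_addr, forwards=None):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.outside_addr = outside_addr
        # static port forwards: outside port -> (inside addr, inside port)
        self.forwards = dict(forwards or {})
        self.next_port = 40000          # start of the dynamic port pool
        self.state = {}                 # outside port -> (src, sport, dst, dport)
        self.reverse = {}               # (src, sport, dst, dport) -> outside port

    def outbound(self, pkt):
        """Inside -> outside: source NAT, allocating a mapping on first sight."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            raise ValueError(f"{pkt.src} is not inside {self.inside_net}")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.state[port] = key
        return Packet(self.outside_addr, self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: reply to a known flow, static forward, or dropped (None)."""
        if pkt.dst != self.outside_addr:
            return None
        key = self.state.get(pkt.dport)
        # stateful check: only the peer the inside host talked to may use the mapping
        if key and key[2] == pkt.src and key[3] == pkt.sport:
            src, sport, _, _ = key
            return Packet(pkt.src, pkt.sport, src, sport)
        if pkt.dport in self.forwards:
            addr, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, addr, port)
        return None  # unsolicited inbound: the "poor man's firewall" effect


def build_topology():
    """Hypothetical addresses: RouterA public 203.0.113.10, RouterB outside 192.168.1.2."""
    # The inbound forward must be configured at BOTH hops to reach 10.1.2.3:443.
    router_b = Nat("10.0.0.0/8", "192.168.1.2", forwards={8443: ("10.1.2.3", 443)})
    router_a = Nat("192.168.1.0/24", "203.0.113.10", forwards={8443: ("192.168.1.2", 8443)})
    return router_a, router_b


def lab_to_internet(router_a, router_b, pkt):
    """Lab host -> RouterB SNAT -> RouterA SNAT -> Internet."""
    return router_a.outbound(router_b.outbound(pkt))


def internet_to_lab(router_a, router_b, pkt):
    """Internet -> RouterA -> RouterB -> lab host; None if either hop drops it."""
    inner = router_a.inbound(pkt)
    if inner is None:
        return None
    return router_b.inbound(inner)


def run_scenarios():
    a, b = build_topology()
    results = {}
    # 1. lab host fetches a web page; reply finds its way back through both tables
    results["out"] = lab_to_internet(a, b, Packet("10.1.2.3", 51000, "198.51.100.7", 80))
    results["reply"] = internet_to_lab(a, b, Packet("198.51.100.7", 80, "203.0.113.10", 40000))
    # 2. vendor connects to RouterA:8443 and ends up on the lab box's port 443
    results["vendor"] = internet_to_lab(a, b, Packet("192.0.2.50", 33000, "203.0.113.10", 8443))
    # 3. a stranger probing the dynamic port (or any other port) is dropped at RouterA
    results["probe"] = internet_to_lab(a, b, Packet("192.0.2.50", 33001, "203.0.113.10", 40000))
    results["ssh"] = internet_to_lab(a, b, Packet("192.0.2.50", 33001, "203.0.113.10", 22))
    return results


if __name__ == "__main__":
    for name, pkt in run_scenarios().items():
        print(f"{name:7s} {pkt}")
```

The model only rewrites IP headers; it says nothing about protocols that carry addresses in the payload (active-mode FTP, IPSec AH, SIP), which is exactly the breakage the post refers to and which each hop would need its own ALG or passthrough for.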
