Real Time Ascend Mailing List Archive

Re: (ASCEND) Yippie!



Although I work for Lucent, I have never touched a Pipe or SuperPipe, but I
do know about NAT.
What the customer is trying to do is not a very popular way to do things.
1) In an ideal world, I would do the following: -
Internet -> Router -> De-militarised zone -> Class C
Internet <- Router <- NAPT <- Non-internet addresses.
For this you need a router with one uplink, and 2 ethernets.
The reason for the de-militarised zone is to add security.
You can then only allow outgoing TCP sessions on the NAT, and all incoming
connections arrive at the De-Militarised Zone.
All outgoing UDP connections are done via a transparent proxy in the
De-militarised zone.
The reason for this is that UDP NAPT is very insecure.

2) An alternative.
For all outgoing traffic, do NAPT. (Network Address and Port Translation
from the RFC terms. Not PAT from Cisco)
For all incoming traffic do 1-to-1 IP address mapping via NAT.

This second alternative should work, and a majority of Routers should be
able to do it.
Please note that I have no idea how the Pipes work.
Cheers
James


----- Original Message -----
From: "Ken Kirchner" <kenk@shreve.net>
To: "Ascend users" <ascend-users@bungi.com>
Sent: Wednesday, May 03, 2000 1:51 AM
Subject: (ASCEND) Yippie!


>
> After some mysterious unsubscribing, I am back! Rejoice! :)
>
> But calm yourselves, I have a problem...
>
> A customer with a SuperPipe 155 would like to do both real IP's and NAT on
> his unit.  We already route him a class C over a point-to-point T1.  That
> part is working fine.  The NAT is a recent addition and that does not seem
> to be working at all for him.  Whenever he enables NAT he loses all
> connectivity, even on his real IP's.
>
> So he calls up Lucent (at $3 a minute or so) and the tech tells him that
> it's not possible with his current firmware, so he gives him rev 7.4.8
> which supposedly allows this feature.  They still can't get it to work. The
> customer then 3-ways the tech and myself to get things straightened out.
> They explain the situation and it doesn't sound complicated to me.  I could
> configure a Cisco 2500 to do this no sweat, but I am not up on my
> Pipelines.  Anyway, the tech starts explaining to me how NAT works.  It
> doesn't sound at all like I think NAT works, but I haven't read the RFC so I
> don't know for sure.  What he describes to me sounds more like DHCP, so I
> think he's clueless.  He starts asking me how we authenticate.  I try to
> explain to him that this is a point-to-point nailed up T1 and that there
> is no authentication, but he doesn't buy it.  He says unless we have some
> way to authenticate this customer's pipeline he won't be able to use NAT.
>
> This sounds like complete BS, but I thought I'd ask here and go read the
> RFC before I declare anyone stupid.
>
> The customer wants to do NAT on his SuperPipe over a T1 while still doing
> real IP traffic for his class C space.  Can this be done?  How do we do
> it?  How do I specify the IP or pool of IP's the superpipe is to use for
> the masquerading?  Is the NAT feature limited to dial-up configs only?
>
> -Ken
>
> ++ Ascend Users Mailing List ++
> To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd: <http://www.nealis.net/ascend/faq>

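
Added example, not part of either message above and not Ascend/Lucent configuration: a small Python model of alternative 2 from the reply (NAPT for sessions opened from inside, 1-to-1 address mapping for inbound traffic), with the TCP-only rule from option 1 applied to the NAPT side. The class name, method names, port range and all addresses are assumptions made for illustration.

```python
"""Toy translator: NAPT for outbound sessions, static 1-to-1 NAT for inbound.
All addresses are constructed (RFC 5737 documentation ranges and RFC 1918)."""
from dataclasses import dataclass, field

NAPT_ADDR = "192.0.2.1"                    # shared public address (constructed)
STATIC_MAP = {"192.0.2.10": "10.0.0.10"}   # public -> private, 1-to-1 (constructed)


@dataclass
class Translator:
    next_port: int = 40000                       # first public port handed out (assumed)
    out: dict = field(default_factory=dict)      # (src, sport, dst, dport) -> public port
    back: dict = field(default_factory=dict)     # (public port, peer, peer port) -> (src, sport)

    def outbound(self, proto, src, sport, dst, dport):
        """First packet of a session opened from the private side."""
        if proto != "tcp":
            return None        # UDP is left to the DMZ proxy, as in option 1
        key = (src, sport, dst, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (NAPT_ADDR, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from the Internet; None means it is dropped."""
        if dst in STATIC_MAP:
            # 1-to-1 mapping: only the address is rewritten, the port is kept
            return (src, sport, STATIC_MAP[dst], dport)
        if proto == "tcp" and dst == NAPT_ADDR:
            priv = self.back.get((dport, src, sport))
            if priv:           # reply from the exact peer of an inside-opened session
                return (src, sport, priv[0], priv[1])
        return None            # unsolicited traffic to the NAPT address
```

The inbound lookup is keyed on the remote peer as well as the public port, so a packet from any other host to an allocated port finds no entry and is dropped.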