NAT or Not to NAT; how to do an Internet connection for a 100-PC company ?

 
 
Al Dykes
      10-28-2003

My company needs to get a real internet connection, there is an
immediate requirement for incoming VPN and netmeeting. Is there a
way to use a small block of addresses and NAT instead of getting a
/25 address block ?

This is my first cisco experience, I'm looking at a 26xx router
and a PIX 501 firewall.

Thanks


--
Al Dykes
-----------
(E-Mail Removed)

 
Walter Roberson
      10-28-2003
In article <bnmltt$995$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
:My company needs to get a real internet connection, there is an
:immediate requirement for incoming VPN and netmeeting. Is there a
:way to use a small block of addresses and NAT instead of getting a
:/25 address block ?

:This is my first cisco experience, I'm looking at a 26xx router
:and a PIX 501 firewall.

How much VPN do you expect to do? The 501 is only good for 10 VPN
connections. If you might need more VPN connections than that,
then the PIX 506E should be considered.

Please see my PIX model comparison list at
http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


With regards to Netmeeting, the PIX 6.2(3) release notes say,

ILS Fixup

PIX Firewall software Version 6.2 provides an Internet Locator
Service (ILS) fixup to support NAT for ILS and Lightweight
Directory Access Protocol (LDAP). Also, with the addition of this
fixup, the PIX Firewall supports H.323 session establishment by
Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active
Directory products leverage ILS, which is a directory service, to
provide registration and location of endpoints. ILS supports the
LDAP protocol and is LDAPv2 compliant.

--
I wrote a hack in microcode,
with a goto on each line,
it runs as fast as Superman,
but not quite every time! -- Dave Touretzky and Don Libes
 
Al Dykes
      10-28-2003
In article <bnmnnq$f0$(E-Mail Removed)>,
Walter Roberson <(E-Mail Removed)-cnrc.gc.ca> wrote:
>In article <bnmltt$995$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
>:My company needs to get a real internet connection, there is an
>:immediate requirement for incoming VPN and netmeeting. Is there a
>:way to use a small block of addresses and NAT instead of getting a
>:/25 address block ?
>
>:This is my first cisco experience, I'm looking at a 26xx router
>:and a PIX 501 firewall.
>
>How much VPN do you expect to do? The 501 is only good for 10 VPN
>connections. If you might need more VPN connections than that,
>then the PIX 506E should be considered.


10 is a good number.

Do I read the paragraph, below, to say that I can do incoming
netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
the answer is yes, what else (LDAP server ?) is required ?

Thanks

>
>Please see my PIX model comparison list at
>http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt
>
>
>With regards to Netmeeting, the PIX 6.2(3) release notes say,
>
> ILS Fixup
>
> PIX Firewall software Version 6.2 provides an Internet Locator
> Service (ILS) fixup to support NAT for ILS and Lightweight
> Directory Access Protocol (LDAP). Also, with the addition of this
> fixup, the PIX Firewall supports H.323 session establishment by
> Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active
> Directory products leverage ILS, which is a directory service, to
> provide registration and location of endpoints. ILS supports the
> LDAP protocol and is LDAPv2 compliant.
>
>--
> I wrote a hack in microcode,
> with a goto on each line,
> it runs as fast as Superman,
> but not quite every time! -- Dave Touretzky and Don Libes



--
Al Dykes
-----------
(E-Mail Removed)

 
Walter Roberson
      10-28-2003
In article <bnmot3$h2e$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
:Do I read the paragraph, below, to say that I can do incoming
:netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
:the answer is yes, what else (LDAP server ?) is required ?

I -think- that is what it means. There used to be a problem with
incoming H.323 not being supported, and when I went looking for the
documentation of that, I found that claim that starting in 6.2 something
they added ILS support ... so it just might work now.


If you look closely, you notice that I only quoted Cisco, rather
than referring to my own experience. We've never tried it.
--
Oh, yeah, an African swallow maybe, but not a European swallow.
That's my point.
 
Al Dykes
      10-28-2003
In article <bnmq4j$1ga$(E-Mail Removed)>,
Walter Roberson <(E-Mail Removed)-cnrc.gc.ca> wrote:
>In article <bnmot3$h2e$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
>:Do I read the paragraph, below, to say that I can do incoming
>:netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
>:the answer is yes, what else (LDAP server ?) is required ?
>
>I -think- that is what it means. There used to be a problem with
>incoming H.323 not being supported, and when I went looking for the
>documentation of that, I found that claim that starting in 6.2 something
>they added ILS support ... so it just might work now.
>
>
>If you look closely, you notice that I only quoted Cisco, rather
>than referring to my own experience. We've never tried it.
>--


I appreciate that distinction.

A little googling found

" NAT support for NetMeeting Directory" on cisco's web site. I'll
have to give it a careful read.

http://www.cisco.com/univercd/cc/td/...os121/121newft/121t/121t5/dtnatils.htm


Thanks

--
Al Dykes
-----------
(E-Mail Removed)

 
Walter Roberson
      10-28-2003
In article <bnmr4e$on7$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
:A little googling found

:" NAT support for NetMeeting Directory" on cisco's web site. I'll
:have to give it a careful read.

:http://www.cisco.com/univercd/cc/td/...5/dtnatils.htm

That's for IOS, not for PIX. It can give guidance, but it might not
be applicable.
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth
 
Brian Bergin
      10-29-2003
(E-Mail Removed) (Al Dykes) wrote:

|
|10 is a good number.

Read the 501 specs. It is ~$400 for 10 connections or ~$650 for 50. Both have
3DES now. You state you have 100 connections. The 501 also stops at 50 users.
That's not 50 inbound that's 50 total connections. The 506E is ~$950 and
supports unlimited users and 25 VPN sessions. 501's support 10 VPN sessions
total and they count against your total users. Get a 506E, it has a faster CPU
and you won't run out of users. You'll be much happier. (then get a 501 for
home and use Cisco's point-to-point VPN between them)

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.
 
Al Dykes
      10-29-2003
In article <(E-Mail Removed)>,
Brian Bergin <(E-Mail Removed)> wrote:
>(E-Mail Removed) (Al Dykes) wrote:
>
>|
>|10 is a good number.
>
>Read the 501 specs. It is ~$400 for 10 connections or ~$650 for 50. Both
>have 3DES now. You state you have 100 connections. The 501 also stops at 50
>users. That's not 50 inbound that's 50 total connections. The 506E is ~$950 and
>supports unlimited users and 25 VPN sessions. 501's support 10 VPN sessions
>total and they count against your total users. Get a 506E, it has a
>faster CPU and you won't run out of users. You'll be much happier.
>(then get a 501 for home and use Cisco's point-to-point VPN between them)
>




I thought there was an unlimited license for the 501. Agreed
that the 506E isn't lots more. Thanks.


--
Al Dykes
-----------
(E-Mail Removed)

 
Walter Roberson
      10-29-2003
In article <bnn18f$5mu$(E-Mail Removed)>, Al Dykes <(E-Mail Removed)> wrote:
:I thought there was an unlimited license for the 501. Agreed
:that the 506E isn't lots more. Thanks.

There is. It's Cisco part PIX-501-UL-BUN-K9, and street prices
start about $US700. Street prices on PIX-506E-BUN-K9 start about
$US900. The 506E is more than 2 1/2 times faster, has unlimited
users, encrypts 5 to 6 times as quickly, and supports 25 VPN connections.
--
This signature intentionally left... Oh, darn!
 