NAT for an ISP

Andy Dills andy at
Wed Jun 4 22:51:40 UTC 2003

On Wed, 4 Jun 2003, Dan Armstrong wrote:

> 90% of our customers all use private address space. We only give out
> real address space to customers that have servers that need to be
> visible. We run NAT on several customer facing routers.
> Cool stuff we can do is set up PPTP VPNs on the same router to give
> people "access from home" to their LAN.  Same with L2TP/ILEC DSL.
> Problems include:
> We have a big NAT pool on each router.  If some twerp customer gets
> infected with some windoze crap, tracking it down can be a bit more
> work.
> Until recently, the IOS could not take huge volumes of NAT without
> tossing its cookies from time to time.
> We have been toying around with VRFs & NAT which was recently introduced
> in the IOS, and it appears that in a NAT situation, the VRFs "leak"
> between each other, which scares the crap out of me.  We are going to
> wait for a couple of revisions of the IOS before looking into that
> again.

Why on earth would you do anything other than push NAT responsibility to
the end-user CPE?

So you can do the aforementioned "cool stuff"?


Andy Dills
Xecunet, Inc.
