Problems with removing NAT from a network

Thu Jan 6 03:08:51 UTC 2011

You didn't mention, but are you introducing a second border router? Is
the new upstream circuit from a new provider, or is it a second,
redundant circuit to the same provider in a different POP? Does your
customer have their own portable address space, or are they using
provider address space?

I'll make some presumptions: yes, it is a different provider, and no,
they don't have their own address space.

Based on those guesses/presumptions, I'd push to acquire portable
address space. Advertise it to both providers, carve a chunk of that
address space off and route it to a firewall(s) to perform border NAT.
Migrate old, provider dependent external NAT space to new, portable
address space.

-M

On Wed, Jan 5, 2011 at 6:38 PM, ML <ml at kenweb.org> wrote:
> I've got a customer that is looking to multihome with upstreams in two POPs.
>  Currently they multihome in one POP and utilize a single edge router for
> some one to one NAT and some PAT for their users.
>
> Before they turn up the BGP peer in the new POP I've advised them to abolish
> NAT once and for all in order to avoid issues with non-stateful NAT between
> network edges and possible asymmetric routing of their Internet traffic.
>
> The PAT can be removed easily enough.  The tricky part is the one-one NAT.
> They have quite a few systems which have 1918 IPs which they claim "cannot
> be changed". At least not without some painful rebuilds of criticals systems
> which have these IPs deeply embedded in their configs.
>
> Has anyone here had to fix this kind of problem before? Is there a solution
> that would allow NAT to offloaded to a smaller device hanging off each edge
> router that can communicate state between each other in case traffic is
> asymmetrically routed?
>
>