Educause Security Discussion mailing list archives

Re: HEOA Question


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Mon, 31 Jan 2011 10:09:18 -0500

On Mon, Jan 31, 2011 at 9:56 AM, Matthew Gracie <graciem () canisius edu> wrote:

> On 01/31/2011 09:44 AM, William Derwostyp wrote:
>
>> I am going to assume that there are other universities that use the NAT
>> process to control traffic on their perimeter and use non-routable
>> addresses on the internal network. Is there any tool or application I
>> can use that will help to tie the notices back to the person without
>> having to go back to public addressing?
>
> If you're using Cisco gear on the edge of the wireless network to handle
> the NATing, it might be helpful to turn on Netflow and send the flow
> data to a collector. Even an open-source tool like Flowviewer would give
> you better records of which client is passing what kind of traffic;
> depending on the number of IPs we're talking about, that might be
> sufficient to handle your HEOA demands.

I like netflow data; it gives you a great view into where folks are
going, and as Matt said, it can be really useful for tracking down who
did what (assuming you export pre-NAT), but conflicts can still arise.
Logging the translations is crucial.

It's my understanding that Cisco can log NAT translations. If you're
using pf for NAT you can log from the pfsync device (used for sharing
state between firewalls - specifically for sharing state between two
bridging firewalls) and parse the state creation/deletion times. Both
will allow for a timestamp, pre-NAT IP:port, the IP:port on the
external router interface and the IP:port of the destination.

I assume Juniper and the others can log the translations as well,
particularly since so many vendors build their devices on NetBSD and
FreeBSD.

kmw

-- 
Kevin Wilcox GPEN, GCIH
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
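The correlation Kevin describes (timestamp plus external IP:port and destination from a notice, matched against logged NAT state create/delete events to recover the pre-NAT host) as an added example; this is not code from the thread, the log format is a constructed flattening of pfsync-style state events rather than any vendor's real syslog format, and the tolerance window is an assumption to absorb clock skew between the notice sender and the firewall. It also surfaces the conflict Kevin warns about: when a public port is reused close to the notice time, more than one candidate comes back and the match must be treated as ambiguous rather than attributed to one person.

```python
from datetime import datetime, timedelta

# Constructed NAT translation log (not a real vendor format): one line per
# state create/delete event, fields are
#   timestamp  action  pre-NAT ip:port  post-NAT ip:port  destination ip:port
NAT_LOG = """\
2011-01-31T09:10:05 create 10.20.30.41:51234 203.0.113.7:40001 198.51.100.9:6881
2011-01-31T09:12:44 create 10.20.30.55:44120 203.0.113.7:40002 198.51.100.9:6881
2011-01-31T09:30:00 delete 10.20.30.41:51234 203.0.113.7:40001 198.51.100.9:6881
2011-01-31T09:31:10 create 10.20.30.88:60000 203.0.113.7:40001 198.51.100.9:6881
2011-01-31T10:00:00 delete 10.20.30.88:60000 203.0.113.7:40001 198.51.100.9:6881
"""


def parse_translations(log):
    """Pair each 'create' with its matching 'delete' into a translation
    interval. States still open at the end of the log get end=None."""
    open_states, intervals = {}, []
    for line in log.splitlines():
        ts, action, pre, post, dst = line.split()
        key, when = (pre, post, dst), datetime.fromisoformat(ts)
        if action == "create":
            open_states[key] = when
        elif action == "delete" and key in open_states:
            intervals.append({"pre": pre, "post": post, "dst": dst,
                              "start": open_states.pop(key), "end": when})
    for (pre, post, dst), start in open_states.items():  # still-live states
        intervals.append({"pre": pre, "post": post, "dst": dst,
                          "start": start, "end": None})
    return intervals


def find_internal_hosts(intervals, notice_time, public_ip, public_port,
                        dst_ip, tolerance=timedelta(minutes=5)):
    """Return every pre-NAT ip:port that held public_ip:public_port towards
    dst_ip at notice_time (widened by `tolerance`, an assumed skew allowance).
    An empty list means no translation covers the notice; more than one entry
    means the port was reused around that time and attribution is ambiguous."""
    wanted = f"{public_ip}:{public_port}"
    hits = []
    for iv in intervals:
        if iv["post"] != wanted or not iv["dst"].startswith(dst_ip + ":"):
            continue
        started = iv["start"] - tolerance <= notice_time
        ended = iv["end"] is None or notice_time <= iv["end"] + tolerance
        if started and ended:
            hits.append(iv["pre"])
    return hits
```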