On 8/22/2011 7:31 PM, Hurt,Trenton William wrote:
>
> We have recently deployed wireless in all our residence halls and are
> in the process of completing a ubiquitous wireless deployment across
> our entire campus.  We currently use public IPs for the wireless
> address space to serve client devices.  We are concerned that we will
> eventually run out of usable IPs for client use in the near future,
> and therefore have begun looking at moving to a NAT/PAT environment.  I
> would like to hear from folks who have done this and get feedback
> about any issues that they saw during/after this transition, and how
> they handled them.  (DMCA, gaming, etc.)  I have searched the forum
> and found these posts, but I would like to get an updated thread going
> in case any new issues have arisen since these posts.
>

My four year old answer is in another Educause forum,
http://seclists.org/educause/2007/q2/199

Short form of that is that we NAT the majority of our campus, servers
included, and have for over a decade.  There are some caveats:

(1) You will need logging to maintain any degree of accountability of
external-to-internal IP mapping at a given time.
(2) You will be more susceptible to certain [D]DoS, but not much more so
than any other stateful firewall implementation.
(3) You really want one-to-one NAT, not overload/PAT.   It can remain
dynamic (shared public pool) but you really want one-to-one.
(4) You must deal with DNS (internal/external, or stateful DNS
inspection/translation by your NAT device).
(5) IPv6 fans and IPv4 purists will snicker behind your back :)

Jeff

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
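
Caveat (1) combined with the dynamic shared pool in caveat (3) means a complaint naming a public address can only be traced if translation events are logged with timestamps. The following is an added example, not part of the original message: it resolves "who held this outside address at this time" from a constructed log whose line format, addresses and function names are assumptions rather than any NAT device's real output.

```python
from datetime import datetime, timezone

# Constructed sample log; the "<UTC time> BIND|RELEASE <inside> -> <outside>"
# layout is an assumption, not the format of any particular NAT device.
SAMPLE_LOG = """\
2011-08-22T19:00:00Z BIND 10.20.30.41 -> 192.0.2.17
2011-08-22T19:05:10Z BIND 10.20.31.7 -> 192.0.2.18
2011-08-22T20:15:00Z RELEASE 10.20.30.41 -> 192.0.2.17
2011-08-22T20:40:30Z BIND 10.20.44.9 -> 192.0.2.17
2011-08-22T23:00:00Z BIND 10.20.50.2 -> 192.0.2.18
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_intervals(log_text):
    """Return {outside_ip: [[start, end_or_None, inside_ip], ...]} in time order."""
    intervals = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("BIND", "RELEASE") or parts[3] != "->":
            continue  # skip lines that are not translation events
        when, event, inside, outside = parse_ts(parts[0]), parts[1], parts[2], parts[4]
        history = intervals.setdefault(outside, [])
        if history and history[-1][1] is None:
            # Close the open binding on RELEASE, or on a new BIND when the
            # RELEASE record was lost (the address cannot map to two hosts).
            if event == "BIND" or history[-1][2] == inside:
                history[-1][1] = when
        if event == "BIND":
            history.append([when, None, inside])
    return intervals

def who_had(intervals, outside_ip, when_text):
    """Inside address bound to outside_ip at the given UTC time, or None."""
    when = parse_ts(when_text)
    for start, end, inside in intervals.get(outside_ip, []):
        if start <= when and (end is None or when < end):
            return inside
    return None

if __name__ == "__main__":
    table = build_intervals(SAMPLE_LOG)
    # Same public address, two different clients on the same evening.
    print(who_had(table, "192.0.2.17", "2011-08-22T19:30:00Z"))
    print(who_had(table, "192.0.2.17", "2011-08-22T21:00:00Z"))
    print(who_had(table, "192.0.2.17", "2011-08-22T20:20:00Z"))
```

The lookup is only as good as the clock on the device writing the log, so the translation log and the complaint timestamp need to be compared in the same time zone.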
