Our NAT is performed by our firewalls (Cisco ASAs) at the last hop before the border router. Everything "inside" (packet shaping, IPS/IDS, etc) is dealing with the internal addresses, the only use of the external IPs is when we receive "external" reports.
We have adequate NAT pools to do 1-to-1 dynamic NAT, with some room for overload overflow. This simplifies the "outside-to-inside" translation by just looking at the IPs of the connections, or when feasible, just looking at the 1-to-1 assignment and release log messages (if you have persistently active inside clients, you won't get these messages with any regularity).

We send the ASA logs to a generic syslog server at the moment. We've tried throwing it into various log correlation systems (ArcSight, Splunk, etc.) but the sheer volume will make your life miserable for what you really want SIEM integration to be doing. So we only refer to the bulk logs for inside-to-outside correlation and deal with everything else on an internal IP basis (which we can correlate comfortably).

Jeff

On 6/20/2013 11:25 PM, Charles Rumford wrote:
> We are currently investigating different NAT solutions and deployments, and I
> would be curious how other schools handle the legal aspects of connection
> tracking, and keeping users accountable for their actions.
>
> We are starting from scratch, and open to trying and investigating different
> solutions.
>
> -Charles
>
> On Jun 19, 2013, at 11:43 AM, Michael Hulko <mihu...@uwo.ca> wrote:
>
>> This subject was introduced a year ago, and several schools had varying
>> methods of recording NAT'd communications for legal requirements. Several
>> schools use the same process as we do, using a combination of Airwave,
>> LanGuardian, and Netflow. We had avoided using connection tracking local on
>> the box as we feel that this would greatly impact service. I am interested
>> to know what other schools are doing in this arena, if anything?
>>
>> Michael Hulko
>> Network Analyst
>>
>> Western University Canada
>> Network Operations Centre
>> Information Technology Services
>> 1393 Western Road, SSB 3300CC
>> London, Ontario N6G 1G9
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
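The outside-to-inside lookup Jeff describes, walking the ASA "Built/Teardown dynamic translation" syslog messages to find which inside host held a given outside address at the time named in an external report. This is an added example, not code from the thread or from Cisco; the 305009/305010 (1-to-1 NAT, no port) and 305011/305012 (PAT, with port) message layouts are assumed from the ASA syslog format, the log lines are constructed, and the year must be supplied because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Assumed ASA message layout (constructed sample lines below). Ports are optional,
# so both 1-to-1 dynamic NAT (305009/305010) and PAT (305011/305012) are handled.
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-6-3050(?:09|10|11|12): "
    r"(?P<event>Built|Teardown) dynamic (?:(?P<proto>TCP|UDP) )?translation "
    r"from \S+:(?P<inside_ip>[\d.]+)(?:/(?P<inside_port>\d+))? "
    r"to \S+:(?P<outside_ip>[\d.]+)(?:/(?P<outside_port>\d+))?"
)

# Constructed sample log: one 1-to-1 xlate torn down and reassigned, one PAT xlate,
# and one unrelated connection-teardown message (302014) that must be ignored.
SAMPLE_LOG = """\
Jun 20 23:10:05 asa1 %ASA-6-305009: Built dynamic translation from inside:10.20.30.40 to outside:203.0.113.17
Jun 20 23:12:44 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.41/51022 to outside:203.0.113.250/51022
Jun 20 23:40:12 asa1 %ASA-6-305010: Teardown dynamic translation from inside:10.20.30.40 to outside:203.0.113.17 duration 0:30:07
Jun 20 23:41:00 asa1 %ASA-6-305009: Built dynamic translation from inside:10.20.30.99 to outside:203.0.113.17
Jun 20 23:45:33 asa1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.9/443 to inside:10.20.30.41/51022 duration 0:00:10 bytes 1234 TCP FINs
""".splitlines()

def parse_xlates(lines, year):
    """Yield (timestamp, event, inside_ip, outside_ip, outside_port) per xlate message.

    Non-matching lines (connection events, other message ids) are skipped."""
    for line in lines:
        m = XLATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["event"], m["inside_ip"], m["outside_ip"], m["outside_port"]

def lookup_inside(lines, outside_ip, at, outside_port=None, year=2013):
    """Return the inside IP that held outside_ip (and port, as a string, for PAT)
    at datetime `at`, or None if no translation was live then.

    Replays the log in order: a Built opens a live entry keyed by the outside
    address, a Teardown closes it. Caveat from the thread: a persistent client
    whose Built precedes the start of the log window is never seen here."""
    live = {}
    for ts, event, inside_ip, o_ip, o_port in parse_xlates(lines, year):
        if ts > at:
            break
        if event == "Built":
            live[(o_ip, o_port)] = inside_ip
        else:
            live.pop((o_ip, o_port), None)
    return live.get((outside_ip, outside_port))
```

Feed it the syslog lines for the window around the reported time; a report that names an outside address without a port can only be resolved for the 1-to-1 pool, not for overload entries.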