We do this with A10 Networks CGN boxes. They have a feature they call fixed NAT, which predetermines some number of inside addresses to a pool of outside addresses. These mappings are static, so when you get a particular inside address you'll always get a particular outside address within a defined static port range. If you know one you'll know the other. We log the traffic, so we can pretty much look back and time correlate use via DHCP and 802.1x.

Bruce Boardman
Networking
Syracuse University
315 412-4156

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerry Bucklaew
Sent: Wednesday, January 14, 2015 2:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT tracking question

To ALL:

We have a large Cisco wireless deployment with public IP address space. Getting more public IPs is getting difficult so we are considering going to NAT. The issue we have with NAT is that we still want to be able to map an outside IP back to an individual user. Once you go to NAT that of course becomes more difficult to do. I know a lot of you are probably already doing this and I was wondering how and what products do you use? I assume most have a one to many NAT and then use something like a netflow collector to track the inside NAT IP to the outside Src-IP/DST-IP/Port/Time. Any good working solutions or products would be helpful.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
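
The fixed-NAT lookup described in the reply above, as an added example that is not part of the original thread and is not A10's algorithm: a generic deterministic mapping (in the style of RFC 7422) where each inside address owns one fixed port block on one outside address, followed by the DHCP/802.1X time correlation. The address ranges, block size, lease records, identities and all function names are constructed assumptions.

```python
import ipaddress
from datetime import datetime

PORT_LO, PORT_HI = 1024, 65535  # assumed usable NAT port range
class FixedNat:
    """Each inside address owns one fixed port block on one outside address."""
    def __init__(self, inside, outside, ports_per_host):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        self.size = ports_per_host
        self.blocks = (PORT_HI - PORT_LO + 1) // ports_per_host  # blocks per outside IP
        if self.inside.num_addresses > self.blocks * self.outside.num_addresses:
            raise ValueError("outside pool too small for this block size")

    def forward(self, inside_ip):
        idx = int(ipaddress.ip_address(inside_ip)) - int(self.inside.network_address)
        if not 0 <= idx < self.inside.num_addresses:
            raise ValueError("address not in inside range")
        out_idx, block = divmod(idx, self.blocks)
        lo = PORT_LO + block * self.size
        return str(self.outside.network_address + out_idx), lo, lo + self.size - 1

    def reverse(self, outside_ip, port):
        out_idx = int(ipaddress.ip_address(outside_ip)) - int(self.outside.network_address)
        block = (port - PORT_LO) // self.size
        idx = out_idx * self.blocks + block
        if (not 0 <= out_idx < self.outside.num_addresses or port < PORT_LO
                or block >= self.blocks or idx >= self.inside.num_addresses):
            raise ValueError("no inside host owns this address/port")
        return str(self.inside.network_address + idx)

# Constructed sample data: shared/documentation address space, invented identities.
NAT = FixedNat("100.64.0.0/22", "198.51.100.0/28", ports_per_host=1000)
LEASES = [  # (inside IP, lease start, lease end, 802.1X identity)
    ("100.64.0.65", "2015-01-14T13:00:00", "2015-01-14T15:00:00", "user-a"),
    ("100.64.0.65", "2015-01-14T15:00:00", "2015-01-14T17:00:00", "user-b"),
]

def who_was(nat, outside_ip, port, when):
    """Map an outside IP/port seen at time `when` to (inside IP, identity or None)."""
    inside = nat.reverse(outside_ip, port)
    t = datetime.fromisoformat(when)
    for ip, start, end, ident in LEASES:
        if ip == inside and datetime.fromisoformat(start) <= t < datetime.fromisoformat(end):
            return inside, ident
    return inside, None

if __name__ == "__main__":
    print(NAT.forward("100.64.0.65"), who_was(NAT, "198.51.100.1", 2500, "2015-01-14T15:30:00"))
```

The same inside address resolves to different identities depending on the timestamp, so the complaint's time and the lease records need a common clock and time zone.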