On Fri, 22 Dec 2000 16:55:48 +0100, TOMSON ERIC <Eric.Tomson at siemens.atea.be> said:

> <EXAMPLE 1> I have a CATV connection at home. I get only 1 dynamic
> public IP address. However, I have a small internal network (some
> couple of computers). How can I guarantee a full Internet access to
> each one of these computers? => By installing W2K A.S. with NAT on a PC
> having 2 NICs (1 NIC connected to the CATV modem, 1 NIC connected to a
> switch), allowing a full transparent Internet access to an undetermined
> number of PC on my private LAN (depending on the range of private
> addresses I use). </EXAMPLE 1>
>

The problem is that "full transparent" is a crock. There's RFC2993 documenting just some of the things that aren't transparent.

Hint 1: Try getting IPsec to run through there, and see how far you get...

Hint 2: Try telnet'ing *INTO* one of the boxes behind the NAT from outside.

> <EXAMPLE 2> A company has a LAN composed of hundreds of computers and
> wants to give some limited access to the Internet, to its internal
> network. They subscribe to an ISP and ask for 10 fixed addresses. They
> install a router and configure it with NAT in such a way that any 10
> internal hosts can have concurrent connections to the Net by
> dynamically getting a temporary map between their internal address and
> one of the 10 public addresses. As soon as a PC disconnects, its mapped
> address can be assigned to someone else. </EXAMPLE 2>
>

Discussed in detail in RFC2993 (in particular, section 6 talks about the TCP TIME_WAIT state and issues related to it)...,

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
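The dynamic address pool of EXAMPLE 2 and the TIME_WAIT problem the reply points to, as an added Python model that is not part of the original message. The addresses, the port number, the 240-second TIME_WAIT value and the class names are assumptions chosen for illustration.

```python
TIME_WAIT_SECS = 240  # assumed 2*MSL (MSL = 2 minutes); real stacks vary

class DynamicNat:
    """Toy model of the EXAMPLE 2 router: public addresses lent to internal hosts."""
    def __init__(self, pool):
        self.free = list(pool)
        self.mapping = {}                      # internal IP -> public IP

    def connect_out(self, internal_ip):
        if internal_ip not in self.mapping:
            if not self.free:
                return None                    # pool exhausted, no access
            self.mapping[internal_ip] = self.free.pop(0)
        return self.mapping[internal_ip]

    def disconnect(self, internal_ip):
        # Freed address goes to the front, so the next host reuses it at once.
        self.free.insert(0, self.mapping.pop(internal_ip))

    def inbound(self, public_ip):
        # Unsolicited traffic is deliverable only while a mapping exists.
        for inside, outside in self.mapping.items():
            if outside == public_ip:
                return inside
        return None

class RemoteServer:
    """Peer that closed first and so holds TIME_WAIT, keyed on what it sees."""
    def __init__(self):
        self.time_wait = {}                    # (client IP, client port) -> expiry

    def close(self, ip, port, now):
        self.time_wait[(ip, port)] = now + TIME_WAIT_SECS

    def accepts_syn(self, ip, port, now):
        # Simplification: a SYN matching a TIME_WAIT entry is refused outright.
        return now >= self.time_wait.get((ip, port), 0)

def run_scenario():
    nat = DynamicNat([f"192.0.2.{i}" for i in range(1, 11)])   # constructed pool of 10
    server = RemoteServer()
    pub_a = nat.connect_out("10.0.0.5")        # host A borrows an address
    server.close(pub_a, 1025, now=0)           # server ends A's session at t=0
    nat.disconnect("10.0.0.5")
    dropped = nat.inbound(pub_a)               # nobody is mapped: None
    pub_b = nat.connect_out("10.0.0.9")        # host B inherits A's address
    return {"pub_a": pub_a, "pub_b": pub_b, "unsolicited_inbound": dropped,
            "syn_at_30s": server.accepts_syn(pub_b, 1025, now=30),
            "syn_at_300s": server.accepts_syn(pub_b, 1025, now=300)}

if __name__ == "__main__":
    print(run_scenario())
```

Host B never talked to the server, yet its first SYN is judged against state left behind by host A, because the server can only see the shared public address.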
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.