
Re: NAT etc.

2000-12-22 12:20:03
On Fri, 22 Dec 2000 16:55:48 +0100, TOMSON ERIC 
<Eric(_dot_)Tomson(_at_)siemens(_dot_)atea(_dot_)be>  said:

> <EXAMPLE 1> I have a CATV connection at home. I get only 1 dynamic
> public IP address. However, I have a small internal network (some
> couple of computers). How can I guarantee a full Internet access to
> each one of these computers? => By installing W2K A.S. with NAT on a PC
> having 2 NICs (1 NIC connected to the CATV modem, 1 NIC connected to a
> switch), allowing a full transparent Internet access to an undetermined
> number of PC on my private LAN (depending on the range of private
> addresses I use). </EXAMPLE 1>

The problem is that "full transparent" is a crock.  There's RFC2993
documenting just some of the things that aren't transparent.

Hint 1: Try getting IPsec to run through there, and see how far you get...

Hint 2: Try telnet'ing *INTO* one of the boxes behind the NAT from
outside.

> <EXAMPLE 2> A company has a LAN composed of hundreds of computers and
> wants to give some limited access to the Internet, to its internal
> network. They subscribe to an ISP and ask for 10 fixed addresses. They
> install a router and configure it with NAT in such a way that any 10
> internal hosts can have concurrent connections to the Net by
> dynamically getting a temporary map between their internal address and
> one of the 10 public addresses. As soon as a PC disconnects, its mapped
> address can be assigned to someone else. </EXAMPLE 2>

Discussed in detail in RFC2993 (in particular, section 6 talks about
the TCP TIME_WAIT state and issues related to it)...
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

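As an added illustration of the two hints in the message above (this is example code, not part of Valdis's post or the original thread), a toy Python model of a NAT box: an AH-style integrity check computed over the source address fails once the NAT has rewritten it, and an unsolicited inbound telnet SYN finds no mapping and is dropped. The addresses, ports and key are constructed for the example.

```python
# Added example, not from the thread: toy model of two ways NAT is not
# transparent. (1) An IPsec AH-style ICV covers the IP source address, which
# NAT rewrites, so the peer rejects it. (2) An unsolicited inbound connection
# has no entry in the NAT table and is dropped. All values are constructed.
import hashlib, hmac
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""
    icv: bytes = b""  # AH-style integrity check value

def ah_icv(pkt, key):
    # Simplified AH: ICV over immutable header fields (incl. source address) + payload.
    header = f"{pkt.src}>{pkt.dst}:{pkt.sport}>{pkt.dport}".encode()
    return hmac.new(key, header + pkt.payload, hashlib.sha256).digest()

class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}  # public port -> (private ip, private port)
        self.next_port = 40000

    def outbound(self, pkt):
        # Rewrite private source to the public address and record the mapping.
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pub_port, pkt.dport, pkt.payload, pkt.icv)

    def inbound(self, pkt):
        # Only traffic matching an existing mapping reaches a private host.
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None  # Hint 2: no mapping, so the packet is dropped
        return Packet(pkt.src, entry[0], pkt.sport, entry[1], pkt.payload, pkt.icv)

def ah_verifies_after_nat(nat, key=b"constructed-demo-key"):
    # Hint 1: inside host signs with its private address; peer verifies after NAT.
    inner = Packet("192.168.1.10", "203.0.113.5", 500, 500, b"IKE")
    inner.icv = ah_icv(inner, key)
    outer = nat.outbound(inner)
    return hmac.compare_digest(ah_icv(outer, key), outer.icv)

def unsolicited_telnet_delivered(nat):
    syn = Packet("203.0.113.5", nat.public_ip, 51000, 23, b"SYN")
    return nat.inbound(syn) is not None
```

A reply belonging to the outbound flow is translated back to the private host, which is exactly what the unsolicited SYN lacks.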
