Given the following simplistic network
Network http://www.vbforums.com/picture.php?albumid=18&pictureid=47
Would it be possible to construct NAT / PAT pools such that the PCs attached to the network could be identified by their port number? I understand that if I assign a public IP to each user I can identify them. What I am trying to do is to conserve public IPs, but maintain the ability to identify the user from the public network. If your answer is vendor specific that is OK with me. Thanks in advance.
All you would have to do is look at the current NAT translation table on the NAT device to see what port the IP maps to. For instance, on a Cisco router, 192.168.1.82 connecting to Google via PAT to the public IP of 12.12.12.12:
Update:
I think I understand now. I don't know of any implementation of this, but I don't see why it wouldn't work. You could in theory map each internal IP to a different port range. Since overload translates the internal IP/TCP source port combo to an external IP/TCP source port, you could assign certain external source port ranges to each internal IP (the previous could also be UDP ports). For example:
The problem with overloading is that you start to limit the possible connections, because instead of a normal 4-item combination to identify a session (source IP, source port, destination IP, destination port), you are limited to 3. So when you restrict one of these even more by limiting the port range, you limit the number of sessions. So in my above example, your IP 192.168.1.2 could only have up to 2000 connections to any specific public IP. I also don't know if overload code works like this, as it might use just the source port to translate instead of the source port / source IP (talking about return packets here) to be faster.
Maybe you could get around that with sequence number trickery, but I think that would take a lot of TCP reworking and open up security holes. If this has been implemented I will be a little surprised. NAT is kind of a hack, I think, to help with IP shortage. PAT/Overload is kind of a further hack of this, making it a hack of a hack. To start identifying sessions by sequence numbers would then be a hack of a hack of a hack. At that point, it is really time for IPv6 already :-)
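The scheme sketched in the answer above (a fixed, disjoint external port range per inside host, so that an outside party can map an observed source port back to the inside host) is easy to model. The following is an added example, not code from any poster and not any vendor's NAT implementation; the public address, inside hosts, port ranges and remote endpoints are all constructed. It keys return traffic on the full outside tuple (external port, remote IP, remote port), which is what yields the "2000 flows to one remote endpoint" ceiling the answer describes; an implementation that keys on the external port alone would hit that ceiling across all remote endpoints at once.

```python
"""Toy PAT (NAT overload) table that gives each inside host its own
external port range, so external port -> inside host is recoverable.

Constructed illustration only; not any vendor's implementation.
"""

from dataclasses import dataclass, field

PUBLIC_IP = "12.12.12.12"  # constructed public address used for all hosts

# Constructed per-host port ranges: 2000 disjoint ports each.
PORT_RANGES = {
    "192.168.1.2": range(10000, 12000),
    "192.168.1.3": range(12000, 14000),
    "192.168.1.82": range(14000, 16000),
}


@dataclass
class PatTable:
    # (ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    active: dict = field(default_factory=dict)

    def allocate(self, inside_ip, inside_port, remote_ip, remote_port):
        """Create a translation for a new outbound flow.

        Returns the external port chosen from the host's range, or None
        when every port in that range is already in use towards this
        remote endpoint (the session ceiling discussed in the thread).
        """
        ports = PORT_RANGES.get(inside_ip)
        if ports is None:
            return None  # host has no range assigned: no translation
        for ext_port in ports:
            key = (ext_port, remote_ip, remote_port)
            if key not in self.active:
                self.active[key] = (inside_ip, inside_port)
                return ext_port
        return None

    def release(self, ext_port, remote_ip, remote_port):
        """Drop a translation when the flow ends."""
        self.active.pop((ext_port, remote_ip, remote_port), None)

    def translate_return(self, ext_port, remote_ip, remote_port):
        """Map a return packet back to (inside_ip, inside_port), or None."""
        return self.active.get((ext_port, remote_ip, remote_port))


def identify_host(ext_port):
    """What the outside party can do without access to the NAT device:
    map a source port seen on PUBLIC_IP to the inside host by range."""
    for inside_ip, ports in PORT_RANGES.items():
        if ext_port in ports:
            return inside_ip
    return None


def demo_exhaustion(remote_ip="203.0.113.10", remote_port=80):
    """Open flows from 192.168.1.2 to one constructed remote endpoint until
    its 2000-port range is used up.

    Returns (flows_that_succeeded, can_still_reach_other_endpoint).
    """
    table = PatTable()
    count = 0
    for inside_port in range(1024, 65536):
        ext = table.allocate("192.168.1.2", inside_port, remote_ip, remote_port)
        if ext is None:
            break
        count += 1
    # The key includes the remote endpoint, so a flow to a different
    # remote address still gets a translation.
    other_ok = table.allocate("192.168.1.2", 5000, "203.0.113.11", 80) is not None
    return count, other_ok


if __name__ == "__main__":
    t = PatTable()
    port = t.allocate("192.168.1.82", 49152, "203.0.113.10", 80)
    print(f"{PUBLIC_IP}:{port} is host {identify_host(port)}")
    print("flows to one endpoint before exhaustion:", demo_exhaustion())
```

Running the block shows the two sides of the trade-off from the answer: the observer can name the inside host from the public port alone, and the price is that each host gets at most 2000 simultaneous flows to any one remote endpoint.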
On a Cisco router you can do the following:
This will cause each translation to get sent to the syslog server. The entries will look something like:
which mirrors the output of "show ip nat translation" on the router. You should get log messages when a translation is created and deleted.
OK, so if this is just for general access outbound from your network, then all you're really gonna need is a standard NAT-T + DHCP box. With the DHCP, you can either do static DHCP, or have high lease times, so that the machines on the inside keep the same address. Then you can always know who's who.
The problem with using ports on the public side to identify internal machines, when you're just doing general outbound access, is that the return ports are going to be randomly generated on the server the user is connecting to. So there is no way to really track or guess what that's going to be.
If you were doing inbound connections, then you would just set up PAT/port forwarding to the internal address of choice, but that's not the case here.
As for solutions, pretty much anything on the market will do this; you can also set up iptables + dhcpd on Linux, or a PF + dhcpd solution on BSD machines.