KCN: to NAT or not...
I'm hoping this is the right place to post, the SEGfL site seems to imply that Kent is part of their network. If this is not the right place, then I guess I'll be needing a separate KCN forum.
Anyway, NAT. KCN supply the school with a /30 (1022 addresses) IP range. This is insufficient for our needs, we have over 1000 devices on the network already. So, we have in place a PIX firewall that is performing NAT for our VLANed network, but both the school and EIS are considering its removal. I read that they will now supply us with a Cisco 2811 that they can configure to do NAT (?), but have not yet managed, after over a week of waiting, to speak to anyone at EIS on this subject.
My preferred solution is normally to use ISA 2006 in firewall mode to do NAT, firewall the network, cache and filter web traffic, and publish web servers. KCN on the other hand, already supply us with one ISA 2004 (WebSense) that is caching & filtering web traffic, and are suggesting we install another ISA box, in single NIC mode, to simply be used for re-directing and publishing our internal servers onto the web.
I would like to know if:
- any other schools are running the KCN Cisco 2811 as a gateway to a VLAN'ed network.
- or if you've got more than the standard /30 address space from them
- or if you've come up with other solutions that EIS have allowed you to implement (or managed to implement without their help!)
We have a similar setup. EIS approached us a little while ago about removing our PIX and moving onto their range. We told them we would consider it but have heard little since. We have had a KCN Cisco 2811 behind the PIX for quite some time now. They should be able to give you more address space than that. Personally I would just leave things well enough alone or, if need be, have the 2811 do NAT, which should be easy enough to implement. Speak with Adam Page at EIS and he should be able to accommodate you somehow.
Yes, SEGfL is Kent, amongst others. Used to call it Seagull in the days before KCN!
We've had a 2811 in place for a while now, with an additional ISA server (...in addition to the WebSense box...) for re-routing web hosting.
We also ran out of KCN-assigned IPs some time ago, but were lucky enough that quite a number of nodes don't need Internet access (printers, WAPs, laptops deliberately Internet-less, etc.), so put them on a different scope. Touch wood, we're OK at the moment.
They really should allocate you more if you need it. (Talk to Gavin Hutchinson or Marc Turner, they've always got the job done when I've needed something.)
We applied to KCN to give us a range extension when we ran out of IPs.
They could not extend our range as it had already been used elsewhere but they did give us a brand new /20 range (4024 IPs).
Worth asking as all they do is change their routing tables rather than you having to use NAT. Depends on if they have any spare and if they want to charge you or not.
It was a bit of a pain moving the whole network over to a new range but not as bad as I'd first envisaged.
Better to have a new range than NAT if they will give one to you and you plan your switchover 1st correctly.