On 7/16/12, Grant Ridder <shortdudey...@gmail.com> wrote:
> If you are running an HA pair, why would you care which box it went back
> through?

You wouldn't. But if you've got an HA pair at site A and another HA
pair at site B..

Lee

>
> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>>
>> In message <CAD8GWsswFwnPKTfxt=
>> squumzofs3_-yrihy8o4gt3w9+x6f...@mail.gmail.com>, Lee
>> writes:
>> > On 7/16/12, Owen DeLong <o...@delong.com> wrote:
>> > >
>> > > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> > > being able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> > > conservation. It has no good use in IPv6.
>> >
>> > NAT is good for getting the return traffic to the right firewall. How
>> > else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>> > Yes, it's possible to get traffic back to the right place without NAT.
>> > But is it as easy as just NATing the outbound traffic at the
>> > firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>
>>
>