PIX501: Can have PAT / NAT both active


!--- Both PAT NAT active
global (outside) 1 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sfaruqiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

grbladesCommented:
What is your exact question?

You can have NAT configured with a range of IP addresses. If you also define a single IP address (PAT) then when and if all the NAT IP's are used it will start to use PAT.
0
sfaruqiAuthor Commented:
grblades:

I heard that for some applications like Polycom web conferencing NAT is better solution so I want to setup PAT and NAT simultaneously for different applications.

I know how to do PAT for 192.168.100.6 for remote desktop, but to learn more I want to setup NAT for another PC 192.168.100.7 for same service.

access-list outside_access_in permit tcp any interface outside eq 5452
static (inside,outside) tcp interface 5452 192.168.100.6 3389 netmask 255.255.255.255 0 0

Can I have both NAT and PAT activate on PIX501 6.3 firewall and if so How?


0
sfaruqiAuthor Commented:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewalltest
domain-name ciscopixtest.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service RmDskTp tcp
  description Remote Desk Top
  port-object range 3389 3389
object-group service Port5451http tcp
  description Http Port 5451
  port-object range 5451 5451
access-list outside_access_in permit tcp any interface outside eq 5452
access-list outside_access_in permit tcp any interface outside eq 5455
access-list outside_access_in permit tcp any interface outside eq 5451
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Verizon DSL (Static)
ip address outside 141.157.215.104

!--- Verizon DSL (Dymanic)
NO ip address outside pppoe setroute

!--- Company Server
NO ip address outside dhcp setroute

ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.100.6 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5452 192.168.100.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 141.157.233.104 5451 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 141.157.233.104 5455 192.168.100.12 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 1:00:00
timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
crypto map mymap 10 ipsec-isakmp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xyz
vpdn group pppoe_group ppp authentication pap
vpdn username xyz password ********* store-local
dhcpd address 192.168.100.2-192.168.100.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
[OK]
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

grbladesCommented:
For internal machines accessing the Internet the difference between NAT and PAT is whether you put a single IP address or a range of IP addresses in the 'global' command.

Completely separately you can also use the 'static' command to allow incoming connections to the servers via PAT/NAT. If you don't specify ports in the static command then everything is translated so it is effectivly NAT. If one external IP address is used like this then you cannot specify the same external address with any other 'static' command.

Do you have a single fixed IP address for your DSL connection?
If you do then you can only really use PAT.
If you have multiple external IP addresses then you can use a combination.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sfaruqiAuthor Commented:
grblades:

Good enough. Thanks. Let me see if I understood right that my above Pix config is based on single public IP and utilizing both PAT and NAT for internal address translation.

And if I get more IP addresses from ISP than I can have one public IP translated to one single Internal address for example my Server.

global (outside) 2 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5452 192.168.100.2 3389 netmask 255.255.255.255 0 0

!--- Verizon DSL (Static)
ip address outside 141.157.215.104
ip address outside 141.157.215.105 (Additional IP)

!---
static (inside,outside) tcp 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0

0
sfaruqiAuthor Commented:
Please if you have time check my other question.

http://www.experts-exchange.com/Security/Firewalls/Q_21186251.html
0
grbladesCommented:
These commands will translate all outbound traffic for machines without a fixed NAT translation using PAT to the external IP address of the PIX:-
ip address outside 141.157.215.104
global (outside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

You don't need this:-
global (inside) 130200 192.168.100.130-192.168.100.200

To add additional NAT entries you just use a 'static' command and don't put additional 'ip address' commands for example:-
static (inside,outside) 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0
Note there is no 'tcp' parameter since you are defining NAT. If you were defining a static PAT entry you would have the protocol and ports listed aswell.

0
sfaruqiAuthor Commented:
Thanks grblades
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.