PIX501: Can have PAT / NAT both active


!--- Both PAT NAT active
global (outside) 1 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Asked by: sfaruqi
grblades commented:
For internal machines accessing the Internet the difference between NAT and PAT is whether you put a single IP address or a range of IP addresses in the 'global' command.

Completely separately you can also use the 'static' command to allow incoming connections to the servers via PAT/NAT. If you don't specify ports in the static command then everything is translated so it is effectively NAT. If one external IP address is used like this then you cannot specify the same external address with any other 'static' command.

Do you have a single fixed IP address for your DSL connection?
If you do then you can only really use PAT.
If you have multiple external IP addresses then you can use a combination.
0
 
grblades commented:
What is your exact question?

You can have NAT configured with a range of IP addresses. If you also define a single IP address (PAT) then when and if all the NAT IPs are used it will start to use PAT.
0
 
sfaruqi (author) commented:
grblades:

I heard that for some applications like Polycom web conferencing NAT is a better solution, so I want to set up PAT and NAT simultaneously for different applications.

I know how to do PAT for 192.168.100.6 for remote desktop, but to learn more I want to set up NAT for another PC, 192.168.100.7, for the same service.

access-list outside_access_in permit tcp any interface outside eq 5452
static (inside,outside) tcp interface 5452 192.168.100.6 3389 netmask 255.255.255.255 0 0

Can I have both NAT and PAT active on a PIX501 6.3 firewall and, if so, how?


0
sfaruqi (author) commented:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewalltest
domain-name ciscopixtest.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service RmDskTp tcp
  description Remote Desk Top
  port-object range 3389 3389
object-group service Port5451http tcp
  description Http Port 5451
  port-object range 5451 5451
access-list outside_access_in permit tcp any interface outside eq 5452
access-list outside_access_in permit tcp any interface outside eq 5455
access-list outside_access_in permit tcp any interface outside eq 5451
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Verizon DSL (Static)
ip address outside 141.157.215.104

!--- Verizon DSL (Dynamic)
NO ip address outside pppoe setroute

!--- Company Server
NO ip address outside dhcp setroute

ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.100.6 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5452 192.168.100.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 141.157.233.104 5451 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 141.157.233.104 5455 192.168.100.12 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 1:00:00
timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
crypto map mymap 10 ipsec-isakmp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xyz
vpdn group pppoe_group ppp authentication pap
vpdn username xyz password ********* store-local
dhcpd address 192.168.100.2-192.168.100.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
[OK]
0
 
sfaruqi (author) commented:
grblades:

Good enough. Thanks. Let me see if I understood right that my above PIX config is based on a single public IP and utilizing both PAT and NAT for internal address translation.

And if I get more IP addresses from the ISP, then I can have one public IP translated to one single internal address, for example my server.

global (outside) 2 interface
global (inside) 130200 192.168.100.130-192.168.100.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5452 192.168.100.2 3389 netmask 255.255.255.255 0 0

!--- Verizon DSL (Static)
ip address outside 141.157.215.104
ip address outside 141.157.215.105 (Additional IP)

!---
static (inside,outside) tcp 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0

0
 
sfaruqi (author) commented:
If you have time, please check my other question.

http://www.experts-exchange.com/Security/Firewalls/Q_21186251.html
0
 
grblades commented:
These commands will translate all outbound traffic for machines without a fixed NAT translation using PAT to the external IP address of the PIX:-
ip address outside 141.157.215.104
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

You don't need this:-
global (inside) 130200 192.168.100.130-192.168.100.200

To add additional NAT entries you just use a 'static' command and don't put additional 'ip address' commands for example:-
static (inside,outside) 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0
Note there is no 'tcp' parameter since you are defining NAT. If you were defining a static PAT entry you would have the protocol and ports listed as well.

0
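Added example, not code from either poster or from Cisco: a Python classifier that applies the rules given in the answers above (a range in 'global' is a NAT pool and a single address or 'interface' is PAT; a 'static' with protocol and ports is static PAT, without them static NAT) to PIX 6.3 lines. The 203.0.113.x pool, the name `classify`, and the check that `nat` and `global` pair by id (documented PIX 6.3 behaviour, not stated in the thread) are additions.

```python
import re

# Constructed sample in PIX 6.3 syntax. The static lines are quoted from the thread
# (the last one is the malformed attempt); the 203.0.113.x pool is made up.
SAMPLE = """\
global (outside) 1 interface
global (outside) 2 203.0.113.10-203.0.113.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5452 192.168.100.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0
static (inside,outside) tcp 141.157.233.105 192.168.100.5 netmask 255.255.255.255 0 0
"""

GLOBAL = re.compile(r"global \(\w+\) (\d+) (\S+)")
NAT = re.compile(r"nat \(\w+\) (\d+) ")
STATIC = re.compile(r"static \(\w+,\w+\) (?:(tcp|udp) )?\S+ (\S+)")
IPV4 = re.compile(r"\d+(\.\d+){3}")

def classify(config):
    """Label each global/static line and collect warnings about inconsistent entries."""
    kinds, warnings, global_ids, nat_ids = [], [], set(), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := GLOBAL.match(line):
            global_ids.add(m.group(1))
            # A range is a dynamic NAT pool; 'interface' or a single address is PAT.
            kinds.append("dynamic NAT pool" if "-" in m.group(2) else "PAT")
        elif m := NAT.match(line):
            if m.group(1) != "0":  # nat 0 is NAT exemption and needs no global
                nat_ids.add(m.group(1))
        elif m := STATIC.match(line):
            proto, after_global_ip = m.groups()
            # Protocol plus ports means static PAT; no protocol means static NAT.
            kinds.append("static PAT" if proto else "static NAT")
            # With a protocol, the token after the global address must be a port.
            if proto and IPV4.fullmatch(after_global_ip):
                warnings.append(f"'{proto}' given but no ports: {line}")
    # Assumption from PIX 6.3 behaviour, not stated in the thread: nat and global pair by id.
    warnings += [f"nat id {i} has no matching global" for i in sorted(nat_ids - global_ids)]
    warnings += [f"global id {i} has no matching nat" for i in sorted(global_ids - nat_ids)]
    return kinds, warnings

if __name__ == "__main__":
    kinds, warnings = classify(SAMPLE)
    print(kinds)
    print("\n".join(warnings))
```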
 
sfaruqi (author) commented:
Thanks grblades
0