Solved

Cisco Pix - NAT pool

Posted on 2006-11-20
5
755 Views
Last Modified: 2013-11-16
Cisco PIX 501
PIX ver 6.3.(3)117

I have NAT pool set up from x.x.x.71-x.x.x.125, which gives me 59 addresses.  I have anywhere from 45-65 internal clients at any one time.  I also have a PAT address of x.x.x.2.  I have been running out of addresses lately, so I dropped the release time to 15 minutes, which seems to have resolved the problem for now.

1.  Why isn't my PAT address taking over when my NAT pool is used.

2.  Is there a way to list the NAT addresses that are currently in use (some sort of grid that shows z.z.z.10-x.x.x.10).

3.  Whats the best solution to resolve my lack out addresses for each client.

Thanks,
Darren
0
Comment
Question by:darrennelson
  • 3
  • 2
5 Comments
 

Author Comment

by:darrennelson
ID: 17984084
also, my internal static addresses go from z.z.z.8-71, so I can't lower my NAT pool addresses lower than x.x.x.71.
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 17984139
1.  Are a lot of your users doing streaming audio/video for long periods of time?? What's your config look like?  Please post your complete but "sanitized" config (passwords removed, public IPs masked like so: x.x.23.4).  
   But more importantly:
A) What's the output of "sh ver"?  Unless this PIX has an "Unlimited" license, the next smaller size license is for 50 simultaneous inside IPs that can gain Internet access.
B) Even if you have a 50-user or "unlimited" license on this PIX, the practical limit is actually around <50 clients - the little 501 just can't handle too many inside hosts.
C) Looks like you're running a beta version of 6.3 series software? If this PIX has current SmartNet, I highly suggest upgrading to 6.3(5) - a solid version with many, many bugfixes & security fixes.

2. "sh xlate" shows your current NAT table.

3.  Just curious why you feel you need a single address for each client?  If you have >40 busy inside hosts, I'd suggest moving up to a PIX 506E (has a single license mode of "unlimited" & can service around 100 clients), or a PIX 515E with can service 200+ clients.

cheers
0
 

Author Comment

by:darrennelson
ID: 17988861
1.  No, but this was all configured before I came onboard.  We have since doubled the number of clients on the network. (config at end of post)

A) we an unlimited license
B) 'sh xlate' shows "55 in use, 82 most used"
C) I have looked into the software versioning, looks like the company didnt want to shell out the money for anything more.

2. N/A

3. I don't think we need a single address for each client, but once again, it was configured before I came onboard.  I wouldn't mind putting the majority of clients on a PAT address, but I have heard that PATing won't work with things like SSL and other connections aside from basic HTTP.

This is probably for the best, because we dont have much in the way of policy or procedure.  I don't see getting a budget money for a new piece of hardware, so I will have to come up with an alternate solution.  I am considering subnetting our network.  We have quit a few contractors and outside vendors that currently all pull from the same pool.  I think with the combination of a subnet and PATing, I can come up with a solution.

Here is the config file, I would appreciate comments on the above paragraph.

: Saved
: Written by enable_15 at 14:32:47.909 UTC Thu Nov 16 2006
PIX Version 6.3(3)117
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname XXXXXXXX
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name z.z.z.19 C3_Proserver
name z.z.z.6 NT1
name z.z.z.3 PDC
name z.z.z.60 DanXP
name z.z.z.61 c3Mac02
name z.z.z.70 QAslave
name z.z.z.69 C3mtq
name z.z.z.67 QA03_nicole
name z.z.z.68 QA02_Susan
name z.z.z.65 QA01_Bart
name z.z.z.22 Clash
name z.z.z.62 DP2k
name z.z.z.15 GoGos
name z.z.z.5 nt2
name z.z.z.25 SQLSERVER2k
name z.z.z.36 Sting
name z.z.z.8 domain.com
name z.z.z.47 domain.com
name z.z.z.43 Mshirley.com
name z.z.z.42 domain.org
name z.z.z.41 domain.com
name z.z.z.11 SPS01
name z.z.z.34 Fixx
name z.z.z.39 FMEC
name z.z.z.64 c3MTQ2
name z.z.z.49 southbaysailing
name z.z.z.55 Qa05
name z.z.z.9 U2
name z.z.z.17 Styx
name x.x.x.1 GatewayRouter
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit tcp any host x.x.x.8 eq www
access-list outside_access_in permit tcp any host x.x.x.8 eq ftp
access-list outside_access_in permit tcp any host x.x.x.43 eq www
access-list outside_access_in permit tcp any host x.x.x.42 eq www
access-list outside_access_in permit tcp any host x.x.x.47 eq www
access-list outside_access_in permit tcp any host x.x.x.41 eq www
access-list outside_access_in permit tcp any host x.x.x.39 eq www
access-list outside_access_in deny tcp host AceVirus any eq smtp
access-list outside_access_in deny tcp host safesecureweb any
access-list outside_access_in permit tcp any host x.x.x.11 eq www
access-list outside_access_in permit tcp any host x.x.x.17 eq pptp
access-list outside_access_in permit tcp any host x.x.x.36 eq smtp
access-list outside_access_in permit tcp any host x.x.x.36 eq www
access-list outside_access_in permit tcp any any eq ldap
access-list outside_access_in permit tcp any any eq 522
access-list outside_access_in permit tcp any any eq 1503
access-list outside_access_in permit tcp any any eq h323
access-list outside_access_in permit udp any any range 1024 65535
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any host x.x.x.70 range 5800 5821
access-list outside_access_in permit tcp any host x.x.x.70 range 5900 5921
access-list outside_access_in permit udp any host x.x.x.70 range 5800 5821
access-list outside_access_in permit udp any any range 5900 5921
access-list outside_access_in permit tcp any host x.x.x.70 eq 3389
access-list outside_access_in permit udp any host x.x.x.70 eq 3389
access-list outside_access_in permit tcp any host x.x.x.15 eq domain
access-list outside_access_in permit udp any host x.x.x.15 eq domain
access-list outside_access_in permit udp any host x.x.x.5 eq domain
access-list outside_access_in permit tcp any host x.x.x.5 eq domain
access-list outside_access_in permit udp any host x.x.x.5 eq nameserver
access-list outside_access_in permit tcp host BBlachford host x.x.x.22 eq w
ww
access-list outside_access_in permit tcp host BBlachford host x.x.x.34 eq w
ww
access-list outside_access_in permit ip host BBlachford host x.x.x.19
access-list outside_access_in permit ip x.x.x.0 255.255.255.128 host 67.135
.202.25
access-list outside_access_in permit tcp any host x.x.x.5 eq pptp
access-list outside_access_in permit tcp any host x.x.x.6 eq www
access-list outside_access_in permit tcp any host x.x.x.49 eq www
access-list outside_access_in permit udp any eq isakmp host x.x.x.55 eq isa
kmp
access-list outside_access_in permit esp any host x.x.x.55
access-list outside_access_in permit ah any host x.x.x.55
access-list outside_access_in permit udp any eq 10000 host x.x.x.55 eq 1000
0
access-list outside_access_in permit tcp any range 6001 6002 host x.x.x.36
range 6001 6002
access-list outside_access_in permit tcp any eq 6004 host x.x.x.36 eq 6004
access-list outside_access_in permit tcp any eq 6004 host x.x.x.9 eq 6004
access-list outside_access_in permit tcp any eq 6002 host x.x.x.9 eq 6002
access-list outside_access_in permit tcp any eq 593 host x.x.x.36 eq 593
access-list outside_access_in permit tcp any eq 593 host x.x.x.9 eq 593
access-list outside_access_in permit tcp any host x.x.x.36 eq https
access-list outside_access_in permit tcp host OfficeDepot host x.x.x.36
access-list outside_access_in permit esp any any
access-list outside_access_in permit tcp any host x.x.x.36 eq sunrpc
pager lines 24
logging on
logging timestamp
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.2 255.255.255.128
ip address inside z.z.z.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool z.z.z.250-z.z.z.255
pdm location z.z.z.0 255.255.255.0 inside
pdm location PDC 255.255.255.255 inside
pdm location NT1 255.255.255.255 inside
pdm location C3_Proserver 255.255.255.255 inside
pdm location QA03_nicole 255.255.255.255 inside
pdm location QA02_Susan 255.255.255.255 inside
pdm location z.z.z.0 255.255.255.255 inside
pdm location DanXP 255.255.255.255 inside
pdm location c3Mac02 255.255.255.255 inside
pdm location QAslave 255.255.255.255 inside
pdm location C3mtq 255.255.255.255 inside
pdm location QA01_Bart 255.255.255.255 inside
pdm location c3MTQ2 255.255.255.255 inside
pdm location Clash 255.255.255.255 inside
pdm location BBlachford 255.255.255.255 outside
pdm location DP2k 255.255.255.255 inside
pdm location c3exchange 255.255.255.255 inside
pdm location GoGos 255.255.255.255 inside
pdm location nt2 255.255.255.255 inside
pdm location SQLSERVER2k 255.255.255.255 inside
pdm location Styx 255.255.255.255 inside
pdm location Sting 255.255.255.255 inside
pdm location Spam1 255.255.255.255 outside
pdm location Spam1 255.255.255.0 outside
pdm location domain.com 255.255.255.255 inside
pdm location domain.com 255.255.255.255 inside
pdm location domain.com 255.255.255.255 inside
pdm location SPS01 255.255.255.255 inside
pdm location Fixx 255.255.255.255 inside
pdm location AceVirus 255.255.255.255 outside
pdm location z.z.z.23 255.255.255.255 inside
pdm location safesecureweb 255.255.255.255 outside
pdm location FMEC 255.255.255.255 inside
pdm location southbaysailing 255.255.255.255 inside
pdm location Qa05 255.255.255.255 inside
pdm location U2 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.128 inside
pdm location x.x.x.2 255.255.255.255 outside
pdm location GatewayRouter 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 x.x.x.71-x.x.x.125 netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.6 NT1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.67 QA03_nicole netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.68 QA02_Susan netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.3 PDC netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.60 DanXP netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.61 c3Mac02 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.70 QAslave netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.69 C3mtq netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.65 QA01_Bart netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.64 c3MTQ2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.22 Clash netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.62 DP2k netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.5 nt2 netmask 255.255.255.255 0 25
static (inside,outside) x.x.x.25 SQLSERVER2k netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.15 GoGos netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.17 Styx netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.17 Styx netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.36 Sting netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 domain.com netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.42 domain.org netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.47 domain.com netmask 255.255.255.255 0
0
static (inside,outside) x.x.x.41 domain.com netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.11 SPS01 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.34 Fixx netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.55 Qa05 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.9 U2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 GatewayRouter 1
timeout xlate 0:15:00
timeout conn 0:20:00 half-closed 0:05:00 udp 0:01:00 rpc 1:00:00 h225 1:00:00
timeout h323 0:10:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.0 255.255.255.128 outside
http z.z.z.0 255.255.255.0 inside
http x.x.x.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside QAslave TFTP-Root/
floodguard enable
telnet x.x.x.2 255.255.255.255 outside
telnet QAslave 255.255.255.255 inside
telnet z.z.z.0 255.255.255.0 inside
telnet C3mtq 255.255.255.255 inside
telnet c3MTQ2 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain Connect3
terminal width 80
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 250 total points
ID: 17992560
 Ok, an 'unlimited' license simplifies things.   Too bad management isn't yet convinced to upgrade to a larger PIX. Well, they'll be convinced the day the boss can't send email, can't surf a favorite website or Internet is just too slow.

  Bingo - the reason why you're running out of IPs is that PAT isn't correctly configured.  Run this:
no global (outside) 1 interface
global (outside) 2 interface
clear xlate

  Now with that in place, once your pool of IPs (x.x.x.71-x.x.x.125) are used up at a given moment, the PIX simply will PAT outbound traffic via the outside interface IP.  Normally you don't need to, but since this is an older & very possibly a beta version, you might need to reboot the PIX (after saving the config via "wr mem").

>3. ...putting the majority of clients on a PAT address, but I have heard that PATing won't work with things
> like SSL and other connections aside from basic HTTP.
   You were misinformed.  The main things that PAT might break are some multimedia traffic, possibly PPTP VPN, possibly VoIP.  The vast majority of regular traffic works perfectly fine w/ PAT, such as SSL, FTP, email, streaming radio stations, etc etc.

Hmm, quite a few static NAT entries... Are the majority of these simply workstations?? eg: QA03_nicole, QA02_Susan, DanXP, etc?
  I'd remove all the workstation entries since they're completely unnecessary unless you're hosting some kind of service on that PC such as a webserver or something (I sincerely hope not!) that the outside world would need to access.  Either ask users on the workstations to stay off the Internet for 5 min, or do this after hrs. eg:
clear xlate
no static (inside,outside) x.x.x.64 c3MTQ2  <- if this is a workstation
no static (inside,outside) x.x.x.60 DanXP
 ...etc...
clear xlate  <- or save config & reboot PIX

  If you're thinking of dividing up your network by subnetting & have very little budet, then you're pretty much stuck getting a couple of little SOHO routers/firewalls & put them behind the PIX.  Each router will have it's own separate subnet behind it, & for simplicity just PAT those subnets to the PIX inside subnet, eg:

Internet <-> PIX (z.z.z.1) <-> (z.z.z.254) router1 (10.1.1.1) <-> 10.1.1.x subnet
                             |
                       (z.z.z.253)
                         router2
                       (10.1.2.1)
                             |
                     10.1.2.x subnet

cheers
0
 

Author Comment

by:darrennelson
ID: 17998474
Excellent info Calvin, I'm going to make changes over the holiday weekend.

Yes, those are workstations with static ip's.  The reason for that is those users support our product in other companies that require we come in from the same address.

Thanks Again,

Darren
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco 1830 AP behaving wierdly 7 28
cisco nexus experiance 2 30
Quality settings for cisco routers 8 26
Access List 4 14
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This video discusses moving either the default database or any database to a new volume.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now