With the number of hosts you mentioned, you should be able to easily use
a single IP address as your outside global IP and not require a
one-to-one mapping of inside to outside addresses.  In other words, all
traffic from your site to the Internet would appear on the outside as 1
IP address. (this is PAT) This works by allocating a separate port for
each translation:

original src ip/port            translated src ip/port
-------------------             -----------------------
10.1.1.1/1024                   175.1.1.1/1025
10.1.1.2/1024                   175.1.1.1/1026
etc.
etc.


This is normally done dynamically; however, a Cisco router allows you to
create static mappings that include port numbers, so if you only had a
single IP address, you could still provide access to internal servers.
For example, if you had a web server using address 10.1.1.3:

ip nat inside source static tcp 10.1.1.3 80 175.1.1.1 80 

would send all incoming traffic to IP address 175.1.1.1 on port 80 to
internal address 10.1.1.3 on port 80.  The limitation is that you can't
have multiple servers using the same outside port.  For example, you
couldn't create a second static mapping to tell the router to send
traffic inbound on port 80 to a second server.  You could, however, have
multiple mappings for different ports:

ip nat inside source static tcp 10.1.1.4 25 175.1.1.1 25
ip nat inside source static tcp 10.1.1.5 110 175.1.1.1 110
etc
etc

As I said, this feature is useful if you only have a single or very few
registered IP addresses.  This feature is available on Cisco routers,
but not on the PIX.

I would recommend you take a look at the Cisco NAT information:

http://www.cisco.com/warp/public/732/nat/

Several examples of NAT are also included in "Cisco Access Lists Field
Guide", of which I am co-author.

HTH,
Kent


[EMAIL PROTECTED] wrote:
> 
> I am confused, I generally set up the NAT pool separate from my IP's that I
> will statically map to my inside hosts.  Are you saying that I can use an IP
> address from my NAT range for this?  And, please elaborate on mapping hosts
> using the PATed address on a cisco router. How could you statically map more
> than one internal host using a PAT address?
> 
> -----Original Message-----
> From: Kent Hundley
> To: Duncan Maccubbin; [EMAIL PROTECTED]
> Sent: 6/6/00 2:04 PM
> Subject: Re: PAT vs NAT
> 
> The PAT implementation on the PIX does not currently support the ability
> to include port information in its static mappings.  You need an
> additional IP address for every host you want to be globally
> accessible.  For example, you couldn't reserve port 80 for an internal
> web server to be reachable via the PATed address.  (you can do this on a
> cisco router)
> 
> If you have a requirement for globally accessible servers, this would be
> a situation where you would need NAT instead of PAT on the PIX.
> 
> HTH,
> Kent
> 
> Duncan Maccubbin wrote:
> >
> >   I'm wondering what NAT gives me over PAT. On my PIX I believe it can do
> > 65,000 translations on PAT. If I have <100 users behind it what is the
> > advantage of using NAT?
> >
> > Duncan
> > ===========================================
> > Duncan Maccubbin | [EMAIL PROTECTED]
> > Senior Network Engineer
> > MCP+I,MCSE,CCNA,CCDA,CCNP
> > CapuNet, LLC - Corporate Internet Solutions
> > (301) 881-4900 x8039
> > ===========================================
> >
> > ___________________________________
> > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> 
> --
> ##################################################
> Kent Hundley            Lucent Networkcare
> CISSP, CCSE             Sr. Network Consultant
> ##################################################
> 

