Hi, I seem to be missing something with Pix NAT/PAT, anyone got a comment?
The external interface of the Pix is located in a small /29 subnet (8 IPs). Subtract net and broadcast addresses, one IP for the router, one for the Pix interface, so there's 4 IP addresses left. Firewall owner wants 2 external addresses statically translated to internal servers (say mail/www), now 2 IPs left. Owner also wants about 50 internal hosts to access the Internet via NAT. Pix software version is 6.0.

Is the following statement true? "With a Pix, you can't reasonably NAT ~50 internal hosts to only 2 registered external IP addresses."

I expected to do n:1 translation as with Ipfilter or Linux masquerading. Pix recommends to have a NAT address pool and additionally a single PAT "overflow" address, and it bites if you don't follow that recommendation. A NAT address pool is defined as an IP address range, so the smallest possible NAT pool takes 2 IP addresses. Now add the PAT address. Need 3 IPs, have 2, problem. Also, from what I understand, it's perfectly unwise to use a NAT pool of size 2 for ~50 internal hosts to be NATted.

Tried with PAT only, no NAT pool. Internal user tests with a browser, using an IP address for the URL, works fine. User tests with FQDN, does not work - ok, debug DNS lookups. In the Pix logs, I see that for the nameserver queries (UDP/53 to 1.2.3.4) the *destination* port got translated (something like "faddr 1.2.3.4/4789" from the Pix log). Huh?? Suspected the missing NAT pool, created a 2 address pool, works.

Also tried with NAT pool only, no PAT address, just for kicks. With a NAT pool of size 2, exactly two internal machines could connect to the Internet, any third machine would fail. This is in accordance with documented Pix behavior, that's why Cisco recommends using a PAT address to handle the "overflow".

So, unless I'm really missing something, it looks like the Pix needs a bunch of registered external IP addresses to operate correctly. Should I recommend to register a 64-address range for a customer with ~50 internal hosts, a few static translations, and some room for growth? I can't believe that the minimum requirement for deploying a Pix is having a wide range of registered IP addresses. Your comments are appreciated. Thanks.

chakl
-- 
Olaf Schreck - [EMAIL PROTECTED] - Syscall Network Solutions AG, Berlin

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
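The three address layouts the post describes (PAT only, NAT pool only, pool plus PAT overflow), written out as a PIX 6.x configuration fragment. This is an added example, not the poster's configuration and not a Cisco document. All addresses are constructed from the 203.0.113.0/29 documentation range (.1 upstream router, .2 Pix outside interface, .3 and .4 for the two statics, .5 and .6 the two addresses that are left), and the inside hosts and ACL name are assumed for illustration.

```cisco
! Added example, not from the post. Constructed addresses in 203.0.113.0/29:
!   .1 upstream router, .2 Pix outside, .3/.4 statics, .5/.6 left for dynamic translation
! Assumes PIX 6.x command syntax.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Two one-to-one statics for the published servers (mail and www),
! one registered address each; inside addresses are assumed.
static (inside,outside) 203.0.113.3 10.0.0.25 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 10.0.0.80 netmask 255.255.255.255 0 0
! Only the published services are reachable from outside.
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-group outside_in in interface outside

! Every inside host is a candidate for dynamic translation under NAT ID 1.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0

! --- Layout A: PAT only. Fits: one of the two remaining addresses. ---
! A single address in "global" is a PAT address: all ~50 hosts share it and
! are told apart by the translated source port.
global (outside) 1 203.0.113.5 netmask 255.255.255.248

! --- Layout B: NAT pool only. Does not meet the requirement. ---
! A range is a one-to-one pool: with two addresses, two inside hosts hold a
! translation at a time and the third one fails, as the post observed.
! global (outside) 1 203.0.113.5-203.0.113.6 netmask 255.255.255.248

! --- Layout C: pool plus PAT overflow (Cisco's recommendation). ---
! With the same NAT ID, the pool is handed out first and the single PAT
! address takes the hosts that arrive once the pool is exhausted. This needs
! three addresses; with .5 and .6 in the pool there is no third one left
! in this /29, so the layout cannot be configured here.
! global (outside) 1 203.0.113.5-203.0.113.6 netmask 255.255.255.248
! global (outside) 1 <third registered address> netmask 255.255.255.248

! Drop existing translations after changing nat/global so the new mapping applies.
clear xlate
! "show xlate" lists the active translations, "show global" the configured pools.
```

Layout A is the only one of the three that fits in the two spare addresses; it relies on port multiplexing rather than on address count, which is the n:1 behaviour the post compares with Ipfilter and Linux masquerading. The DNS symptom the post reports under a PAT-only setup on 6.0 is not addressed by this fragment; it only shows the address layouts, and `show xlate` is the place to check what a given lookup was actually translated to.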
