Re: NAT & PIX [7:38633]
I remember this from some time ago. I tried it once and discovered that the last statement was redundant. It did PAT with the last address anyway.

Not sure whether this is an IOS-dependent thing or just a myth from the past (or possibly I'm wrong. I'll have to try it again some time. Unfortunately I'm working away on a 'Pixless' site at the moment.)

Anybody confirm or ridicule?

Cheers,
Gaz

"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> Quick note. The second command will only allow 50 NAT translations at a
> time. Once 50 are full, then everyone else gets denied.
> If you were to combine the 2 statements into:
>
> Global (outside) 1 192.168.1.1-192.168.1.49 netmask 255.255.255.0
> Global (outside) 1 192.168.1.50 netmask 255.255.255.0
> Nat (inside) 1 0 0
>
> This will cause the first 49 addresses to get used for NAT, while the .50
> will become an overflow, or overload/PAT address.
> The NAT will always be used before the PAT session is used as well.
>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 9:27 AM
> To: [EMAIL PROTECTED]
> Subject: RE: NAT & PIX [7:38633]
>
> Yes,
>
> With the two commands NAT and GLOBAL, you can specify exactly what you need:
>
> global (outside) 1 192.168.1.200 netmask 255.255.255.255
>
> This will translate the inside address(es) specified with the NAT command to
> ONE outside address.
>
> nat (inside) 1 0 0
>
> This will translate all inside addresses to the address(es) specified with
> the GLOBAL command.
>
> If you want every pc on the inside network to translate to 1 public address
> (192.168.1.200) use these two commands:
>
> global (outside) 1 192.168.1.200 netmask 255.255.255.255
> nat (inside) 1 0 0
>
> If you want every pc on the inside network to translate to 1 out of 50
> public addresses (192.168.1.201 thru 192.168.1.250) use these two commands:
>
> global (outside) 1 192.168.1.201-192.168.1.250 netmask 255.255.255.0
> nat (inside) 1 0 0
>
> Hth,
>
> Ole
>
> ~
> Ole Drews Jensen
> Systems Network Manager
> CCNP, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~
> http://www.RouterChief.com
> ~
> Need a Job?
> http://www.OleDrews.com/job
> ~
>
> -----Original Message-----
> From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 4:18 AM
> To: [EMAIL PROTECTED]
> Subject: NAT & PIX [7:38633]
>
> Hi
>
> I have a PIX firewall, and am using nat to let my clients access the
> internet, but now I need to connect about a 100 clients, based in a WAN of
> more than 50 places, all to the internet through the same ip address,
>
> so the question is, can I have some sort of a NAT list letting all the 100
> ip addresses get on the net through the one public address ??
>
> Best regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38666&t=38633
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: NAT & PIX [7:38633]
Quick note. The second command will only allow 50 NAT translations at a time. Once 50 are full, then everyone else gets denied.
If you were to combine the 2 statements into:

Global (outside) 1 192.168.1.1-192.168.1.49 netmask 255.255.255.0
Global (outside) 1 192.168.1.50 netmask 255.255.255.0
Nat (inside) 1 0 0

This will cause the first 49 addresses to get used for NAT, while the .50 will become an overflow, or overload/PAT address.
The NAT will always be used before the PAT session is used as well.

Thanks

Larry

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: NAT & PIX [7:38633]

Yes,

With the two commands NAT and GLOBAL, you can specify exactly what you need:

global (outside) 1 192.168.1.200 netmask 255.255.255.255

This will translate the inside address(es) specified with the NAT command to ONE outside address.

nat (inside) 1 0 0

This will translate all inside addresses to the address(es) specified with the GLOBAL command.

If you want every pc on the inside network to translate to 1 public address (192.168.1.200) use these two commands:

global (outside) 1 192.168.1.200 netmask 255.255.255.255
nat (inside) 1 0 0

If you want every pc on the inside network to translate to 1 out of 50 public addresses (192.168.1.201 thru 192.168.1.250) use these two commands:

global (outside) 1 192.168.1.201-192.168.1.250 netmask 255.255.255.0
nat (inside) 1 0 0

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job?
http://www.OleDrews.com/job
~

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 4:18 AM
To: [EMAIL PROTECTED]
Subject: NAT & PIX [7:38633]

Hi

I have a PIX firewall, and am using nat to let my clients access the internet, but now I need to connect about a 100 clients, based in a WAN of more than 50 places, all to the internet through the same ip address,

so the question is, can I have some sort of a NAT list letting all the 100 ip addresses get on the net through the one public address ??

Best regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38651&t=38633

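
The allocation behaviour described in Larry's message above, as an added example that is not part of the original thread: a simplified Python model (not PIX code) in which a range `global` is a one-to-one NAT pool, a single-address `global` is PAT, and each inside host needs exactly one translation. The inside host addresses, port range and function names are assumptions made for illustration.

```python
import ipaddress

def parse_global(spec):
    """Expand the address part of a global statement: 'a.b.c.d' or 'a.b.c.d-a.b.c.e'."""
    first, _, last = spec.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last or first))
    if hi < lo:
        raise ValueError(f"range end before start: {spec}")
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

def allocate(global_specs, inside_hosts, first_port=1024, last_port=65535):
    """Model from the thread (an assumption, not PIX source): NAT pool entries
    are handed out first, then PAT ports on the single address, else denied."""
    nat_pool, pat_addr = [], None
    for spec in global_specs:
        addrs = parse_global(spec)
        if len(addrs) > 1:
            nat_pool.extend(addrs)
        else:
            pat_addr = addrs[0]
    table, port = {}, first_port
    for host in inside_hosts:
        if nat_pool:
            table[host] = ("NAT", nat_pool.pop(0), None)
        elif pat_addr is not None and port <= last_port:
            table[host] = ("PAT", pat_addr, port)
            port += 1
        else:
            table[host] = ("DENIED", None, None)
    return table

def summarize(table):
    """Count how many inside hosts ended up with NAT, PAT or no translation."""
    counts = {"NAT": 0, "PAT": 0, "DENIED": 0}
    for kind, _addr, _port in table.values():
        counts[kind] += 1
    return counts

# Constructed inside addresses: 100 clients, as in the original question.
HOSTS = [f"10.0.{i // 50}.{i % 50 + 10}" for i in range(100)]

# Address parts of the global statements quoted in the thread.
CONFIGS = {
    "one PAT address": ["192.168.1.200"],
    "50-address pool only": ["192.168.1.201-192.168.1.250"],
    "49-address pool plus PAT": ["192.168.1.1-192.168.1.49", "192.168.1.50"],
}

if __name__ == "__main__":
    for name, specs in CONFIGS.items():
        print(f"{name}: {summarize(allocate(specs, HOSTS))}")
```

In the PAT cases every inside host shares one outside address, so tracing an outbound connection back to a client needs the translated port and a timestamp as well as the address.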
Re: NAT & PIX [7:38633]
Assuming that the 100 IP addresses you mention below are addresses on the inside network, the answer is yes, you can allow all of them and use only one public IP to get to the internet. Just enable PAT (Port Address Translation) using "global (inside) " command.

HTH

> Hi
>
> I have a PIX firewall, and am using nat to let my clients access the
> internet, but now I need to connect about a 100 clients, based in a WAN of
> more than 50 places, all to the internet through the same ip address,
>
> so the question is, can I have some sort of a NAT list letting all the 100
> ip addresses get on the net through the one public address ??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38637&t=38633

NAT & PIX [7:38633]
Hi

I have a PIX firewall, and am using nat to let my clients access the internet, but now I need to connect about a 100 clients, based in a WAN of more than 50 places, all to the internet through the same ip address,

so the question is, can I have some sort of a NAT list letting all the 100 ip addresses get on the net through the one public address ??

Best regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38633&t=38633