On 29 Nov 2001 at 14:15, Olaf Schreck wrote:

> I seem to be missing something with Pix NAT/PAT, anyone got a comment?
>
> The external interface of the Pix is located in a small /29 subnet (8 IPs).
> Subtract net and broadcast addresses, one IP for the router, one for the
> Pix interface, so there's 4 IP addresses left. Firewall owner wants 2
> external addresses statically translated to internal servers (say mail/www),
> now 2 IPs left. Owner also wants about 50 internal hosts to access the
> Internet via NAT. Pix software version is 6.0.
>
> Is the following statement true? "With a Pix, you can't reasonably NAT ~50
> internal hosts to only 2 registered external IP addresses."
>
> I expected to do n:1 translation as with Ipfilter or Linux masquerading.
> Pix recommends to have a NAT address pool and additionally a single PAT
> "overflow" address, and it bites if you don't follow that recommendation.
I have a PIX 515 with only PAT and I have no problems with it. PAT allows 65535 connections via a single IP, so if you want 50 internal users they could each use over 1000 ports concurrently before exhausting the PAT. I've never seen a user here use more than about 100 simultaneous ports (lots of browsers, email, and other stuff open) so you won't exhaust it with 50 users.

> So, unless I'm really missing something, it looks like the Pix needs a
> bunch of registered external IP addresses to operate correctly. Should
> I recommend to register a 64-address range for a customer with ~50 internal
> hosts, a few static translations, and some room for growth? I can't
> believe that the minimum requirement for deploying a Pix is having a wide
> range of registered IP addresses.

There is probably something else going wrong with your setup. I've used my PIX 515 with OS 4.4(7) and 5.3(1) with only a single PAT address and no NAT pool and have zero problems. If you send over your config (with any private info stripped of course!) I might have time to take a quick look over it and see if I can spot anything that might cause the problems you're seeing.

Dan
---
D.C. Crichton                   email: [EMAIL PROTECTED]
Senior Systems Analyst          tel:   +44 (0)121 706 6000
Computer Manuals Ltd.           fax:   +44 (0)121 606 0477
Computer book info on the web: http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network! http://computer-manuals.co.uk/affiliate/
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
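A PAT-only PIX 6.x configuration matching the layout in this thread (a /29 outside, two static translations, one PAT address for everything else), added here as an illustration and not taken from either poster; the addresses, interface names and access-list name are constructed, and lines beginning with ':' are PIX comments.

```text
: Constructed addresses from the 192.0.2.0/29 documentation range:
: .1 upstream router, .2 PIX outside, .3 PAT address, .4/.5 statics, .6 spare
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: One-to-one static translations for the mail and web servers
static (inside,outside) 192.0.2.4 10.1.1.25 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.5 10.1.1.80 netmask 255.255.255.255 0 0
: A global with a single address is a PAT address: every other inside host
: shares 192.0.2.3 and is told apart by source port. No NAT pool is needed;
: nat-id 1 binds the whole inside network to that one global.
global (outside) 1 192.0.2.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: A static by itself does not admit inbound traffic; only the listed
: services are opened towards the translated servers.
access-list outside_in permit tcp any host 192.0.2.4 eq smtp
access-list outside_in permit tcp any host 192.0.2.5 eq www
access-group outside_in in interface outside
```

`show xlate` lists the active translations, so after some inside hosts have connected out you can confirm they all appear as PAT entries on 192.0.2.3 while the two servers keep their static entries.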
