
A question of PAT


pglevelle (Technical User), Mar 6, 2002
I am confused on how to configure port address translation. The example in the Cisco book pg 90(6-3) shows the following lines...

ip address (inside) 10.0.0.1 255.255.255.0
ip address (outside) 192.168.0.2 255.255.255.0
route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
global (outside) 1 192.168.0.15 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0

Given that PAT translates ALL inside addresses to a single outside, then why is the global statement pointing to 192.168.0.15 and not 192.168.0.2 (outside PIX address)?

In my case with a PIX 501, I have the public address directly on the outside interface of the firewall. This outside interface is attached to a DSL modem across frame relay to the ISP.

Can someone untangle my confusion over PAT?
 
PAT translates all inside addresses to a single global routable IP address, but it doesn't have to be the address of the outside interface. It can be any routable address in the given range!

In the example shown, they've just picked an address out of the available pool to show that it can be used for PAT. However, you can use the address of the outside interface using the command...

nat (global) 1 interface

I always use the outside address as it saves on IP addresses. But, you can use another address if you want, as per the example!

Chris.

::)

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks for the comments on PAT configuration. I understand now.

I have the PIX 501 installed but not able to connect to the web server from external nor receive email...sending is ok.

Tried to use ACL which worked for web access but is not supported by PDM. So I removed commands....

access-list acl_out permit tcp host public_ip_address eq www
access-group acl_out in interface outside

I next tried to create the conduit commands for www, pop3, smtp and 443 using tcp to the public address. PDM now works but external web access and receiving email does not.

conduit permit tcp any eq public_ip_address

Suggestions?
 
Yizhar,

Yeah, I got the syntax wrong! I'm still getting over a hangover from Saturday night. B-(

Actually, I think it's "global (outside) 1 interface".
I don't know where my other one came from!!

Pglevelle,

I think that the conduit statement is wrong! With an ACL the first IP entry is for the source address and the second is the destination, like:

access-list web_in permit tcp any host <web_server> eq www

So it says: anywhere can go to the web server on port 80.

But, with the conduit command it flips it the other way. So, the host goes first followed by the source, like:

conduit permit tcp host <web_server> eq www any

This is: allow tcp to the host web_server on port 80 from anywhere.

Also, make sure that you've got a static NAT entry for the host that you're allowing access to.

Good luck.

Chris.

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
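Putting Chris's two points together (PAT on the outside interface address, plus a static and an access-list for the server) for the single-public-IP setup pglevelle describes, as an added example that is not from the thread. It assumes PIX 6.x port-redirection syntax; 203.0.113.2 (outside address), 203.0.113.1 (ISP gateway) and 10.0.0.10 (inside web/mail server) are placeholders, and the ! lines are explanatory comments.

```cisco
! Added example (not from the thread): PIX 6.x, one public IP sitting on the outside interface.
! Placeholders: 203.0.113.2 = outside address, 203.0.113.1 = ISP gateway, 10.0.0.10 = inside server.
ip address inside 10.0.0.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Outbound PAT: every inside host leaves as the outside interface address (no spare IP needed).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!
! Inbound: port redirection on the same outside address. Only these four ports are mapped to
! the server; everything else arriving on 203.0.113.2 has no translation and is dropped.
static (inside,outside) tcp interface www 10.0.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.0.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255 0 0
!
! Access-list order is source then destination; the destination is the public (translated) address.
access-list acl_out permit tcp any host 203.0.113.2 eq www
access-list acl_out permit tcp any host 203.0.113.2 eq https
access-list acl_out permit tcp any host 203.0.113.2 eq smtp
access-list acl_out permit tcp any host 203.0.113.2 eq pop3
access-group acl_out in interface outside
```

Conduit and access-list are alternative ways of expressing the same permit; with conduit the destination host is written first (conduit permit tcp host 203.0.113.2 eq www any), and the static entries above are required either way.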
 