Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IP readdressing: good practice

Status
Not open for further replies.
sghezzi

sghezzi

Technical User
Apr 7, 2003
56
DE
Hello,

our internal network runs on private addresses.
We have a range of 4 usable public IP address to be use for NAT of outgoing traffic.
We then have an internal ftp server that needs to be accessible from outside.

I used the following configuration:
- global (outside) 1 a.b.c.155-a.b.c.157 netmask 255.255.255.248
- static (inside,outside) a.b.c.158 10.0.4.30 netmask 255.255.255.255 0 0

Is this the best way to use this range of global addresses?

I have read that a better solution to increase the range would be to use PAT, but how can I use PAT with our situation?
can someone give me a hint?

Thanks a lot
Silvia
 
Sort by date Sort by votes
Let's break this down into a couple of sections:

1) To use PAT for your outgoing access, do the following:
- Leave your NAT statement as is
- Change your global statement so that all outgoing traffic uses the IP of your PIX outside interface. Here are the commands:
no global (outside) 1 a.b.c.155-a.b.c.157 netmask 255.255.255.248
global (outside) 1 interface
clear xlate (this command will cause a temporary blip in your connections as it clears the existing active NAT translations).

2) For you inbound FTP traffic, you could use port redirection with that same outside interface IP, or dedicate one of your other IPs just for the FTP server (as you do now). My recommendation would be to leave it as it is, just to make the config a little simpler.

If you made the switch on number one, you would some IPs to play with in the future.
 
Upvote 0 Downvote
Thank,

actually I was wondering if we can use PAT together with the global command to a smaller range of public IPs.
Like reducing the range of global address to 2 instead of 3 and then using PAT with the 3rd available IP.

Do you think it is possible?

Shall PAT increase PIX performance instead of only using global to a range of IPs?

thanks
Silvia
 
Upvote 0 Downvote
HI.

> Do you think it is possible?
It is possible, but now wise.

As "tbissett" wrote, it is best to use PAT only, and not the NAT/PAT combination.
This is because the NAT/PAT combination makes administration and management of the pix more difficult.
Because you can not anticipate when and whom will get a NAT address versus the PAT.

Using PAT only will help you reserve few addresses for future use and needs.

Bye


Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
774
Sameer258
Sameer258
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
579
XLNTech1
XLNTech1
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
641
Johnkite
Johnkite
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
178
Russtoleum
Russtoleum
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
166
kythri
kythri

Part and Inventory Search

Sponsor

Back
Top