Need advice on PIX 4.0.6 reconfigure from NAT to PAT 1

zephyran

Technical User
Nov 30, 2001
We're using a PIX 4.0.6 firewall to connect our LAN (Windows NT 4) to the Internet. We've run out of external addresses for NAT, and we will therefore be moving to PAT.

I have worked out a set of steps to do the configuration quickly so there will be the least possible downtime. Since I'm new to configuring PIX firewalls, could anyone who sees any difficulties with this procedure please let me know?

1. Back up the current configuration (using NAT) to floppy:
write floppy

2. Remove the global addresses and add the PAT address using these commands:
no global
global 1 x.x.x.x (where x.x.x.x is our single external address for PAT)

3. Confirm the global address configuration:
show global

4. Back up the new configuration to a new floppy:
write floppy

5. Ensure all machines can access the Internet without difficulty.

6. If all is well, back up the configuration to the flash memory:
write memory

7. If any problems arise, revert back to NAT configuration:
With the first floppy in the drive:

no global (to remove global address conflict)
configure floppy (to restore global addresses)

If the flash was written with the PAT configuration, replace it with the new config:
write memory

Does this set of steps look ok? I've gotten this all straight from our manual, but I wanted to get expert opinions before I do it. Thanks all!
 
HI.

* In addition to your floppy backup, I recommend that you issue the "show config" command, then copy & paste it to a text file, then save and/or print it.

* After changing "global" and other related configuration options, you should issue the command
"clear xlate"
or "reload" the pix.

* Version 4.0.6 is very old, have you considered upgrading?

* You can consider another option, which is a combination of PAT and NAT. for example if your registered addresses for use are (not including pix interface and static mappings):
111.111.111.10 - 111.111.111.20
then you can use these commands:
global 1 111.111.111.11-111.111.111.20
global 1 111.111.111.10

* If any of your clients is using a VPN to a different site from his workstation, it will probably fail with PAT.
Some multimedia (streaming audio/video) programs might also have problems with PAT.
PIX is supposed to support most multimedia protocols but you should check this.

Bye
Yizhar Hurwitz
 
Ok, I have a few questions:

1. I agree that our version of the software is pretty old, but I don't know how high a software version our hardware can handle. How can I find the hardware model number, and the newest version of the software it can handle? I couldn't find any labels on the machine that give any useful information as to the model number.

2. We are not using VPN, nor do we have any plans to (we are a library, and mostly serve the public with Internet access). However, we have been looking into hosting streaming audio/video that is viewable with RealPlayer (the server would have a static IP). Do you know if RealPlayer streaming audio/video will work with PAT?


3. The command "clear xlate" is not in our manual. What exactly does it do?

Thanks for your help. I hadn't considered using a mixture of NAT and PAT. Thanks again!
 
One more thing I just thought of...
In the combined NAT/PAT scenario you put down, would clients be served first by NAT and then PAT, or would they get PAT first? If it's not the default, how could it be set to use NAT first?
 
WildMagpie8,

v4.0(6). Wow. That is old! Chances are your hardware is either:

- a PIX Classic
- a PIX 510, or
- an early PIX 520 (Rev. A)

Quick question: Does your PIX have a door with a key lock on the front (inside the door is the power switch and a 3.5 disk drive) and all the network connections are on the back? [The Classic, and 510 both use the locking front door.]

Next question: Does the front faceplate of the PIX have integrated rack mounts (by that I mean does the front face extend past the side of the box by about 2 inches)? [This is a classic.]

If both of these are a "No", then you probably have an early 520.

Do you have a maintenance contract? If so you can probably run v4.4(9) that is out there on CCO.

Regarding NAT and PAT you should check the docs and look for NAT Overload. You can set up your PIX to use NAT until the address range is used up and then use the last NAT IP address for PAT.

Liberty for All,

Brian
 
HI.

About streaming audio/video, PAT will be no problem because your server will have a STATIC ip address.

It can depend on your software version.
Type this command
"show fixup"
and also check your manuals to learn which multimedia protocols are supported by your pix.
Have you visited here -

The clear xlate command clears the translation table.
You can "reload" the pix instead to force your new configuration (after saving it) and clear current connections.

The NAT/PAT combination should work, but you should use the lower ip address for the pat and the higher addresses for NAT.
This is because the pix starts using addresses from high to low.

Bye
Yizhar Hurwitz
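The pool behaviour the reply describes (the NAT range consumed from the highest address down, then the single PAT address shared by source port, and "clear xlate" emptying the translation table), as an added Python model that is not from the thread or from Cisco. The pool addresses are the constructed ones from the earlier reply; the inside hosts, the port numbering and the exact allocation rules are assumptions made for illustration.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Xlate = Tuple[str, Optional[int]]  # (outside address, source port or None for 1:1 NAT)

class XlateTable:
    """Toy model of the PIX translation (xlate) table for a combined
    NAT/PAT global pool: dynamic NAT addresses are handed out from the
    top of the range downward, and once the range is exhausted the single
    PAT address is shared by port. Assumed, simplified behaviour for
    illustration; not PIX code."""

    def __init__(self, nat_range: str, pat_addr: str, first_port: int = 1024) -> None:
        lo, hi = (ipaddress.IPv4Address(a.strip()) for a in nat_range.split("-"))
        # highest address first, matching "the pix starts using addresses from high to low"
        self.nat_pool = [str(ipaddress.IPv4Address(n)) for n in range(int(hi), int(lo) - 1, -1)]
        self.pat_addr = pat_addr
        self.first_port = first_port
        self.xlates: Dict[str, Xlate] = {}
        self.clear_xlate()

    def clear_xlate(self) -> int:
        """Model of 'clear xlate': drop every translation and return the pool
        to its initial state; returns how many entries were removed."""
        removed = len(self.xlates)
        self.xlates = {}
        self.free_nat = list(self.nat_pool)
        self.next_port = self.first_port
        return removed

    def translate(self, inside_host: str) -> Xlate:
        """Return the outside (addr, port) for an inside host, creating an xlate if none exists."""
        if inside_host in self.xlates:
            return self.xlates[inside_host]
        if self.free_nat:
            entry: Xlate = (self.free_nat.pop(0), None)  # one-to-one dynamic NAT
        else:
            entry = (self.pat_addr, self.next_port)  # range exhausted: overload the PAT address
            self.next_port += 1
        self.xlates[inside_host] = entry
        return entry

def demo(num_hosts: int = 12) -> Dict[str, Xlate]:
    """Run the thread's constructed pool (111.111.111.11-20 for NAT,
    111.111.111.10 for PAT) against a constructed set of inside hosts."""
    table = XlateTable("111.111.111.11-111.111.111.20", "111.111.111.10")
    return {f"10.0.0.{i}": table.translate(f"10.0.0.{i}") for i in range(1, num_hosts + 1)}
```

With twelve inside hosts the first ten receive 111.111.111.20 down to 111.111.111.11, and hosts eleven and twelve share 111.111.111.10 on ports 1024 and 1025.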
 
Thanks yizhar! That's exactly what I needed!
 