
# of ip's needed for NAT of small office


marhoul

IS-IT--Management
Jun 10, 2002
28
AU
I have been allocated a /29 (14 routable addresses) IP range by my ISP. We will only use about 7 for DSL router, PIX, Exchange etc.

Should I use the other 7 for doing NAT as opposed to PAT?

What happens if all the NAT addresses are used and a new user wants a connection? Does it fall back to PAT on one of the IP's?

We will only have about 15 users behind this firewall.

Thanks,

Mark
 
Hi, You could do both, but I'd go with PAT by itself, you never know if you'll need the other IP's. If you did both, then yes, after the NAT address pool is used, PAT would start up. Then, if/when a NAT address was freed, it would be next on the list again. Also, be advised that PAT is good for TCP, UDP, and ICMP, so if you have a need to pass other traffic out, like GRE, it could cause problems.
 
Hi.

I agree with the previous post.

I would go with PAT, because:
It supports most users' needs.
It is a bit more secure than NAT.
It is easier to manage and troubleshoot (if there is a problem only with a specific IP, it will affect a different user at a different time).

However, if needed, use NAT; for example, if the users need to VPN via the PIX to an external VPN server, NAT will work better for that.

Bye


Yizhar Hurwitz
 
Remember, if you use NAT only though, only the number of IPs given to the NAT pool is the number of hosts that can use the connection concurrently. I.e., if you have 5 NAT'd IP addresses, then only 5 concurrent users can be on the Internet from your PIX.

-Bad Dos
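
The behaviour described in the replies above (a dynamic NAT pool that overflows onto a PAT address, a freed NAT address being reused first, and PAT carrying only TCP, UDP and ICMP) can be modelled in a few lines. This is an added example, not code from the thread or from the PIX; the `Translator` class, the `run` helper and all addresses are constructed for illustration, with 15 users and a 5-address pool taken from the figures in the posts.

```python
from dataclasses import dataclass, field
from typing import Optional

PAT_PROTOCOLS = {"tcp", "udp", "icmp"}  # what the thread says PAT can carry

@dataclass
class Translator:
    nat_pool: list                      # free one-to-one global addresses
    pat_ip: Optional[str] = None        # optional overload (PAT) address
    nat_map: dict = field(default_factory=dict)  # inside host -> global IP
    next_port: int = 1024               # next PAT source port (or ICMP ID)

    def translate(self, host, proto):
        """Return (global_ip, port, mode), or None when the flow cannot be translated."""
        if host in self.nat_map:                 # host already owns a NAT address
            return (self.nat_map[host], None, "NAT")
        if self.nat_pool:                        # pool not exhausted: one-to-one NAT
            self.nat_map[host] = self.nat_pool.pop(0)
            return (self.nat_map[host], None, "NAT")
        if self.pat_ip and proto in PAT_PROTOCOLS:   # overflow onto the PAT address
            port, self.next_port = self.next_port, self.next_port + 1
            return (self.pat_ip, port, "PAT")
        return None                              # pool empty and PAT absent or unusable

    def release(self, host):
        """Translation timed out: the address goes back to the pool."""
        ip = self.nat_map.pop(host, None)
        if ip:
            self.nat_pool.append(ip)

def run(users, pool_size, with_pat, proto="tcp"):
    """Count outcomes when `users` inside hosts each open one connection."""
    pool = [f"203.0.113.{i}" for i in range(1, pool_size + 1)]  # constructed addresses
    t = Translator(pool, "203.0.113.14" if with_pat else None)
    counts = {"NAT": 0, "PAT": 0, "dropped": 0}
    for n in range(users):
        result = t.translate(f"10.0.0.{n + 10}", proto)
        counts[result[2] if result else "dropped"] += 1
    return counts, t

if __name__ == "__main__":
    print(run(15, 5, with_pat=False)[0])              # NAT only
    print(run(15, 5, with_pat=True)[0])               # NAT pool with PAT fallback
    print(run(15, 5, with_pat=True, proto="gre")[0])  # GRE cannot use PAT
```
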
 