Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > FWSM/PIX and Dynamic PAT using global IP range vs. global interface vs. global IP

Reply
Thread Tools

FWSM/PIX and Dynamic PAT using global IP range vs. global interface vs. global IP

 
 
Hoffa
Guest
Posts: n/a
 
      10-25-2006
Greetings all

I was just woundering one thing while configuring a new PAT setup in
our FWSM. You have the option of using an IP range, a single IP or the
IP of the "external" interface as GLOBAL address for the PAT.
I've searched some of the guides regarding this subject but haven't
really seen any recommendation when to use the different methods other
than the possible shortage of ports when using single IP and large
number of computers.

Does anyone have any experience in using the different methods and have
any recommendations? Is there a disadvantage when using GLOBAL
interface instead of GLOBAL IP for example?

Regards
Fredrik Hofren

 
Reply With Quote
 
 
 
 
Walter Roberson
Guest
Posts: n/a
 
      10-25-2006
In article <(E-Mail Removed). com>,
Hoffa <(E-Mail Removed)> wrote:

>I was just woundering one thing while configuring a new PAT setup in
>our FWSM. You have the option of using an IP range, a single IP or the
>IP of the "external" interface as GLOBAL address for the PAT.


I believe earlier versions of the software would use the keyword
"interface" instead of the interface external IP itself.

>I've searched some of the guides regarding this subject but haven't
>really seen any recommendation when to use the different methods other
>than the possible shortage of ports when using single IP and large
>number of computers.


>Does anyone have any experience in using the different methods and have
>any recommendations? Is there a disadvantage when using GLOBAL
>interface instead of GLOBAL IP for example?


If you use a public IP then -somehow- traffic for that IP needs to
get to the FWSM (or PIX or ASA). The best way to do that is to have
the router route traffic for the public IP over to the interface IP.
In the case of PIX and ASA, "the router" might turn out to be the ISP's
router off-site and making the appropriate arrangements is sometimes
cumbersome (or expensive.) The PIX and ASA will proxy-arp for
IPs named in a 'global' statement, provided that proxy-arp has not
been disabled and provided that the IP has not been marked for NAT
exemption (nat 0 access-list in PIX 5/6; I thought I saw additional
mechanisms in PIX/ASA 7); but proxy-arp is often not entirely reliable.

PIX 5 did not have "static PAT" (port forwarding); PIX 6 port forwarding
for the interface IP has the restriction that telnet and one other
port (needed by PDM) may not be forwarded. There are unresolved questions
about what port forwarding for the interface IP would mean if
the port is one used for PPTP or LT2P or IPSec and those VPN
protocols are configured for termination on the outside interface.
There is no restrictions on the forwarding of ports for public IPs
that are not the interface IP.

If you are PAT'ing to an IP that has static PAT to allow inward
access to service (e.g., for a mail server) then there can sometimes
be logistical reverse DNS problems: for example, you might need
the IP to resolve to one name to satisfy your SMTP peers, but you
might need it to resolve to a different name to satisfy the SSL
certificate processing for web sites you host.

When you have an global address range specified, then each outgoing
host gets exclusive use of one entire IP for the transaction duration,
with no Port Address Translation. That can sometimes be critical for
use with protocols that interact badly with port translation.
The rule in PIX 5/6 is that if there is an available IP in a ranged global
{whose policy number matches the nat policy number} then the entire IP
is allocated, and that PAT (signaled by a global with a single IP)
is used (if configured) when the pool runs out. If only -some- of
the traffic from a host really needs one-to-one translation then
you either need a big pool of public IPs or else you need to start
using "policy nat". PIX/ASA/FWSM 7 might have additional mechanisms
for determining whether PAT or one-to-one NAT is used.

Beyond that... if you have multiple public IP ranges, then your choice
of public IPs can affect return packet routing, which can be important
sometimes.
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FWSM/PIX and Dynamic PAT using global IP range vs. global interface vs. global IP Hoffa Cisco 0 10-25-2006 01:04 PM
Static PAT overrides Dynamic Pat - Pix 515e BinSur Cisco 4 01-13-2006 09:44 AM
PIX 501 single outside interface and PAT for inbound connections??? Adisegna@gmail.com Cisco 4 10-29-2005 02:15 PM
Identity NAT/PAT, 2 interface, same major network - Walter Roberson, Cisco Guy Cisco 2 07-23-2005 01:32 AM
Scene range vs dynamic range Robert Feinman Digital Photography 2 07-04-2005 09:30 PM



Advertisments