Cisco PIX many-to-many NAT problem

Discussion in 'Cisco' started by Fredy Kuenzler, Jun 9, 2004.

  1. I hope this is the right place for such a problem.

    Apparently the problem occurred elsewhere too, however I did not find out
    whether this is a bug or a feature.

    http://groups.google.ch/groups?hl=d...r=&ie=UTF-8&q=pix+many-to-many+nat&btnG=Suche
    > I did some work on a Cisco Pix, and we ran into an issue where if we
    > did a many to many, once the external ip block filled up, it would
    > fail to translate any further.


    I have exactly the same phenomenon.

    Out of my config:

    pix# sh run
    : Saved
    :
    : [...]
    global (outside) 20 1.2.3.136-1.2.3.254 netmask 255.255.255.128
    :

    (anonymized)

    Any hint?

    Thanks,
    Fredy
    Fredy Kuenzler, Jun 9, 2004
    #1

  2. In article <ca845b$9qm$7.net>,
    Fredy Kuenzler <> wrote:
    :Apparently the problem occurred elsewhere too, however I did not find out
    :whether this is a bug or a feature.

    :http://groups.google.ch/groups?hl=d...r=&ie=UTF-8&q=pix+many-to-many+nat&btnG=Suche
    :> I did some work on a Cisco Pix, and we ran into an issue where if we
    :> did a many to many, once the external ip block filled up, it would
    :> fail to translate any further.

    :I have exactly the same phenomenon.

    :Out of my config:

    :pix# sh run
    :global (outside) 20 1.2.3.136-1.2.3.254 netmask 255.255.255.128

    :Any hint?

    I'm not entirely clear on what the question is.

    The 'global' command has two forms. In the form you show above, each
    distinct system that wishes to go out will be allocated an IP from
    the given range, and ports will NOT be translated in going out:
    the inner host gets the use of -all- of that IP.

    The other form of 'global' has only a single address instead of a range.
    Port address translation is done on that single address.

    If you use both forms of 'global' together in the same configuration,
    then when an internal system wishes to go out, it will try to get
    an external address from the range, and will only use the PAT if the
    range is exhausted.

    When you have a 'global' with an IP range, it is definitely NOT the
    case that the first address will be PAT'd until you have 64K active
    ports, then the second address will be moved on to, and so on. It doesn't
    work that way. If you fill up the entire 64K ports on a PAT, you run
    out of connections and cannot open new ones until some close down.
    --
    Take care in opening this message: My grasp on reality may have shaken
    loose during transmission!
    Walter Roberson, Jun 10, 2004
    #2

  3. paul blitz (Guest)


    > If you use both forms of 'global' together in the same configuration,
    > then when an internal system wishes to go out, it will try to get
    > an external address from the range, and will only use the PAT if the
    > range is exhausted.
    >
    > When you have a 'global' with an IP range, it is definitely NOT the
    > case that the first address will be PAT'd until you have 64K active
    > ports, then the second address will be moved on to, and so on. It doesn't
    > work that way. If you fill up the entire 64K ports on a PAT, you run
    > out of connections and cannot open new ones until some close down.


    That's exactly what we have:

    global (outside) 1 194.xxx.xxx.101-194.xxx.xxx.120
    global (outside) 1 194.xxx.xxx.121

    - so the first 20 hosts making outgoing connections (ie hosts that do not
    have a STATIC address mapping) will use the .101 to .120 addresses... This
    is NAT.. so these 20 hosts use the external address on a unique basis, and
    the source ports do NOT change (think of this as a "changing static
    mapping").

    - when those 20 hosts have used up the 20 addresses, everyone else uses PAT
    on the .121 addresses... so not only are they SHARING the address, the
    source ports will be changed.

    You CAN just have a PAT mapping, so everyone (who doesn't have a static
    mapping) uses the one IP address.



    Paul
    paul blitz, Jun 10, 2004
    #3
  4. paul blitz wrote:
    > That's exactly what we have:
    >
    > global (outside) 1 194.xxx.xxx.101-194.xxx.xxx.120
    > global (outside) 1 194.xxx.xxx.121
    >
    > - so the first 20 hosts making outgoing connections (ie hosts that do
    > not have a STATIC address mapping) will use the .101 to .120
    > addresses... This is NAT.. so these 20 hosts use the external address
    > on a unique basis, and the source ports do NOT change (think of this
    > as a "changing static mapping").
    >
    > - when those 20 hosts have used up the 20 addresses, everyone else
    > uses PAT on the .121 addresses... so not only are they SHARING the
    > address, the source ports will be changed.
    >
    > You CAN just have a PAT mapping, so everyone (who doesn't have a
    > static mapping) uses the one IP address.


    Yep, this works. Thanks. Unfortunately it does not really help, as we do
    a WLAN authentication based on NATed IP addresses. As soon as the last
    PATed IP address is authenticated, any following user can use the access
    for free :-(

    Some further investigation (thanks Rolf):

        show xlate   Display current translation and connection slot information
        show conn    Display connection information

    we could, as a temporary workaround, do

    clear xlate

    every night. But it's rather a hack, right?

    I guess we have to evaluate another firewall :-( still, hopefully the
    info above is useful for someone in the future.

    F.
    Fredy Kuenzler, Jun 12, 2004
    #4
  5. In article <cafrlk$r72$7.net>,
    Fredy Kuenzler <> wrote:
    :Yep, this works. Thanks. Unfortunately it does not really help, as we do
    :a WLAN authentication based on NATed IP addresses. As soon as the last
    :PATed IP address is authenticated, any following user can use the access
    :for free :-(

    Could you re-state the problem? What behaviour are you seeing, and
    what behaviour were you hoping to achieve?

    If you don't want the following users to be able to access the WLAN
    "for free" as you put it, then just don't put in a global statement
    with a single IP address. If all you have is a global statement
    with an IP range, then when the IP range is exhausted, subsequent
    outgoing connections will be refused until an IP becomes free.

    If you have more simultaneous users than you have available static IPs,
    how had you hoped to deal with the issue?
    --
    I've been working on a kernel
    All the livelong night.
    I've been working on a kernel
    And it still won't work quite right. -- J. Benson & J. Doll
    Walter Roberson, Jun 15, 2004
    #5
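As an added illustration (not from any poster in the thread, and not PIX code), here is a small Python model of the 'global' allocation rule Walter and Paul describe, plus the failure mode Fredy runs into when a gateway authenticates by NATed source IP: once the PAT address is in play, a never-authenticated host shares an outside IP that the gateway already trusts, whereas a range-only pool simply refuses the translation. The addresses are constructed TEST-NET values and the gateway is a stand-in, not any real product.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the PIX 'global' pool behaviour described in the thread.
# A range is dynamic NAT: one outside IP per inside host, source port kept.
# A single address is PAT: one shared outside IP, source port rewritten.
# Both under the same pool id: the range is used first, PAT only once exhausted.


@dataclass
class GlobalPool:
    nat_range: List[IPv4Address]                       # 'global (outside) 1 a-b'
    pat_addr: Optional[IPv4Address] = None             # 'global (outside) 1 x'
    xlate: Dict[str, IPv4Address] = field(default_factory=dict)  # inside host -> outside IP
    next_pat_port: int = 1024

    def translate(self, host: str, src_port: int) -> Optional[Tuple[IPv4Address, int]]:
        """Outside (ip, port) for a new connection from host, or None if refused."""
        if host not in self.xlate:
            in_use = set(self.xlate.values())
            free = [a for a in self.nat_range if a not in in_use]
            if free:
                self.xlate[host] = free[0]                 # whole outside IP to this host
            elif self.pat_addr is not None:
                self.xlate[host] = self.pat_addr           # range full: fall back to PAT
            else:
                return None                                # range full, no PAT: refused
        outside = self.xlate[host]
        if outside == self.pat_addr:
            self.next_pat_port += 1                        # PAT rewrites the source port
            return outside, self.next_pat_port
        return outside, src_port                           # NAT keeps the source port

    def clear_xlate(self) -> None:
        """The 'clear xlate' workaround from the thread: drop every translation."""
        self.xlate.clear()


# Constructed documentation-range addresses standing in for the anonymized ones.
RANGE = [IPv4Address("198.51.100.101"), IPv4Address("198.51.100.102")]
PAT = IPv4Address("198.51.100.121")


def free_rider_gets_through(pool: GlobalPool) -> bool:
    """Gateway that trusts a NATed source IP once it has authenticated (the thread's
    setup). Hosts a, b, c log in; host d never does. True if d is let through anyway."""
    authenticated: Set[IPv4Address] = set()
    for user in ("a", "b", "c"):
        xl = pool.translate(user, 40000)
        if xl is not None:
            authenticated.add(xl[0])           # gateway remembers the outside IP only
    d = pool.translate("d", 40001)
    return d is not None and d[0] in authenticated
```

With PAT configured the function returns True (host d rides on the trusted .121 address); with the range alone it returns False because d's connection is refused at the PIX.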