Per-user NAT IP address assignment in PIX. Please help!!

Discussion in 'Cisco' started by Antonio Arias, Jun 13, 2004.

  1. Hello all,

    I need to perform a per-user NAT translation and can't figure out if
    this can be accomplished with PIX and ACS:

    When an authenticated user gets access to my inside network, I need to
    perform NAT to assign each one a specified IP address, maybe storing
    the address in each user or group profile in ACS.

    This is because of requirements of a web application inside the
    firewall, which performs authentication based on IP - no way to change
    this app.

    Any suggestions on whether this can be accomplished or definitely
    not would be much appreciated.

    Thanks a lot.

    A. Arias.
     
    Antonio Arias, Jun 13, 2004
    #1

  2. Hi Antonio,

    I don't believe NAT alone is going to do what you need, other than provide a
    mechanism for a translation from an outside address to an inside address.

    However, you might look into 802.1x Authentication as it provides some
    per-user dynamic ACL capabilities. The documentation indicates 802.1x can
    pass per-user information such as an IP address from a RADIUS server, which
    can be dynamically assigned to create an ACL on a multi-layer switch.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/sw8021x.htm#wp1096673

    Once assigned, I'm wondering if an ACL such as this can be used somehow with
    NAT or DHCP to provide a pre-assigned or re-assigned inside network address
    to an authenticated user.

    This is an attempt at brainstorming, however, and may not bear much
    resemblance to the real world. But it might make a good research item for
    yours or similar projects.

    FWIW,
    Bob

     
    Bob by The Bay, Jun 13, 2004
    #2

  3. Bob,

    Thank you for your suggestions, I'll have a look at 802.1x, although
    I'm afraid it isn't supported by PIX yet, only switches / WLANs.

    Guess we will have to develop st using ipchains / apache.


     
    Antonio Arias, Jun 15, 2004
    #3
