Re: Cisco PIX many-to-many NAT problem

Discussion in 'Cisco' started by Fredy Kuenzler, Jul 15, 2004.

  1. Fredy Kuenzler wrote:
    >> I did some work on a Cisco Pix, and we ran into an issue where if
    >> we did a many to many, once the external ip block filled up, it
    >> would fail to translate any further.
    >
    > I have exactly the same phenomenon.


    For the record: I finally found a workaround, using a Cisco router
    instead of the PIX. I used a 2621; any Cisco router with two
    Ethernet interfaces should do the job.

    Sample config (anonymized addresses):

    !
    interface FastEthernet0/0
     ip address 1.2.3.130 255.255.255.128
     ip nat outside
    !
    interface FastEthernet0/1
     ip address 192.168.4.1 255.255.252.0
     ip nat inside
    !
    ! idle translations expire after 600 s (the IOS default is 86400 s)
    ip nat translation timeout 600
    ! dynamic one-to-one pool: .131-.254 on the outside /25
    ip nat pool DYN 1.2.3.131 1.2.3.254 netmask 255.255.255.128
    ! translate sources matched by access-list 1 using the pool
    ip nat inside source list 1 pool DYN
    ip route 0.0.0.0 0.0.0.0 1.2.3.129
    !
    ! inside LAN eligible for translation
    access-list 1 permit 192.168.4.0 0.0.3.255
    !


    Maybe this sample config is useful for someone.

    F.
     
    Fredy Kuenzler, Jul 15, 2004
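    The pool in the config above is still allocated one outside address per
    inside host, so it can fill up on the router exactly as it did on the
    PIX; the shorter timeout only makes addresses come back faster. The
    following is an added example, not Fredy's config and not Cisco's
    documentation: the same router setup with the IOS "overload" keyword,
    which lets several inside hosts share one pool address (port
    translation), plus the show commands for checking the pool. Addresses
    are the post's anonymized 1.2.3.0/25 and 192.168.4.0/22; the "overload"
    keyword and the 86400 s default are assumed from IOS 12.x behaviour.

```cisco
! Added example (not from the original post): the router-based dynamic
! NAT above, with port overloading so the pool cannot be exhausted by
! one-address-per-host allocation.
!
interface FastEthernet0/0
 ip address 1.2.3.130 255.255.255.128
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.252.0
 ip nat inside
!
! Idle translations are released after 600 s instead of the IOS default
! of 86400 s (24 h), so pool addresses recycle quickly.
ip nat translation timeout 600
!
! Same pool as the post: 124 addresses, .131 to .254 on the outside /25.
ip nat pool DYN 1.2.3.131 1.2.3.254 netmask 255.255.255.128
!
! "overload" = PAT: several inside hosts share one pool address,
! distinguished by TCP/UDP port. Drop the keyword only if a protocol
! behind it needs a strict 1:1 mapping.
ip nat inside source list 1 pool DYN overload
!
ip route 0.0.0.0 0.0.0.0 1.2.3.129
!
! Only the inside LAN is eligible for translation; other sources on
! FastEthernet0/1 are not translated (and should be dropped by an
! interface ACL as well).
access-list 1 permit 192.168.4.0 0.0.3.255
!
! Checks once traffic flows:
!   show ip nat translations   - active entries (Inside local/global)
!   show ip nat statistics     - per-pool "allocated n (x%), misses m";
!                                a rising "misses" count on the pool line
!                                means allocations are failing
!   clear ip nat translation * - flush the table if the pool is wedged
```

    Without "overload", "show ip nat statistics" is the place to confirm
    the original symptom: the pool line reaches 124 allocated (100%) and
    the pool "misses" counter climbs with every new inside host.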

  2. Kevin Widner (Guest) wrote:

    Fredy Kuenzler <> wrote in message news:<cd6lje$t6$7.net>...
    > Fredy Kuenzler wrote:
    > >> I did some work on a Cisco Pix, and we ran into an issue where if
    > >> we did a many to many, once the external ip block filled up, it
    > >> would fail to translate any further.
    > >
    > > I have exactly the same phenomenon.
    >
    > For the record: I finally found a workaround, using a Cisco router
    > instead of the PIX. I used a 2621, any Cisco router with dual
    > ethernet interface should do the job.
    >
    > Sample config (anonymized address):
    >
    > !
    > interface FastEthernet0/0
    > ip address 1.2.3.130 255.255.255.128
    > ip nat outside
    > !
    > interface FastEthernet0/1
    > ip address 192.168.4.1 255.255.252.0
    > ip nat inside
    > !
    > ip nat translation timeout 600
    > ip nat pool DYN 1.2.3.131 1.2.3.254 netmask 255.255.255.128
    > ip nat inside source list 1 pool DYN
    > ip route 0.0.0.0 0.0.0.0 1.2.3.129
    > !
    > access-list 1 permit 192.168.4.0 0.0.3.255
    > !
    >
    >
    > Maybe this sample config is useful for someone.
    >
    > F.



    Unless I am missing something here, the only thing you would have had
    to do on the PIX was add the command - timeout xlate 10:00, thus
    achieving the same thing as your command "ip nat translation timeout
    600".

    The default timeout value for translations on a PIX is 3 hours I
    think.
    timeout [xlate hh[:mm[:ss]]]

    Kevin
     
    Kevin Widner, Jul 16, 2004
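    For comparison, the PIX-side counterpart of the router config, as an
    added example that is not part of Kevin's or Fredy's posts: PIX 6.x
    syntax with the same anonymized addresses. Assumed, not taken from the
    thread: interface names "outside" and "inside", the PIX 6.x rule that a
    second single-address global with the same NAT ID is used for PAT once
    the pool is empty, and the hh:mm:ss reading of the timeout argument.

```cisco
! Added example (not from the original thread): PIX 6.x equivalent of
! the router config, with a PAT fallback so new connections still
! translate after the dynamic pool is exhausted.
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.2.3.130 255.255.255.128
ip address inside 192.168.4.1 255.255.252.0
!
! Dynamic pool, same range as the router's "pool DYN" (NAT ID 1).
global (outside) 1 1.2.3.131-1.2.3.254 netmask 255.255.255.128
!
! Second global with the same NAT ID on the interface address: PIX hands
! out pool addresses first and switches to PAT on this address only when
! the pool is depleted, which is the failure the thread describes.
global (outside) 1 interface
!
! Inside hosts eligible for translation under NAT ID 1.
nat (inside) 1 192.168.4.0 255.255.252.0
!
! timeout xlate takes hh:mm:ss and defaults to 3:00:00 (three hours).
! 0:10:00 is the ten-minute value that matches
! "ip nat translation timeout 600" on IOS.
timeout xlate 0:10:00
!
route outside 0.0.0.0 0.0.0.0 1.2.3.129 1
!
! Checks:
!   show xlate        - current translations, one line per entry
!   show xlate count  - in-use versus most-used counters
!   clear xlate       - drop all translations (existing sessions break)
```

    Watch the argument format: with a two-field value the PIX reads the
    first field as hours, so a ten-minute xlate timeout needs the leading
    "0:" as written above.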
