Pix PAT addresses

From: Price, Jamie (jprice@xxxxxxxxxxx)
Date: Mon Aug 28 2000 - 02:32:30 GMT-3


    
   Hi Guys,
   
   I've got a scenario where 2 companies are using 1 Pix for inet
   access. One, subnet A, enters the Pix on interface 1, the other,
   subnet B, enters the Pix on Interface 2 - or the "DMZ". Obviously
   they are sharing the same public IP block. This is a /27 range. For
   address allocation, this block has been split down the middle - each
   company receiving 15 addresses. Each company then sacrifices one
   address each for the upstream router and outside Pix address, leaving
   them with 14 each.
   
   I wanted to segment traffic outbound from the Pix so that should
   bandwidth consumption become an issue then each company would be
   ensured 50% bandwidth on the Inet connection. My thoughts were that
   at the upstream router I could utilize custom queueing to ensure this
   by creating access lists with a /28 mask i.e. access list 100
   identifying the first 16 addresses in the block of 32, access list 101
   identifying the next 16, then apply those lists to the queues (say
   queue 1 at 3000 bytes, queue 2 at 3000 bytes and the default queue at
   1500) my theory being that if each subnet has its own queue then a
   third default queue would effectively always be empty (but still there
   to catch any possible oversights) and therefore traffic could be
   evenly distributed. I realize that all broadcasts and traffic bound
   for the Pix interface would be the burden of the company that had that
   address in its range, but that traffic is minimal and an accepted
   overhead.
   
   However I was under the mistaken assumption that I would be able to
   configure more than one PAT address on the outside interface. My
   intentions were to assign PAT address 1 - i.e. global (outside) 1
   x.x.x.1-x.x.x.1 - to subnet A and PAT address 2 - i.e. global
   (outside) 2 x.x.x.16-x.x.x.16 - to subnet B - and then match the
   appropriate nat-ids to the global commands.
   
   You can't assign more than one PAT address to an interface - the Pix
   clearly tells you one is already created and simply doesn't add the
   new. Quite obviously if both inside interfaces have to utilize one
   PAT address then the whole equal distribution plan goes out the
   window.
   
   Can anyone think of a config workaround to assigning multiple Global
   PAT addresses to the outside interface of a Pix - or an alternative
   way to achieving the goal?
   
   Also any thoughts on this whole theory that I had on equal
   distribution (for example - if it would even work) would also be
   greatly appreciated.
   
   Thanks
   
   Jamie
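
The router-side custom queueing that the post sketches, written out as an added example. This is not configuration from the original post or from Jamie's network; the public block 192.0.2.0/27 (a documentation range), the interface names Serial0 and FastEthernet0, and access lists 102/103 for the return direction are assumptions made here. The byte counts (3000, 3000 and 1500 for the default queue) are the ones the post proposes.

```cisco
! Added example, not from the original post. Assumes the shared /27 is
! 192.0.2.0/27, that the upstream router reaches the Internet via Serial0
! and faces the outside interface of the Pix on FastEthernet0.
!
! Outbound classification by translated source address. Each /28 half
! of the /27 is 16 addresses, so the wildcard mask is 0.0.0.15.
! Company A: 192.0.2.0 - 192.0.2.15
access-list 100 permit ip 192.0.2.0 0.0.0.15 any
! Company B: 192.0.2.16 - 192.0.2.31
access-list 101 permit ip 192.0.2.16 0.0.0.15 any
!
! Return traffic towards the Pix, classified by destination instead.
access-list 102 permit ip any 192.0.2.0 0.0.0.15
access-list 103 permit ip any 192.0.2.16 0.0.0.15
!
! Custom queue list 1: traffic leaving towards the Internet.
! Queue 1 = company A, queue 2 = company B, queue 3 = default catch-all
! (should stay empty if the access lists cover the whole /27).
queue-list 1 protocol ip 1 list 100
queue-list 1 protocol ip 2 list 101
queue-list 1 default 3
queue-list 1 queue 1 byte-count 3000
queue-list 1 queue 2 byte-count 3000
queue-list 1 queue 3 byte-count 1500
!
! Custom queue list 2: the same split for traffic going back to the Pix.
queue-list 2 protocol ip 1 list 102
queue-list 2 protocol ip 2 list 103
queue-list 2 default 3
queue-list 2 queue 1 byte-count 3000
queue-list 2 queue 2 byte-count 3000
queue-list 2 queue 3 byte-count 1500
!
interface Serial0
 custom-queue-list 1
!
interface FastEthernet0
 custom-queue-list 2
```

Custom queueing serves the queues round-robin, sending up to the configured byte-count from each queue per pass, so with both company queues backlogged the 3000:3000 setting gives an even split; when one company is idle its pass is skipped and the other company takes the whole link, which is usually the behaviour wanted for a shared circuit. The split only has any effect on an interface that is actually congested, which in this layout is the Serial0 side; the Ethernet towards the Pix will rarely queue at all. As the post notes, the router's and the Pix's own addresses fall inside one company's /28 and are counted against that queue.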



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:31 GMT-3