Re: Pix PAT addresses

From: Tony Medeiros (tonygreat@xxxxxxxx)
Date: Mon Aug 28 2000 - 03:10:15 GMT-3


   I believe the last used address in both of your global pools will be
   PAT'ed anyway when all the addresses in the pools are used up. So your
   idea should work fine.
   Tony
   
   ----- Original Message -----
   
   From: Price, Jamie
   
   To: ccielab@groupstudy.com
   
   Sent: Sunday, August 27, 2000 10:32 PM
   
   Subject: Pix PAT addresses
   
     Hi Guys,
     
     I've got a scenario where 2 companies are using 1 Pix for inet
     access. One, subnet A, enters the Pix on interface 1, the other,
     subnet B, enters the Pix on Interface 2 - or the "DMZ". Obviously
     they are sharing the same public IP block. This is a /27 range.
     For address allocation, this block has been split down the middle -
     each company receiving 15 addresses. Each company then sacrifices
     one address each for the upstream router and outside Pix address,
     leaving them with 14 each.
     
     I wanted to segment traffic outbound from the Pix so that should
     bandwidth consumption become an issue then each company would each
     be ensured 50% bandwidth on the Inet connection. My thoughts were
     that at the upstream router I could utilize custom queueing to
     ensure this by creating access lists with a /28 mask i.e. access
     list 100 identifying the first 16 addresses in the block of 32,
     access list 101 identifying the next 16, then apply those lists to
     the queues (say queue 1 at 3000 bytes, queue 2 at 3000 bytes and
     the default queue at 1500) my theory being that if each subnet has
     its own queue then a third default queue would effectively always
     be empty (but still there to catch any possible oversights) and
     therefore traffic could be evenly distributed. I realize that all
     broadcasts and traffic bound for the Pix interface would be the
     burden of the company that had that address in its range, but that
     traffic is minimal and an accepted overhead.
     
     However I was under the mistaken assumption that I would be able to
     configure more than one PAT address on the outside interface. My
     intentions were to assign PAT address 1 - i.e. global (outside) 1
     x.x.x.1-x.x.x.1 - to subnet A and PAT address 2 - i.e. global
     (outside) 2 x.x.x.16-x.x.x.16 - to subnet B - and then match the
     appropriate nat-ids to the global commands.
     
     You can't assign more than one PAT address to an interface - the Pix
     clearly tells you one is already created and simply doesn't add the
     new. Quite obviously if both inside interfaces have to utilize one
     PAT address then the whole equal distribution plan goes out the
     window.
     
     Can anyone think of a config workaround to assigning multiple
     Global PAT addresses to the outside interface of a Pix - or an
     alternative way to achieving the goal?
     
     Also any thoughts on this whole theory that I had on equal
     distribution (for example - if it would even work) would also be
     greatly appreciated.
     
     Thanks
     
     Jamie
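The custom-queueing half of Jamie's plan, written out as a constructed IOS configuration (an added example, not from the thread); 203.0.113.0/27 stands in for the shared public /27, Serial0 is assumed to face the upstream ISP and Ethernet0 the Pix, and it also covers the return direction the post does not spell out:

```cisco
! Constructed example: 203.0.113.0/27 stands in for the shared public block,
! Serial0 faces the upstream ISP, Ethernet0 faces the Pix outside interface.
!
! Per-company classification: each /28 half of the /27 gets its own ACL.
! Outbound (toward the Internet) we match on the translated source address,
! which is what the Pix global pools hand out.
access-list 100 permit ip 203.0.113.0 0.0.0.15 any
access-list 101 permit ip 203.0.113.16 0.0.0.15 any
! Return traffic (from the Internet) is classified on the destination instead.
access-list 102 permit ip any 203.0.113.0 0.0.0.15
access-list 103 permit ip any 203.0.113.16 0.0.0.15
!
! Custom queue list for the upstream link: queue 1 = company A, queue 2 =
! company B, queue 3 = default. The default should stay nearly empty, but it
! catches anything the ACLs miss so that traffic is never silently starved.
queue-list 1 protocol ip 1 list 100
queue-list 1 protocol ip 2 list 101
queue-list 1 default 3
queue-list 1 queue 1 byte-count 3000
queue-list 1 queue 2 byte-count 3000
queue-list 1 queue 3 byte-count 1500
!
! Same scheme for the link back toward the Pix, using the destination ACLs.
queue-list 2 protocol ip 1 list 102
queue-list 2 protocol ip 2 list 103
queue-list 2 default 3
queue-list 2 queue 1 byte-count 3000
queue-list 2 queue 2 byte-count 3000
queue-list 2 queue 3 byte-count 1500
!
! Custom queueing only acts on an interface's outbound direction, so each
! list is applied on the interface the traffic leaves through.
interface Serial0
 custom-queue-list 1
interface Ethernet0
 custom-queue-list 2
```

The byte counts only divide bandwidth while both queues are backlogged, and every flow that leaves the Pix on a shared PAT address carries the same source and therefore lands in one queue, which is exactly the limitation the post runs into.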



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:31 GMT-3