From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Mon Aug 28 2000 - 13:53:52 GMT-3
Title: Pix PAT addresses
Another option is to use 2 addresses for global PAT, something like
the example below.
For example,
Our 2 legal IP addresses: 12.12.12.1/24, 12.12.12.2/24
Our 2 illegal segments: 192.168.100.0/24, 192.168.200.0/24
global (outside) 1 12.12.12.1 netmask 255.255.255.0
global (outside) 2 12.12.12.2 netmask 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 2 192.168.200.0 255.255.255.0
This will do 2 different PATs for 2 different segments.
About adjusting 50% for each segment: the PIX is made to be a
security device, not a load balancer. You will be better off leaving
it as a security device only. Otherwise you will end up slowing it
down.
Sam
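As an added worked example, not part of Sam's or Jamie's posts: the two-nat_id PAT layout above, combined with the custom-queueing plan from Jamie's original question, written out for a PIX (5.x-style syntax, as used in the thread) and for the IOS upstream router. The public block 203.0.113.0/27, the interface names, the inside ranges, and the choice of .1 for the router, .17 for the PIX outside address and .3/.18 for the two PAT addresses are all assumptions for illustration; adjust them to the real /27.

```text
: --- PIX (assumed addressing; lines beginning with ':' are comments) ---
: Public /27 is 203.0.113.0/27, split into 203.0.113.0/28 (company A)
: and 203.0.113.16/28 (company B).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.17 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.200.1 255.255.255.0
: Company A (inside) -> PAT on an address in the first /28
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 203.0.113.3 netmask 255.255.255.224
: Company B (dmz) -> PAT on an address in the second /28
nat (dmz) 2 192.168.200.0 255.255.255.0
global (outside) 2 203.0.113.18 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Upstream IOS router (assumed interface names) ---
! Match each company's half of the /27 by source address, since
! outbound traffic leaves the PIX already translated to its PAT address.
access-list 100 permit ip 203.0.113.0 0.0.0.15 any
access-list 101 permit ip 203.0.113.16 0.0.0.15 any
!
! Custom queueing: two equal queues plus a small default queue
queue-list 1 protocol ip 1 list 100
queue-list 1 protocol ip 2 list 101
queue-list 1 queue 1 byte-count 3000
queue-list 1 queue 2 byte-count 3000
queue-list 1 default 3
queue-list 1 queue 3 byte-count 1500
!
interface Serial0
 description Link to the Internet
 custom-queue-list 1
```

Two things to check once this is in place. On the PIX, `show global` should list both PAT addresses under their own nat_id, and `show xlate` should show company A's connections translated to .3 and company B's to .18; if both appear behind one address, a `nat` line is pointing at the wrong nat_id. On the router, custom queueing only acts on traffic leaving the interface it is applied to, so the configuration above governs the upload direction; the download direction would need a second custom-queue-list on the interface facing the PIX, with access lists keyed on destination rather than source. With the PIX outside address sitting in company B's half, the PIX's own traffic is counted against queue 2, which is the overhead Jamie's post already accepts.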
----- Original Message -----
From: Scott Morris
To: 'Price, Jamie'
Cc: ccielab@groupstudy.com
Sent: Monday, August 28, 2000 5:34 AM
Subject: RE: Pix PAT addresses
Well.... There's no "great" way to load balance it well. You can
only have one PAT pool, as you're finding out.
Now, on the other hand, you can specify two separate pools for your
global, and just have a really short xlate timeout value, so those
pools get re-used for connections quickly. But that's not pretty
with the small number of IPs that you have (not sure how many statics
you're doing).
The other thing to think about is that you could do PAT on each of the
companies' routers, and then just do a static for those two IPs used
(NAT0?) on the PIX. So while the PIX is maintaining a connection
table and monitoring the ports, the other routers are actually
handling the NAT or PAT in this instance.
Just a thought for you; it'll distribute the workload at that point
and accomplish what you want.
Hope that helps!
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Price, Jamie
Sent: Monday, August 28, 2000 1:33 AM
To: ccielab@groupstudy.com
Subject: Pix PAT addresses
Hi Guys,
I've got a scenario where 2 companies are using 1 PIX for Internet
access. One, subnet A, enters the PIX on interface 1; the other,
subnet B, enters the PIX on interface 2, or the "DMZ". Obviously
they are sharing the same public IP block. This is a /27 range.
For address allocation, this block has been split down the middle,
each company receiving 16 addresses. Each company then sacrifices
one address each for the upstream router and outside PIX address,
leaving them with 15 each.
I wanted to segment traffic outbound from the PIX so that, should
bandwidth consumption become an issue, each company would be
assured 50% of the bandwidth on the Internet connection. My thoughts
were that at the upstream router I could utilize custom queueing to
ensure this by creating access lists with a /28 mask, i.e. access
list 100 identifying the first 16 addresses in the block of 32 and
access list 101 identifying the next 16, then applying those lists to
the queues (say queue 1 at 3000 bytes, queue 2 at 3000 bytes and
the default queue at 1500), my theory being that if each subnet has
its own queue then a third default queue would effectively always
be empty (but still there to catch any possible oversights) and
therefore traffic could be evenly distributed. I realize that all
broadcasts and traffic bound for the PIX interface would be the
burden of the company that had that address in its range, but that
traffic is minimal and an accepted overhead.
However, I was under the mistaken assumption that I would be able to
configure more than one PAT address on the outside interface. My
intention was to assign PAT address 1, i.e. global (outside) 1
x.x.x.1-x.x.x.1, to subnet A and PAT address 2, i.e. global
(outside) 2 x.x.x.16-x.x.x.16, to subnet B, and then match the
appropriate nat-ids to the global commands.
You can't assign more than one PAT address to an interface; the PIX
clearly tells you one is already created and simply doesn't add the
new one. Quite obviously, if both inside interfaces have to utilize
one PAT address then the whole equal distribution plan goes out the
window.
Can anyone think of a config workaround to assigning multiple
global PAT addresses to the outside interface of a PIX, or an
alternative way of achieving the goal?
Also, any thoughts on this whole theory that I had on equal
distribution (for example, whether it would even work) would be
greatly appreciated.
Thanks
Jamie
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:31 GMT-3