From: Richard Mott (richpmott@xxxxxxxxxxx)
Date: Mon Aug 28 2000 - 20:45:49 GMT-3
To the best of my knowledge you can only define one PAT address PER
INTERFACE. You should be able to define one PAT address for outside and one
PAT address for DMZ.

global (outside) 1 x.x.x.1-x.x.x.1
global (DMZ) 2 x.x.x.16-x.x.x.16

As of PIX IOS 5.1(2) (I haven't tested this yet), you can now add duplicate
route commands with different gateways and metrics.
Check out the release notes for 5.1(2).

Rich Mott
CCIE #5234 (R&S)(ISP/Dial)
Internetwork Solutions Engineer
Thrupoint INC

>From: "Price, Jamie" <jprice@isgteam.com>
>Reply-To: "Price, Jamie" <jprice@isgteam.com>
>To: ccielab@groupstudy.com
>Subject: Pix PAT addresses
>Date: Mon, 28 Aug 2000 00:32:30 -0500
>
>Hi Guys,
>
>I've got a scenario where 2 companies are using 1 Pix for inet access. One,
>subnet A, enters the Pix on interface 1, the other, subnet B, enters the Pix
>on Interface 2 - or the "DMZ". Obviously they are sharing the same public
>IP block. This is a /27 range. For address allocation, this block has been
>split down the middle - each company receiving 15 addresses. Each company
>then sacrifices one address each for the upstream router and outside Pix
>address, leaving them with 14 each.
>
>I wanted to segment traffic outbound from the Pix so that should bandwidth
>consumption become an issue then each company would each be ensured 50%
>bandwidth on the Inet connection. My thoughts were that at the upstream
>router I could utilize custom queueing to ensure this by creating access
>lists with a /28 mask i.e. access list 100 identifying the first 16
>addresses in the block of 32, access list 101 identifying the next 16, then
>apply those lists to the queues (say queue 1 at 3000 bytes, queue 2 at 3000
>bytes and the default queue at 1500) my theory being that if each subnet has
>its own queue then a third default queue would effectively always be empty
>(but still there to catch any possible oversights) and therefore traffic
>could be evenly distributed. I realize that all broadcasts and traffic bound
>for the Pix interface would be the burden of the company that had that
>address in its range, but that traffic is minimal and an accepted overhead.
>
>However I was under the mistaken assumption that I would be able to
>configure more than one PAT address on the outside interface. My intentions
>were to assign PAT address 1 - i.e. global (outside) 1 x.x.x.1-x.x.x.1 - to
>subnet A and PAT address 2 - i.e. global (outside) 2 x.x.x.16-x.x.x.16 - to
>subnet B - and then match the appropriate nat-id's to the global commands.
>
>You can't assign more than one PAT address to an interface - the Pix clearly
>tells you one is already created and simply doesn't add the new. Quite
>obviously if both inside interfaces have to utilize one PAT address then the
>whole equal distribution plan goes out the window.
>
>Can anyone think of a config workaround to assigning multiple Global PAT
>addresses to the outside interface of a Pix - or an alternative way to
>achieving the goal?
>
>Also any thoughts on this whole theory that I had on equal distribution (for
>example - if it would even work) would also be greatly appreciated.
>
>Thanks
>
>Jamie
>
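
The queueing plan and the single-PAT problem discussed in this thread, modelled as an added example that is not part of either poster's message: it classifies traffic by translated source address into the two /28 halves and computes each queue's share of the link. Assumptions: 192.0.2.0/27 is a constructed stand-in for the masked x.x.x.0 block, and the scheduler is a simplified model of custom queueing (round-robin, whole packets sent until the byte count is reached); the third case goes beyond the thread to show how unequal packet sizes skew the split.

```python
import ipaddress

# Constructed stand-in for the shared /27 (the thread masks it as x.x.x.0).
BLOCK = ipaddress.ip_network("192.0.2.0/27")
HALF_A, HALF_B = BLOCK.subnets(new_prefix=28)  # what access lists 100 and 101 would match
BYTE_COUNT = {1: 3000, 2: 3000, 3: 1500}       # byte counts from the post; 3 = default queue


def classify(translated_src):
    """Pick the queue from the source address the upstream router sees (post-NAT)."""
    addr = ipaddress.ip_address(translated_src)
    if addr in HALF_A:
        return 1
    if addr in HALF_B:
        return 2
    return 3


def shares(flows, rounds=1000):
    """flows: (translated_src, packet_size) pairs, each always backlogged.

    Simplified model of custom queueing: queues are served round-robin, and a
    queue keeps sending whole packets until its byte count is reached.
    Returns each queue's fraction of the bytes sent.
    """
    backlog = {q: [] for q in BYTE_COUNT}
    for src, size in flows:
        backlog[classify(src)].append(size)
    sent = dict.fromkeys(BYTE_COUNT, 0)
    nxt = dict.fromkeys(BYTE_COUNT, 0)
    for _ in range(rounds):
        for q, sizes in backlog.items():
            turn = 0
            while sizes and turn < BYTE_COUNT[q]:
                turn += sizes[nxt[q] % len(sizes)]
                nxt[q] += 1
            sent[q] += turn
    total = sum(sent.values())
    return {q: round(sent[q] / total, 3) for q in sent}


if __name__ == "__main__":
    # One PAT address per company, one in each /28 half (the intended design).
    print(shares([("192.0.2.1", 1500), ("192.0.2.16", 1500)]))
    # Both companies behind a single PAT address: everything lands in queue 1.
    print(shares([("192.0.2.1", 1500), ("192.0.2.1", 1500)]))
    # Different packet sizes: whole-packet sends skew the split.
    print(shares([("192.0.2.1", 1500), ("192.0.2.16", 1100)]))
```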