implementing pat

jlhainy
Level 2

I have a little bit of confusion on implementing global address pools and PAT. I want to do a many-to-one translation. I have a FWSM that has a /24 network bound to an interface for guest wireless. All I want to do is use private IP addresses and have them translated. I am not sure where the translation needs to take place or how to configure it.


7 Replies

Jouni Forss
VIP Alumni

Hi,

If the case is that you simply want to provide some guest network PAT translation towards Internet then generally the very basic format for PAT configuration is

global (outside) 1 interface

nat (guest) 1 10.10.10.0 255.255.255.0

This would do the following

  • Source address for the PAT is the network 10.10.10.0/24
    • You can have multiple lines with different networks for the same ID number (1 in this case)
  • The PAT address used in this case is the "outside" interface IP address that is specified by the "interface" keyword in the "global" configuration command.

Hopefully that helps and if not please do ask more.

- Jouni

Do you have to use the address of the outside interface? Can you use a different address? If you can use a different address, does it have to be in the same subnet as the outside interface IP address?

Hi,

No, you don't have to use the IP address of the "outside" interface.

You can either use a single IP address

global (outside) 1 1.1.1.1

Or you can use a range of IP addresses

global (outside) 1 1.1.1.1-1.1.1.253

The IP address(es) don't have to be from the subnet/network that the interface belongs to. Naturally, if you are using different addresses than the actual interface IP address space, then you have to make sure that there is routing for this new address space pointing towards the said interface from the upstream router.

- Jouni

So, I need to make sure that there is a route on the upstream router that contains the IPs I want to use as the global addresses and just point them to the outside interface of the firewall. Seems basic enough. I will have to try it out next Monday.

OK, one other question. Is there any way to send the translation tables to a syslog server to be logged? I may need a way to track users from the Internet to their private IP. Looking for an easy way to do that.

Hi,

A pretty basic configuration I use would be

logging on

logging trap informational

logging device-id hostname

logging host <interface_name> <syslog_server_ip>

Where

  • <interface_name> = Is the "nameif" value configured under the interface behind which the Syslog server is configured
  • <syslog_server_ip> = Is naturally the IP address of the Syslog server

Notice that the Syslog level "informational" by default logs EVERY connection formed and torn down. It also logs EVERY translation formed and torn down. So depending on the environment it might create a big number of logs.

A bit more fine tuning of the logging configurations is needed if the log amount is too much.

- Jouni
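Jouni's note that informational logging records every translation built and torn down is what makes the tracking asked for earlier (public IP back to private IP) possible. The following is an added example, not code from this thread; it assumes the standard FWSM/ASA 305011 (Built) and 305012 (Teardown) translation message format with "logging timestamp" enabled, and uses constructed log lines with a hypothetical hostname. Because PAT reuses one public port for different hosts over time, the lookup must be bound to a point in time, not just to the public IP and port.

```python
import re
from datetime import datetime

# Assumed message shape of FWSM/ASA syslog IDs 305011 (built) and 305012 (teardown).
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d).*?%(?:FWSM|ASA)-6-3050(?P<id>1[12]): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP|ICMP) translation from "
    r"\w+:(?P<real>[\d.]+)/(?P<real_port>\d+) to \w+:(?P<mapped>[\d.]+)/(?P<mapped_port>\d+)"
)

def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def build_translations(lines):
    """Pair Built/Teardown translation messages into records with start/end times."""
    open_xlates, records = {}, []
    for line in lines:
        m = XLATE_RE.search(line)
        if not m:
            continue  # not a PAT translation message (connection logs etc. are skipped)
        key = (m["proto"], m["mapped"], int(m["mapped_port"]))
        ts = parse_ts(m["ts"])
        if m["id"] == "11":  # translation built: open a new record for this mapped ip/port
            rec = {"key": key, "real": m["real"], "real_port": int(m["real_port"]),
                   "start": ts, "end": None}
            open_xlates[key] = rec
            records.append(rec)
        else:  # translation torn down: close the matching open record, if its Built was seen
            rec = open_xlates.pop(key, None)
            if rec is not None:
                rec["end"] = ts
    return records

def who_was_behind(records, proto, mapped_ip, mapped_port, at):
    """Return (private_ip, private_port) holding the mapped ip/port at datetime 'at', else None."""
    for rec in records:
        if rec["key"] != (proto, mapped_ip, mapped_port):
            continue
        if rec["start"] <= at and (rec["end"] is None or at < rec["end"]):
            return rec["real"], rec["real_port"]
    return None

# Constructed sample lines; "fwsm-guest" is a hypothetical hostname from "logging device-id hostname".
SAMPLE_LOG = """\
Jan 10 2014 10:15:02 fwsm-guest : %FWSM-6-305011: Built dynamic TCP translation from guest:10.10.10.5/51234 to outside:1.1.1.1/1025
Jan 10 2014 10:15:02 fwsm-guest : %FWSM-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.9/80 (203.0.113.9/80) to guest:10.10.10.5/51234 (1.1.1.1/1025)
Jan 10 2014 10:17:30 fwsm-guest : %FWSM-6-305012: Teardown dynamic TCP translation from guest:10.10.10.5/51234 to outside:1.1.1.1/1025 duration 0:02:28
Jan 10 2014 10:18:05 fwsm-guest : %FWSM-6-305011: Built dynamic TCP translation from guest:10.10.10.77/40001 to outside:1.1.1.1/1025
"""
```

Calling `who_was_behind(build_translations(SAMPLE_LOG.splitlines()), "TCP", "1.1.1.1", 1025, parse_ts("Jan 10 2014 10:16:00"))` returns the first guest host, while the same query for 10:20:00 returns the second host that later received the same public port.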

jocamare
Level 4

This file might help:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

You will need two commands:

1- Nat (inside*) 1

2- Global (outside*) 1 <Pat IP>

*names may vary depending on your configuration.
