Re: Overloading an IP address on PIX 525

mbettis · ‎06-14-2001

Can you overload an external IP address on the PIX 525?

millerv · ‎06-14-2001

Don't think so. Its NAT doesn't quite behave the same

on a Pix as is does on a router. If you have some

address limitations, do this:

set up a global pool but don't use all the registered

addresses.

save a registered address for Port Address Translation. There should be an example in the book

javedmma · ‎06-14-2001

There are a few things to consider when using PAT:

The IP addresses you specify for PAT cannot be in another global address pool.

PAT does not work with H.323 applications and caching nameservers. PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.

Do not use PAT when multimedia applications need to be run through the firewall. Multimedia applications can conflict with port mappings provided by PAT.

In PIX software release 4.2(2), the PAT feature did not work with IP data packets that arrived in reverse order. This problem is corrected in release 4.2(3).

IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.

For example, if a global IP adddress is 175.1.1.3 and the domain name for the PIX firewall is pix.caguana.com, the PTR record would be:

3.1.1.175.in-addr.arpa. IN PTR pix3.caguana.com

4.1.1.175.in-addr.arpa. IN PTR pix4.caguana.com & so on.