PIX 501 NAT / PAT problem

fvandonk (Level 1)

I have a 501 set up for a client. All works well for a few minutes and then the PCs cannot get out of the firewall. Looks like the NAT works fine but the PAT does not kick in.

That part of the config I got from a Cisco example.

Can somebody help me out?

Thanks,

Fred

5 Replies

m.mcconnell (Level 1)

The config you have posted is from a very old configuration example. When NAT and PAT are configured, NAT has priority over PAT, meaning that PAT won't get used until the address pool for NAT is fully utilized. For regular users (non-server traffic) I usually configure just PAT.

I usually configure it this way:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0

This does PAT for all of your inside users to the PIX's outside IP address - saves address space.

To convert, do the following:

no global (outside) 1 xxx.xxx.231.115-xxx.xxx.231.125 netmask 255.255.255.240
no global (outside) 1 xxx.xxx.231.126 netmask 255.255.255.240
global (outside) 1 interface
clear xlate

-Mark

Thanks for your reply, Mark.

I did read online that just having PAT running might cause memory problems when there are a lot of PAT sessions created (running out of memory).

Granted, this is only an office with <25 PCs; do you think I have to worry about this?

Also, do I want to change the xlate timeout, or leave everything else as default?

Again thanks,

Fred

With less than 25 PCs behind the PIX you will not have to worry about memory issues. You might need to watch for licensing issues though. The default 501 license supports 10 users and can be upgraded to support 50 users - still no need to worry about memory.

As far as timers on the PIX, I usually recommend to leave all timers at the default settings unless you are experiencing problems and TAC helps you change them.

-Mark

Mark,

I thought the 10 user limit was on the remote VPN connections, is this not correct? Is it concurrent users instead? So I'm not running into a NAT/PAT issue but into a user count issue? If so, will lowering the timer give me a little more breathing room?

There are two connection limitations on the PIX 501: 10 users and 4 (I think) VPN connections. Lowering the timer probably will not help unless you make it real low - but even then. You will have users that leave the browser open or whatever eating up a connection. To upgrade the 501 to 50 users it's only a couple hundred dollars and it removes the frustration.
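To tie Mark's two points together (the NAT pool is drained before PAT is used, and the 10-user license bites no matter how many global addresses are left), here is an added toy model of the 501's outbound translation logic. It is an illustration written for this thread, not Cisco code or anything posted above. Assumptions: the masked xxx.xxx.231.115-126 addresses are replaced with the 198.51.100.0/24 documentation range, the license check is approximated as "inside hosts that currently hold an xlate" (the real appliance tracks hosts with its own timers), and the default xlate timeout of 3 hours is used unless overridden.

```python
"""Toy model of how a PIX 501 hands out outbound translations (xlates).

Constructed illustration for this thread, not Cisco's code. It models:
  * a dynamic NAT pool (global .115-.125) that is drained before the PAT
    address (global .126) in the same nat id is ever used;
  * xlate entries that expire after a timeout and return their pool address;
  * the 501's licensed inside-host count (10 by default), enforced
    independently of how many global addresses remain.
Assumption: the license is approximated as "inside hosts with a live xlate".
"""

XLATE_TIMEOUT = 3 * 60 * 60  # PIX default xlate timeout is 3 hours


class Pix501:
    def __init__(self, nat_pool, pat_address, host_limit=10,
                 xlate_timeout=XLATE_TIMEOUT):
        self.free_pool = list(nat_pool)     # pool addresses not yet handed out
        self.pat_address = pat_address      # None means "no PAT configured"
        self.host_limit = host_limit
        self.xlate_timeout = xlate_timeout
        self.xlates = {}                    # inside host -> [global addr, last used]

    def _expire(self, now):
        """Drop idle xlates; a pool address goes back on the free list."""
        for host, (gaddr, last_used) in list(self.xlates.items()):
            if now - last_used >= self.xlate_timeout:
                del self.xlates[host]
                if gaddr != self.pat_address:
                    self.free_pool.append(gaddr)

    def translate(self, inside_host, now):
        """Return the global address used for inside_host, or None if dropped."""
        self._expire(now)
        if inside_host in self.xlates:          # existing xlate: refresh and reuse
            self.xlates[inside_host][1] = now
            return self.xlates[inside_host][0]
        if len(self.xlates) >= self.host_limit:
            return None                         # license limit: new host is dropped
        if self.free_pool:
            gaddr = self.free_pool.pop(0)       # NAT pool has priority ...
        elif self.pat_address is not None:
            gaddr = self.pat_address            # ... PAT only once the pool is empty
        else:
            return None                         # no global address left at all
        self.xlates[inside_host] = [gaddr, now]
        return gaddr


def freds_pool():
    """Stand-in for the posted global pool .115-.125 (documentation range)."""
    return [f"198.51.100.{n}" for n in range(115, 126)]


PAT_ADDRESS = "198.51.100.126"   # stand-in for the posted PAT global .126


def office_scenario(host_limit, nat_pool, pat_address=PAT_ADDRESS, pcs=12):
    """pcs office PCs go out one per second; returns host -> global addr or None."""
    pix = Pix501(nat_pool, pat_address, host_limit)
    return {f"192.168.0.{i}": pix.translate(f"192.168.0.{i}", now=i)
            for i in range(1, pcs + 1)}


if __name__ == "__main__":
    for label, limit, pool in [("original config, 10-user license", 10, freds_pool()),
                               ("original config, 50-user license", 50, freds_pool()),
                               ("PAT only (Mark's config), 10-user license", 10, [])]:
        print(label)
        for host, gaddr in office_scenario(limit, pool).items():
            print(f"  {host:14} -> {gaddr or 'DROPPED'}")
```

Running it shows the symptom from the original post: with the 10-user license the eleventh PC is dropped while a pool address and the PAT address are both still unused, and switching to PAT-only does not change that; raising the host limit to 50 is what lets the eleventh PC through (on the last pool address) and the twelfth onto PAT. The timeout only helps once an idle host's xlate actually ages out.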
