Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
312
Views
0
Helpful
4
Replies

What is the maximum PAT statement in PIX Firewall?

a.kiprawih
Level 7
Level 7

‎04-26-2004 05:06 PM - edited ‎02-20-2020 11:22 PM

Hi,

What is the maximum no of PAT allowed in PIX? So far, I couldn’t find exact statement in cisco.com on this. Most of the PIX sample configuration shows 2 PATs only.

The reason was (if possible) to map each individual NAT to PAT, instead of using a pool of outside/Public IP and 1 PAT for backup. For example, 5 internal VLANs need to be mapped to 5 different PAT for easy identification and troubleshooting.

global (outside) 1 202.X.X.100

global (outside) 2 202.X.X.101

global (outside) 3 202.X.X.102

global (outside) 4 202.X.X.103

global (outside) 5 202.X.X.104

nat (inside) 1 10.100.110.0 255.255.255.0

nat (inside) 2 10.100.120.0 255.255.255.0

nat (inside) 3 10.100.130.0 255.255.255.0

nat (inside) 4 10.100.140.0 255.255.255.0

nat (inside) 5 10.100.150.0 255.255.255.0

Thanks

AK

0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎04-26-2004 05:32 PM

There's no set limit, other than the fact the nat/global pair number can only be between 1 and 2147483647, although you'd run out of your 2Meg config size limit way before that.

I've seen configs with hundreds of them and it works fine. If you only want 5 then you'll be fine.

0 Helpful

a.kiprawih
Level 7
Level 7
In response to gfullage

‎04-26-2004 08:03 PM

Hi Glen,

I did saw the max pair between 1 to 2,147,483,647, but when I tried to configure the 3rd PAT, it gives error on overlapping PAT statement. That was on a fresh installation and the public IP was free (unused)

global (outside) 1 202.X.X.100 -> ok/accepted

global (outside) 2 202.X.X.101 -> ok/accepted

global (outside) 3 202.X.X.102 -> ERROR due to overlapping PAT??

nat (inside) 1 10.100.110.0 255.255.255.0 -> ok

nat (inside) 2 10.100.120.0 255.255.255.0 -> ok

nat (inside) 3 10.100.130.0 255.255.255.0 -> ok

Did I missed any steps?

Thanks

AK

0 Helpful

mostiguy
Level 6
Level 6
In response to a.kiprawih

‎04-27-2004 03:09 AM

what is the outside interface's ip address and subnet mask? could .102 be a broadcast address for that subnet?

0 Helpful

a.kiprawih
Level 7
Level 7
In response to mostiguy

‎04-27-2004 04:17 PM

The public IP subnet is 202.X.X.96/27. Usable address range should be 202.X.X.97 - 202.X.X.126, broadcast is 202.X.X.127.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card