PIX Security Appliance Translations and Connections
Port address translation (PAT)

Typically, an enterprise network receives only a small number of routable addresses from its ISP, while the number of hosts is much larger. To resolve this situation, port address translation (PAT) can be used.

Using PAT, multiple connections originating from different hosts on the inside networks can be multiplexed onto a single global IP address. The multiplexing identifier is the source port number. In Figure , the IP addresses of the two hosts on the inside network are translated to the PAT address 192.168.0.20, with source ports 2000 and 2001.

A PAT address can be a virtual address that is different from the outside address of the PIX Security Appliance. PAT should not be used when running multimedia applications through the PIX. Multimedia applications need access to specific ports and can conflict with port mappings provided by PAT.

In the example in Figure , the XYZ Company has only three registered IP addresses. One address is taken by the perimeter router, one by the PIX Security Appliance, and one by the global address.

The example configuration is as follows:

ip address inside 10.0.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1

IP addresses are assigned to the internal and external interfaces. A single registered IP address is put into the global pool and is shared by all outgoing access for network 10.0.0.0:

nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 192.168.0.9 netmask 255.255.255.255

PAT Using the Outside Interface Address
The IP address of the outside interface can be used as the PAT address by using the interface option of the global command. This is important when using the PIX Security Appliance DHCP client feature, because it allows the DHCP-retrieved address to be used for PAT.

In Figure , source addresses for hosts on network 10.0.0.0 are translated to 192.168.0.2 for outgoing access, and the source port is changed to a unique number greater than 1023.

NOTE:

When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow termination at the outside interface of the PIX Security Appliance.

Mapping Subnets to PAT Addresses
Multiple PATs can be specified to track use among different subnets. In Figure , network 10.0.1.0 and network 10.0.2.0 are mapped to different PAT addresses. This is done by using a separate nat and global command pair for each network. Outbound sessions from hosts on internal network 10.0.1.0 will appear to originate from address 192.168.0.8, and outbound sessions from hosts on internal network 10.0.2.0 will appear to originate from address 192.168.0.9.

Backing Up PAT Addresses by Using Multiple PATs
PAT addresses can be backed up by configuring multiple global command statements with the same nat_id.

In Figure , address 192.168.0.9 will be used for all outbound connections from network 10.0.1.0 when the port pool from 192.168.0.8 is at maximum capacity.

Augmenting a Global Pool with PAT
A pool of global addresses can be augmented with PAT. When all IP addresses from the global pool are in use, the PIX Security Appliance begins PAT using the single IP address shown in the second global command.

In Figure , hosts on the 10.0.0.0 internal network are assigned addresses from the global pool 192.168.0.20 through 192.168.0.254 as they initiate outbound connections. When the addresses from the global pool are exhausted, packets from all hosts on network 10.0.0.0 appear to originate from 192.168.0.15.
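As an added illustration, not part of the course text and not Cisco code, the following Python model reproduces the address-selection behaviour described in the sections above: port multiplexing on one PAT address, a separate nat/global pair per subnet, a backup PAT address configured under the same nat_id, and a global pool that falls back to PAT once every pool address is in use. The simulator, its class and function names, the shortened port ranges and address pools, and the inside hosts are all constructed for the example; the command forms quoted in the comments are the nat/global syntax already shown on this page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class GlobalEntry:
    """One 'global (outside) <nat_id> ...' statement (constructed model)."""
    nat_id: int
    addresses: list                               # pool: many addresses; PAT: exactly one
    pat: bool                                     # True: multiplex hosts on one address by port
    host_map: dict = field(default_factory=dict)  # pool only: inside host -> global address
    next_port: int = 1024                         # PAT only: next unused port (always > 1023)


def addr_range(first, last):
    """Expand the two bounds of a global pool into the list of addresses it covers."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]


class PixPatSimulator:
    """Toy model of nat/global address selection; not PIX code."""

    def __init__(self, pat_port_max=65535):
        self.pat_port_max = pat_port_max  # lowered in the demos to force exhaustion quickly
        self.nat_rules = []               # (nat_id, inside network) from 'nat (inside) ...'
        self.globals = []                 # GlobalEntry objects in configured order
        self.xlate = {}                   # (inside ip, port) -> (global ip, port)

    def nat(self, nat_id, network):
        self.nat_rules.append((nat_id, ip_network(network)))

    def global_pool(self, nat_id, first, last):
        self.globals.append(GlobalEntry(nat_id, addr_range(first, last), pat=False))

    def global_pat(self, nat_id, address):
        self.globals.append(GlobalEntry(nat_id, [address], pat=True))

    def translate(self, src_ip, src_port):
        """Return the (global ip, global port) a new outbound connection is seen as."""
        key = (src_ip, src_port)
        if key in self.xlate:
            return self.xlate[key]
        nat_id = next((n for n, net in self.nat_rules if ip_address(src_ip) in net), None)
        if nat_id is None:
            return None                               # no nat statement covers this host
        entries = [g for g in self.globals if g.nat_id == nat_id]
        # Pool addresses are handed out before PAT is used; PAT addresses are
        # tried in the order their global statements were configured.
        for g in [e for e in entries if not e.pat] + [e for e in entries if e.pat]:
            result = self._allocate(g, src_ip, src_port)
            if result is not None:
                self.xlate[key] = result
                return result
        return None                                   # all addresses and ports exhausted

    def _allocate(self, g, src_ip, src_port):
        if g.pat:
            if g.next_port > self.pat_port_max:
                return None                           # this PAT address's port pool is full
            port = g.next_port
            g.next_port += 1
            return (g.addresses[0], port)             # source port rewritten to a unique value
        if src_ip in g.host_map:                      # dynamic NAT keeps one address per host
            return (g.host_map[src_ip], src_port)
        free = [a for a in g.addresses if a not in g.host_map.values()]
        if not free:
            return None
        g.host_map[src_ip] = free[0]
        return (free[0], src_port)                    # plain NAT preserves the source port


def demo_subnet_mapping():
    """10.0.1.0 -> 192.168.0.8 and 10.0.2.0 -> 192.168.0.9 via two nat/global pairs."""
    pix = PixPatSimulator()
    pix.nat(1, "10.0.1.0/24")
    pix.global_pat(1, "192.168.0.8")
    pix.nat(2, "10.0.2.0/24")
    pix.global_pat(2, "192.168.0.9")
    return pix.translate("10.0.1.7", 40000), pix.translate("10.0.2.7", 40000)


def demo_backup_pat():
    """Two global statements with the same nat_id: .9 takes over once .8 is full."""
    pix = PixPatSimulator(pat_port_max=1025)          # only ports 1024-1025 per address
    pix.nat(1, "10.0.1.0/24")
    pix.global_pat(1, "192.168.0.8")
    pix.global_pat(1, "192.168.0.9")
    return [pix.translate("10.0.1.%d" % h, 5000 + h) for h in range(1, 5)]


def demo_pool_then_pat():
    """Global pool first; once it is exhausted every new host is PATed to .15."""
    pix = PixPatSimulator()
    pix.nat(1, "10.0.0.0/24")
    pix.global_pool(1, "192.168.0.20", "192.168.0.21")  # shortened pool (page uses .20-.254)
    pix.global_pat(1, "192.168.0.15")
    return [pix.translate("10.0.0.%d" % h, 3000) for h in range(1, 4)]
```

The demo functions use tiny port ranges and pools so that the failover points are reached after a handful of connections; on a real appliance the same ordering applies, only with roughly 64,000 ports per PAT address. Note that the pool branch keeps the inside host's source port unchanged, while the PAT branch always rewrites it, which is the property that makes PAT unsuitable for the multimedia applications mentioned earlier.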


Lab Activity

e-Lab Activity: PIX Security Appliance PAT Configuration

In this activity, the student will configure PAT to allow all internal hosts to share one IP address.