Typically, an enterprise network receives only a small number of
routable addresses from its ISP, while the number of hosts is much larger. To
resolve this situation, port address translation (PAT) can be used.
Using PAT, multiple connections originating from different hosts on the inside networks can be multiplexed onto a single global IP address. The multiplexing identifier is the source port number. In Figure , the IP addresses of the two hosts on the inside network are translated to a PAT IP address of 192.168.0.20, using source ports 2000 and 2001.
A PAT address can be a virtual address that is different from the outside address of the PIX Security Appliance. PAT should not be used when running multimedia applications through the PIX. Multimedia applications need access to specific ports and can conflict with the port mappings provided by PAT.
In the example in Figure , the XYZ Company has only three registered IP addresses. One address is taken by the perimeter router, one by the PIX Security Appliance, and one by the global address.
The example configuration is as follows:
  ip address inside 10.0.0.1 255.255.255.0
  ip address outside 192.168.0.2 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 192.168.0.1
IP addresses are assigned to the internal and external interfaces. A single registered IP address is put into the global pool and is shared by all outgoing access for network 10.0.0.0:
  nat (inside) 1 10.0.0.0 255.255.0.0
  global (outside) 1 192.168.0.9 netmask 255.255.255.255
PAT Using the Outside Interface Address
The IP address of the outside interface can be used as the PAT address by using the interface option of the global command. This is important when using the PIX Security Appliance DHCP client feature. It allows the DHCP-retrieved address to be used for PAT.
In Figure , source addresses for hosts on network 10.0.0.0 are translated to 192.168.0.2 for outgoing access, and the source port is changed to a unique number greater than 1023.
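The following configuration is an added example, not the page's own configuration or Cisco's, showing the interface option described above in PIX 6.x syntax. It reuses the addresses from the XYZ Company example on this page; the lines beginning with ! are annotations.

```cisco
! Added example: PAT using the outside interface address (PIX 6.x syntax)
ip address inside 10.0.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1
! Every host in 10.0.0.0/24 is eligible for translation under nat_id 1
nat (inside) 1 10.0.0.0 255.255.255.0
! "interface" makes the PIX PAT to whatever address the outside interface currently holds,
! so the same statement keeps working when the outside address is obtained by the DHCP client
global (outside) 1 interface
```

With this in place, show xlate lists each outbound flow as 192.168.0.2 with a distinct source port above 1023; because the PAT address is the interface address itself, no additional registered address is consumed.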
NOTE: When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow termination at the outside interface of the PIX Security Appliance.
Mapping Subnets to PAT Addresses
Multiple PATs can be specified to track use among different subnets. In Figure , network 10.0.1.0 and network 10.0.2.0 are mapped to different PAT addresses. This is done by using a separate nat and global command pair for each network. Outbound sessions from hosts on internal network 10.0.1.0 will appear to originate from address 192.168.0.8, and outbound sessions from hosts on internal network 10.0.2.0 will appear to originate from address 192.168.0.9.
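The following is an added example, not configuration from the page or from Cisco, of the per-subnet mapping just described in PIX 6.x syntax. It assumes /24 masks for the two inside networks, which the text does not state; the PAT addresses are those given above.

```cisco
! Added example: one nat/global pair per inside subnet, distinguished by nat_id
! nat_id 1 covers 10.0.1.0/24 and is translated to 192.168.0.8
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 192.168.0.8 netmask 255.255.255.255
! nat_id 2 covers 10.0.2.0/24 and is translated to 192.168.0.9
nat (inside) 2 10.0.2.0 255.255.255.0
global (outside) 2 192.168.0.9 netmask 255.255.255.255
```

The nat_id is what ties each nat statement to its global statement, so the two subnets never share a port pool, and outbound traffic from each can be told apart on the outside by its source address alone.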
Backing Up PAT Addresses by Using Multiple PATs
PAT addresses can be backed up by configuring multiple global command statements with the same nat_id. In Figure , address 192.168.0.9 will be used for all outbound connections from network 10.0.1.0 when the port pool from 192.168.0.8 is at maximum capacity.
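The following is an added example, not the page's own or Cisco's configuration, of a backup PAT address in PIX 6.x syntax. It assumes a /24 mask for network 10.0.1.0; the two PAT addresses are the ones named above.

```cisco
! Added example: two global statements sharing nat_id 1 give a primary and a backup PAT address
nat (inside) 1 10.0.1.0 255.255.255.0
! Primary PAT address; used until its port pool is at maximum capacity
global (outside) 1 192.168.0.8 netmask 255.255.255.255
! Backup PAT address; takes over new outbound connections once 192.168.0.8 is exhausted
global (outside) 1 192.168.0.9 netmask 255.255.255.255
```

Because both statements carry the same nat_id, the PIX treats them as one translation policy and falls back from the first address to the second only when the first has no free ports left.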
Augmenting a Global Pool with PAT
A pool of global addresses can be augmented with PAT. When all IP addresses from the global pool are in use, the PIX Security Appliance begins PAT using the single IP address shown in the second global command.
In Figure , hosts on the 10.0.0.0 internal network are assigned addresses from the global pool 192.168.0.20 through 192.168.0.254 as they initiate outbound connections. When the addresses from the global pool are exhausted, packets from all hosts on network 10.0.0.0 appear to originate from 192.168.0.15.
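The following is an added example, not configuration from the page or from Cisco, of a global pool augmented with a PAT address in PIX 6.x syntax. The nat mask is the 255.255.0.0 used earlier on this page for network 10.0.0.0; the pool range and PAT address are the ones given above.

```cisco
! Added example: a range global (dynamic NAT pool) followed by a single-address global (PAT) on the same nat_id
nat (inside) 1 10.0.0.0 255.255.0.0
! One-to-one dynamic translations are handed out from this pool first
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
! When the pool is exhausted, all further outbound hosts are PATed behind this one address
global (outside) 1 192.168.0.15 netmask 255.255.255.255
```

Hosts that obtained a pool address keep it until their translation times out, while later hosts share 192.168.0.15, so show xlate shows a mix of one-to-one entries and port-based entries for the same inside network.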