NAT or PAT

Unanswered Question
Aug 6th, 2008

folks

I want to pass all my users out my internet pipe on the same NAT/PAT address.

At the moment I have all users behind a firewall which passes traffic to the perimeter router (the firewall's external IP is a private, non-routable address), so the router's external IP is the address I present to the internet.

I have implemented a PAT solution on the external interface and access to the internet is working, but I think I remember reading that PAT doesn't like streaming, VoIP etc. and this would match my problem - when I access some sites with streaming content it hangs.

Should I use a NAT solution instead but, rather than use a pool of addresses (which I don't have), just use the external interface's IP?

Thanks to anyone taking the time to reply.

PS - any links to configs are greatly appreciated.

Hope this finds you all well.

Richard Burts Thu, 08/07/2008 - 03:48

Michael

Perhaps there is some confusion about terminology. NAT is translation with a pool of addresses. When you do NAT with only a single address you have created PAT.

If you have only a single address then your alternative is to do PAT. If that is causing problems then perhaps you need to negotiate with your provider for additional address space.

Mohsin

The solution that you suggest is a PIX/ASA solution. But Michael has clearly stated in his original post that his firewall outside interface is using a private non-routable address and that he needs to do translation on his router.

HTH

Rick

mulhollandm Thu, 08/07/2008 - 03:57

Rick

Many thanks for your reply, it's greatly appreciated.

I have 2 or 3 addresses currently available but as this may change (I may have to allocate them to other perimeter devices) I opted for PAT.

Are you aware of any problems with PAT and streaming protocols or performance?

My perimeter kit is an HSRP 3845 cluster with 1 GB RAM connecting to an ISP router (3825).

Thanks for your time.

nourelrayes Thu, 08/07/2008 - 21:57

Streaming endpoints should reside on a VLAN different from that of data.

Perform NAT and create 2 pools: one for the streaming application, which has the same subnet mask as the Voice/Video VLAN, and the other can be static or dynamic PAT for the data VLANs.

! Standard ACLs take <address> <wildcard>, not "ip"; the VLAN ranges are left as the poster's placeholders
access-list 1 permit %Voice/Video VLANs
access-list 2 permit %Data VLAN
! "ip nat pool" requires a netmask or prefix-length; /24 is assumed here to match the poster's address ranges
ip nat pool nourvoice y.10.10.1 y.10.10.254 prefix-length 24
ip nat pool nourdata x.10.11.1 x.10.11.2 prefix-length 24
! The keyword is "inside source" (two words)
ip nat inside source list 1 pool nourvoice
ip nat inside source list 2 pool nourdata overload

gabrielshorn Fri, 08/08/2008 - 09:41

I have a 2811 and streaming works fine as long as you have the streaming protocols declared in your "ip inspect" list on the router. Assuming that you already have an "ip inspect" list on the outbound interface of your router, just add the streaming protocols you want to the list:

ip inspect name LIST_NAME PROTOCOL

for example

In global config:

ip inspect name mylist pcanywhere

ip inspect name mylist h323

Interface config mode for external router interface:

ip inspect mylist out

That's all it takes to set it up, though the inspect list is usually pretty long. Mine has nearly 40 protocols listed.
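To tie the thread together, here is an added example (not posted by anyone in this discussion) of what the original question asks for: PAT using the router's own external interface address, with CBAC inspection for the streaming protocols the last reply describes. Interface names, the 10.0.0.0/8 inside range, the ACL number and the 203.0.113.2 public address are assumptions.

```cisco
! Added example, not from any poster. Interface names, addresses and
! ACL number are assumed placeholders; replace them with your own.
!
! Inside sources allowed to be translated (constructed private range)
access-list 10 permit 10.0.0.0 0.255.255.255
!
! PAT: translate every matching inside source to the address of the
! outside interface itself, so no address pool is needed
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! CBAC inspection list: tracks the control channel of protocols that
! negotiate secondary ports (H.323, RTSP) so the return data channel
! is opened even though PAT hides the inside host
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND rtsp
!
interface GigabitEthernet0/0
 description ISP-facing, public address (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip inspect OUTBOUND out
!
interface GigabitEthernet0/1
 description toward the firewall's private outside interface (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Check: "show ip nat translations" should list inside hosts mapped to
! 203.0.113.2 with differing source ports; "show ip inspect sessions"
! shows the tracked streaming control channels.
```

On the HSRP 3845 pair mentioned above, translation state lives only on the router that built it unless NAT redundancy is configured separately, so a failover drops active sessions.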
