NAT or PAT

Unanswered Question
Aug 6th, 2008

folks

I want to pass all my users out my internet pipe on the same NAT/PAT address.

At the moment I have all users behind a firewall which passes traffic to the perimeter router (the firewall's external IP is a private address and non-routable), so the router's external IP is the address I present to the internet.

I have implemented a PAT solution on the external interface and access to the internet is working, but I think I remember reading that PAT doesn't like streaming, VoIP etc. and this would match my problem: when I access some sites with streaming content it hangs.

Should I use a NAT solution instead, but rather than use a pool of addresses (which I don't have) just use the external interface's IP?

Thanks to anyone taking the time to reply.

PS - any links to configs are greatly appreciated.

Hope this finds you all well.


Richard Burts Thu, 08/07/2008 - 03:48
Michael


Perhaps there is some confusion about terminology. NAT is translation with a pool of addresses. When you do NAT with only a single address you have created PAT.


If you have only a single address then your alternative is to do PAT. If that is causing problems then perhaps you need to negotiate with your provider for additional address space.


Mohsin


The solution that you suggest is a PIX/ASA solution. But Michael has clearly stated in his original post that his firewall outside interface is using a private non-routable address and that he needs to do translation on his router.


HTH


Rick

Richard Burts Thu, 08/07/2008 - 03:50
Somehow my post got posted twice.


HTH


Rick

mulhollandm Thu, 08/07/2008 - 03:57
Rick

Many thanks for your reply, it's greatly appreciated.

I have 2 or 3 addresses currently available, but as this may change (I may have to allocate them to other perimeter devices) I opted for PAT.

Are you aware of any problems with PAT and streaming protocols or performance?

My perimeter kit is an HSRP 3845 cluster with 1Gb RAM connecting to an ISP router (3825).

Thanks for your time.

nourelrayes Thu, 08/07/2008 - 21:57
Streaming endpoints should reside on a VLAN different from that of data.

Perform NAT with two pools: one for the streaming application, with the same subnet mask as the Voice/Video VLAN, and the other, which can be static or dynamic PAT, for the data VLANs.

! Standard ACLs (1-99) take a network and wildcard mask, not the "ip" keyword
access-list 1 permit %Voice/Video VLAN network% %wildcard mask%
access-list 2 permit %Data VLAN network% %wildcard mask%
! A NAT pool requires a netmask (or prefix-length)
ip nat pool nourvoice y.10.10.1 y.10.10.254 netmask %subnet mask%
ip nat pool nourdata x.10.11.1 x.10.11.2 netmask %subnet mask%
ip nat inside source list 1 pool nourvoice
ip nat inside source list 2 pool nourdata overload
! The inside and outside interfaces must also be marked with
! "ip nat inside" and "ip nat outside" respectively

gabrielshorn Fri, 08/08/2008 - 09:41
I have a 2811 and streaming works fine as long as you have the streaming protocols declared in your "ip inspect" list on the router. Assuming that you already have an "ip inspect" list on the outbound interface of your router, just add the streaming protocols you want to the list:

ip inspect name LIST_NAME PROTOCOL

for example

In global config:

ip inspect name mylist pcanywhere
ip inspect name mylist h323

Interface config mode for external router interface:

ip inspect mylist out

That's all it takes to set it up, though the inspect list is usually pretty long. Mine has nearly 40 protocols listed.
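The two points made in this thread (that NAT with a single address is PAT, and that streaming protocols survive PAT only when the router inspects them) can be seen in a small model of a PAT translation table. The following is an added illustration, not IOS configuration and not code from anyone in the thread: a toy router that maps each inside (address, port) pair onto a unique port of one public address, and an optional "ALG" flag standing in for what ip inspect does for a protocol such as H.323, namely rewriting the private address the endpoint announces inside its control message. All addresses are constructed (RFC 5737 documentation ranges and 10.0.0.0/8); the control-message format "media-to=ip:port" is invented for the example and is not any real protocol's encoding.

```python
"""Toy model of PAT (NAT overload) and of why protocols that announce an
address inside their payload need ALG-style inspection to work through it.
Added example; not IOS configuration and not code from the thread's authors.
All addresses are constructed."""
from dataclasses import dataclass
import re

PUBLIC_IP = "203.0.113.10"   # constructed: the router's single routable outside address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class PatRouter:
    """NAT with a one-address 'pool' is PAT: each inside (ip, port) pair gets a
    unique outside port on the single public address, and the reverse entry is
    kept so that replies can be delivered."""

    def __init__(self, public_ip, inside_prefix="10.", first_port=1024, alg=False):
        self.public_ip = public_ip
        self.inside_prefix = inside_prefix
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> outside_port
        self.in_map = {}    # outside_port -> (inside_ip, inside_port)
        self.alg = alg      # stands in for 'ip inspect' / ALG behaviour (assumption)

    def _entry(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt):
        """Translate an inside->outside packet; with alg=True also rewrite any
        inside address announced in the payload."""
        port = self._entry(pkt.src_ip, pkt.src_port)
        payload = self._rewrite(pkt.payload) if self.alg else pkt.payload
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt):
        """Deliver an outside->inside packet, or None if it cannot be delivered:
        it is addressed to a private address (never reaches the router) or no
        translation entry exists for the destination port. To the user this is
        the 'hang' seen when a stream never arrives."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.payload)

    def _rewrite(self, payload):
        """ALG: replace inside ip:port in the payload with a public ip:port and
        pre-create the translation entry so the incoming stream can be mapped back."""
        def fix(m):
            ip, port = m.group(1), int(m.group(2))
            if not ip.startswith(self.inside_prefix):
                return m.group(0)
            return f"{self.public_ip}:{self._entry(ip, port)}"
        return re.sub(r"(\d+\.\d+\.\d+\.\d+):(\d+)", fix, payload)


def media_address(payload):
    """Parse the constructed 'media-to=ip:port' announcement in a control message."""
    m = re.search(r"media-to=(\d+\.\d+\.\d+\.\d+):(\d+)", payload)
    return m.group(1), int(m.group(2))


def scenario(alg):
    """Two inside hosts browse through one public address; one of them also sets
    up a media stream whose control message carries its private address."""
    router = PatRouter(PUBLIC_IP, alg=alg)
    web_a = router.outbound(Packet("10.0.0.5", 40000, "198.51.100.7", 80))
    web_b = router.outbound(Packet("10.0.0.6", 40000, "198.51.100.7", 80))
    ctl = router.outbound(Packet("10.0.0.5", 1720, "198.51.100.9", 1720,
                                 "media-to=10.0.0.5:5004"))
    ip, port = media_address(ctl.payload)
    # The media server sends its stream to whatever the control message announced.
    stream = router.inbound(Packet("198.51.100.9", 5004, ip, port, "rtp-data"))
    delivered = None if stream is None else (stream.dst_ip, stream.dst_port)
    return {
        "shared_public_ip": web_a.src_ip == web_b.src_ip == PUBLIC_IP,
        "distinct_ports": web_a.src_port != web_b.src_port,
        "announced": (ip, port),
        "stream_delivered_to": delivered,
    }


if __name__ == "__main__":
    print("plain PAT     :", scenario(alg=False))
    print("PAT + inspect :", scenario(alg=True))
```

Running it shows both web sessions leaving with the same public address and different ports, which is all PAT is. Without the ALG the media control message still announces 10.0.0.5:5004, so the remote server's stream is sent to an address the internet cannot route and never arrives; with the ALG the announcement is rewritten to 203.0.113.10 and a pre-created port, and the stream is mapped back to the inside host. That per-protocol rewriting is the job ip inspect does for the protocols listed in the inspect list, which is why listing them matters.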

