NAT or PAT

mulhollandm
Level 1

Folks,

I want to pass all my users out my internet pipe on the same NAT/PAT address.

At the moment I have all users behind a firewall which passes traffic to the perimeter router (the firewall's external IP is a private address and non-routable), so the router's external IP is the address I present to the internet.

I have implemented a PAT solution on the external interface and access to the internet is working, but I think I remember reading that PAT doesn't like streaming, VoIP etc. and this would match my problem: when I access some sites with streaming content it hangs.

Should I use a NAT solution instead but, rather than use a pool of addresses (which I don't have), just use the external interface's IP?

Thanks to anyone taking the time to reply.

PS - any links to configs are greatly appreciated.

Hope this finds you all well.

6 Replies

mohsin.khan
Level 3

You can do both.

Define two access lists: the first would forward traffic to a NAT pool and the second would forward traffic to the PAT IP.

global (outside) 1 {public_Ip_start_range}-{public_Ip_end_range}

global (outside) 2 {public_PAT_IP}

nat (inside) 1 access-list {acl_name-1}

nat (inside) 2 access-list {acl_name-2}

Michael

Perhaps there is some confusion about terminology. NAT is translation with a pool of addresses. When you do NAT with only a single address you have created PAT.

If you have only a single address then your alternative is to do PAT. If that is causing problems then perhaps you need to negotiate with your provider for additional address space.

Mohsin

The solution that you suggest is a PIX/ASA solution. But Michael has clearly stated in his original post that his firewall outside interface is using a private non-routable address and that he needs to do translation on his router.

HTH

Rick


Somehow my post got posted twice.

HTH

Rick


Rick,

Many thanks for your reply, it's greatly appreciated.

I have 2 or 3 addresses currently available but as this may change (I may have to allocate them to other perimeter devices) I opted for PAT.

Are you aware of any problems with PAT and streaming protocols or performance?

My perimeter kit is an HSRP 3845 cluster with 1 GB RAM connecting to an ISP router (3825).

Thanks for your time.

nourelrayes
Level 1

Streaming endpoints should reside on a VLAN different from that of data.

Perform NAT by creating two pools: one for the streaming application, with the same subnet mask as the Voice/Video VLAN, and the other a static or dynamic PAT pool for the data VLANs.

access-list 1 permit %Voice/Video-VLAN-subnet %wildcard-mask

access-list 2 permit %Data-VLAN-subnet %wildcard-mask

ip nat pool nourvoice y.10.10.1 y.10.10.254 netmask 255.255.255.0

ip nat pool nourdata x.10.11.1 x.10.11.2 netmask 255.255.255.0

ip nat inside source list 1 pool nourvoice

ip nat inside source list 2 pool nourdata overload

gabrielshorn
Level 1

I have a 2811 and streaming works fine as long as you have the streaming protocols declared in your "ip inspect" list on the router. Assuming that you already have an "ip inspect" list on the outbound interface of your router, just add the streaming protocols you want to the list:

ip inspect name LIST_NAME PROTOCOL

for example

In global config:

ip inspect name mylist pcanywhere

ip inspect name mylist h323

Interface config mode for external router interface:

ip inspect mylist out

That's all it takes to set it up, though the inspect list is usually pretty long. Mine has nearly 40 protocols listed.
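As an added worked example (not configuration posted by anyone in this thread), here is an IOS configuration for the setup the original poster describes: every inside host translated to the router's own outside interface address ("overload" is IOS's name for PAT on one address, which is what Rick's terminology note and the poster's "just use the external interface's IP" both amount to), together with a CBAC inspection list of the kind gabrielshorn describes. Protocols such as H.323, SIP and RTSP carry addresses and port numbers inside their payload, so plain port translation breaks them unless the router's application-layer gateway rewrites them; the inspect list also opens the return path for the extra media channels those protocols negotiate. Interface names, the inside subnet, the outside address and the protocol list are assumptions and should be replaced with the real 3845's values.

```cisco
! Added example, not from the thread. All names and addresses are placeholders.

! Hosts that are allowed to be translated (assumed inside range 10.0.0.0/8,
! i.e. whatever the firewall's outside address and the networks behind it use).
access-list 1 remark inside hosts permitted to use the outside address
access-list 1 permit 10.0.0.0 0.255.255.255

! PAT: all matching inside hosts share the single outside interface address.
! No pool is needed; the router uses whatever address is on GigabitEthernet0/0.
ip nat inside source list 1 interface GigabitEthernet0/0 overload

! Keep stale entries from eating the port space of the single outside address:
! idle TCP translations are dropped after one hour instead of the 24 h default.
ip nat translation timeout 3600

! CBAC inspection list. tcp/udp give generic stateful tracking; rtsp, h323 and
! sip are the protocols that negotiate additional channels and need inspection
! so the returning media flows are allowed in.
ip inspect name STREAM tcp
ip inspect name STREAM udp
ip inspect name STREAM rtsp
ip inspect name STREAM h323
ip inspect name STREAM sip

interface GigabitEthernet0/1
 description inside, towards the firewall's (private) outside interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0
 description outside, towards the ISP 3825 (assumed address 203.0.113.2)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip inspect STREAM out

! Verification from exec mode:
!   show ip nat translations   one line per inside host:port -> 203.0.113.2:port
!   show ip nat statistics     translation hits/misses and the overload mapping
!   show ip inspect sessions   the sessions CBAC is currently tracking
```

Two things to check after applying it. First, `show ip nat translations` while a streaming session hangs shows whether a translation exists at all for the inside host; if the control connection is translated but no entry ever appears for the media ports, the protocol needs an inspect entry or is not one IOS can rewrite. Second, because the perimeter here is an HSRP pair, each router translates to its own physical interface address, not the shared virtual address, so a failover builds a fresh translation table on the other router and sessions that were in flight have to be re-established; that is a different failure from the PAT-and-streaming one and is worth ruling out separately.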
