Advantages to large NAT range?

Dec 29th, 2005

I have a couple of hundred users accessing the outside via:

global (outside) 1 65.123.71.230-65.123.71.253 netmask 255.255.255.224
global (outside) 1 65.123.71.254 netmask 255.255.255.224

It seems that the first people that connect after a restart grab the NAT addresses and everyone else gets the PAT. It there a reason that I shouldn't give most of the registered IP's back to the ISP and just keep a smaller group? My ISP appears to be holding any PTR changes hostage until I relinquish some addresses. At issue is that my PTR is set to one of the IP's in the middle of the NAT group. Each time the firewall is reset, the mail server locks into a different outside address which causes reverse DNS to fail. Can I force the mail server to a particular address (the one the PTR is set to)?

m.mcconnell Thu, 12/29/2005 - 08:15

For typical web surfing there is no real advantage to a large NAT pool, and there is no real reason not to give back some addresses other than to save yourself some grief. It looks like you have a fairly small range; I don't see why your ISP would hassle you. But in any event, you can get rid of the NAT pool by doing these two commands:

no global (outside) 1 65.123.71.230-65.123.71.253 netmask 255.255.255.224
clear xlate

This will drop any current connections on these IP addresses. Then, to set up your mail server, use the static command:

static (inside,outside) public_ip private_ip netmask 255.255.255.255

If your mail server is in a DMZ you will need to change the name of the first interface to match the name of the DMZ interface.


To further save address space, set up your PAT address to use the IP address on the outside interface of the PIX:

no global (outside) 1 65.123.71.254 netmask 255.255.255.224
global (outside) 1 interface
clear xlate

Then save the config:

write mem


-Mark
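To make the behaviour in this thread concrete, here is an added example (my own toy model, not code from the thread or from Cisco) of how a PIX hands out outside addresses: the dynamic pool is drained first, later hosts fall through to PAT, a static always wins, and `clear xlate` (or a reload) returns the pool so the next boot can hand the mail server a different address than the one its PTR points to. It also counts how many hosts a single PAT address can serve before its port range runs out, which is the limit jackko mentions below. All addresses are constructed (TEST-NET ranges), the allocation order is a simplification of the real firewall, and there are no timeouts or per-connection entries.

```python
"""Toy model of PIX address translation: dynamic NAT pool, then PAT on one
address, with static translations taking precedence.  Constructed example,
not PIX code; one xlate per inside host, no timeouts, no per-connection state."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Xlate:
    inside: str
    outside: str
    port: Optional[int]  # None for a one-to-one NAT/static entry, a port for PAT


class PixTranslator:
    def __init__(self, pool: List[str], pat_address: str,
                 pat_ports: Tuple[int, int] = (1024, 65535)) -> None:
        self.free_pool = list(pool)         # unused addresses from 'global (outside) 1 a-b'
        self.pat_address = pat_address      # the 'global (outside) 1 <single ip>' address
        self.pat_ports = pat_ports
        self.next_port = pat_ports[0]
        self.statics: Dict[str, str] = {}   # inside -> outside, as 'static (inside,outside)'
        self.xlates: Dict[str, Xlate] = {}  # current translation table

    def add_static(self, inside: str, outside: str) -> None:
        self.statics[inside] = outside

    def translate(self, inside: str) -> Xlate:
        """Return the existing xlate for a host, or allocate one: static, then pool, then PAT."""
        if inside in self.xlates:
            return self.xlates[inside]
        if inside in self.statics:
            entry = Xlate(inside, self.statics[inside], None)
        elif self.free_pool:
            entry = Xlate(inside, self.free_pool.pop(0), None)
        else:
            if self.next_port > self.pat_ports[1]:
                raise RuntimeError("PAT port space exhausted")
            entry = Xlate(inside, self.pat_address, self.next_port)
            self.next_port += 1
        self.xlates[inside] = entry
        return entry

    def clear_xlate(self) -> None:
        """Model 'clear xlate' / a reload: drop all entries and return pool addresses."""
        for entry in self.xlates.values():
            if entry.port is None and entry.inside not in self.statics:
                self.free_pool.append(entry.outside)
        self.xlates.clear()
        self.next_port = self.pat_ports[0]


# Constructed inside hosts and outside addresses (TEST-NET-1, not real ones).
MAIL = "10.0.0.25"
CLIENTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"]
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
PAT_ADDRESS = "192.0.2.14"
MAIL_STATIC = "192.0.2.20"  # the address the PTR record should point at


def mail_outside_across_reloads(use_static: bool) -> Tuple[str, str]:
    """Outside address the mail server lands on across two boots with different
    connection order.  use_static=False is the inherited pool+PAT config;
    use_static=True is the advice above: no pool, a static for mail, PAT for the rest."""
    if use_static:
        pix = PixTranslator(pool=[], pat_address=PAT_ADDRESS)
        pix.add_static(MAIL, MAIL_STATIC)
    else:
        pix = PixTranslator(pool=POOL, pat_address=PAT_ADDRESS)
    # Boot 1: one client beats the mail server to the pool.
    for host in [CLIENTS[0], MAIL] + CLIENTS[1:]:
        pix.translate(host)
    first = pix.xlates[MAIL].outside
    pix.clear_xlate()
    # Boot 2: the mail server connects first this time.
    for host in [MAIL] + CLIENTS:
        pix.translate(host)
    second = pix.xlates[MAIL].outside
    return first, second


def hosts_until_pat_exhausted(pat_ports: Tuple[int, int]) -> int:
    """How many distinct inside hosts one PAT address serves before its ports run out."""
    pix = PixTranslator(pool=[], pat_address=PAT_ADDRESS, pat_ports=pat_ports)
    count = 0
    while True:
        try:
            pix.translate(f"10.1.{count // 256}.{count % 256}")
        except RuntimeError:
            return count
        count += 1


if __name__ == "__main__":
    print("pool only  :", mail_outside_across_reloads(False))  # address changes between boots
    print("with static:", mail_outside_across_reloads(True))   # pinned to MAIL_STATIC
    print("one PAT address serves", hosts_until_pat_exhausted((1024, 65535)), "hosts")
```

Run as-is: the pool-only run shows the mail server's outside address drifting between boots, the static run shows it pinned, and the port count shows why a single PAT address caps out at tens of thousands of translations.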


glowell543 Thu, 12/29/2005 - 09:33

I will give that a try - thanks. In what instances would an address pool make sense - I'm having trouble rationalizing my (inherited) configs. ;-)

m.mcconnell Thu, 12/29/2005 - 12:28

The only time I can think of "needing" a large NAT pool is if you have a large user base for an application that does not work with PAT - but that's mostly a thing of the past.


As a side note - the inherited config that you are currently running is a direct copy and paste out of the PIX documentation that provides an example of setting up outbound connectivity. That section is a bit dated.


-Mark


jackko Thu, 12/29/2005 - 15:01

Further, a PAT only offers up to 64,000 translations.

So those companies expecting more than that number will need to deploy multiple IPs with PAT.

glowell543 Fri, 12/30/2005 - 05:00

That part won't affect my slice of the job market, but I also recall that multimedia has an impact. Not sure how much - the trouble with unfamiliar networks is it's hard to tell who is doing what to whom and why.


In the end, Mark confirmed my suspicions and I went ahead and blew away the global range and added a static route to cover AOL, etc. I will just let it simmer and listen for squeaks.
