Pix 520 NAT / PAT Help

pirategonzo
Level 1

I have a Cisco PIX 520 that I know nothing about. The problem I have come into is that my NAT pool is running dry and I am getting clients without access to the internet. I would like to add a PAT but I have no idea what I am doing or where to start.


Could someone give me the proper commands to do this?

I don't know what more information you need so please ask questions!


Thanks.

11 Replies

Julio Carvajal
VIP Alumni

Hello Steve,

More than glad, what is the Pix version you are running?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Version 6.3 (4)

Hello Steve,

you can do

nat (inside) 1 0 0

global (outside) 1 interface

Rate if this post helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have to be honest, I have no idea what this means. I really need someone to walk me though it.

Currently I have inside IP scheme of 192.168.1.45 - 255 and outside of 90.90.90.35 - 62.

I want to use PAT for one of the outside IP's.

I found this on Cisco's site but I'm not sure if that is what I need to do, as their diagram shows a 10.0.0.1 IP along with a 192.168.1.x. I only have 192.168.1.x; does this make a difference?

If I run the following commands with my information is it going to give me what I need or am I on the wrong track?

global (outside) 1 209.165.201.3-209.165.201.29 netmask 255.255.255.224
global (outside) 1 209.165.201.30 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

I don't know anything about Cisco commands, so I really need it put out step by step so I don't accidentally do the wrong thing and take down the network, as I would have no idea how to reverse it.

Hello Steve,

You already have a pool of IP addresses assigned to your users when they go to the outside. The problem is that you are running out of public IP addresses, so what we need to do is just add a global command:

global (outside) 1 x.x.x.x netmask 255.255.255.255

This will not affect your network; it just means that if the pool of addresses gets exhausted, we will start to use the PAT IP address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for the reply. I will be trying this tomorrow. Is it best practice to use the highest outside IP?

Also, could you tell me the commands to back up my current configuration and how to do a restore? In case anything doesn't work out, and I would also like to start implementing a backup for the network, as the last person doesn't seem to have a disaster recovery in place. I would be backing up to the 3.5.

Thank you again!

Hello Steve,

Is it best practice to use the highest outside IP?

Not at all, it does not matter if it's the highest or not.

I do not think we are going to have any issues with this change, because in fact it is not a change, it is just an upgrade of the configuration.

Just in case here is one document that talks about backing up the pix configuration:

http://tools.cisco.com/squish/9922d

Regards,

Rate post if it helps you.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio for all the information. I will be doing the change on Monday so I will let you know how it goes.

Sure, let me know!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, I added the PAT on Monday morning. First I ran 'global (outside) 1 123.123.123.63 netmask 255.255.255.255' and I got a warning which I can't remember the exact wording of, but it was something to the effect of it being an IP that is broadcast off. So instead of saving that setting I exited out of the system and then added 'global (outside) 1 123.123.123.14 netmask 255.255.255.255' and then did the 'write memory' command. I ran 'sh global' and got:

pix# sh global
global (outside) 1 123.123.123.35-123.123.123.62 netmask 255.255.255.0
global (outside) 1 123.123.123.63 netmask 255.255.255.255
global (outside) 1 123.123.123.14 netmask 255.255.255.255

As you can see it saved both the PAT entries. I'm not sure if this is going to be a problem, and I am not sure what the command is to delete the entry.

Monday afternoon I found out that some clients were still having trouble connecting to the internet. I did some investigating and found that I need to run 'clear xlate' for the PAT to work. I did so and everything has seemed fine until today.

On my test machine I wasn't able to connect to the internet. I ran 'sh xlate' and got this:

pix# sh xlate
87 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.14
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.33 Local 192.168.74.33
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1469) Local 192.168.74.94(1890)
PAT Global 123.123.123.63(1471) Local 192.168.74.94(1892)
PAT Global 123.123.123.63(1470) Local 192.168.74.94(1891)
PAT Global 123.123.123.63(1497) Local 192.168.74.94(1918)
PAT Global 123.123.123.63(1496) Local 192.168.74.94(1917)
PAT Global 123.123.123.63(1499) Local 192.168.74.94(1920)
PAT Global 123.123.123.63(1498) Local 192.168.74.94(1919)
PAT Global 123.123.123.63(1501) Local 192.168.74.94(1923)
PAT Global 123.123.123.63(1500) Local 192.168.74.94(1921)
PAT Global 123.123.123.63(1503) Local 192.168.74.94(1925)
PAT Global 123.123.123.63(1502) Local 192.168.74.94(1924)
PAT Global 123.123.123.63(1489) Local 192.168.74.94(1910)
PAT Global 123.123.123.63(1488) Local 192.168.74.94(1909)
PAT Global 123.123.123.63(1491) Local 192.168.74.94(1912)
PAT Global 123.123.123.63(1490) Local 192.168.74.94(1911)
PAT Global 123.123.123.63(1493) Local 192.168.74.94(1914)
PAT Global 123.123.123.63(1492) Local 192.168.74.94(1913)
PAT Global 123.123.123.63(1495) Local 192.168.74.94(1916)
PAT Global 123.123.123.63(1494) Local 192.168.74.94(1915)
PAT Global 123.123.123.63(1481) Local 192.168.74.94(1902)
PAT Global 123.123.123.63(1480) Local 192.168.74.94(1901)
PAT Global 123.123.123.63(1483) Local 192.168.74.94(1904)
PAT Global 123.123.123.63(1482) Local 192.168.74.94(1903)
PAT Global 123.123.123.63(1485) Local 192.168.74.94(1906)
PAT Global 123.123.123.63(1484) Local 192.168.74.94(1905)
PAT Global 123.123.123.63(1487) Local 192.168.74.94(1908)
PAT Global 123.123.123.63(1486) Local 192.168.74.94(1907)
PAT Global 123.123.123.63(1473) Local 192.168.74.94(1894)
PAT Global 123.123.123.63(1472) Local 192.168.74.94(1893)
PAT Global 123.123.123.63(1475) Local 192.168.74.94(1896)
PAT Global 123.123.123.63(1474) Local 192.168.74.94(1895)
PAT Global 123.123.123.63(1477) Local 192.168.74.94(1898)
PAT Global 123.123.123.63(1476) Local 192.168.74.94(1897)
PAT Global 123.123.123.63(1479) Local 192.168.74.94(1900)
PAT Global 123.123.123.63(1478) Local 192.168.74.94(1899)
PAT Global 123.123.123.63(1513) Local 192.168.74.94(1935)
PAT Global 123.123.123.63(1512) Local 192.168.74.94(1934)
PAT Global 123.123.123.63(1515) Local 192.168.74.94(1937)
PAT Global 123.123.123.63(1514) Local 192.168.74.94(1936)
PAT Global 123.123.123.63(1517) Local 192.168.74.94(1939)
PAT Global 123.123.123.63(1516) Local 192.168.74.94(1938)
PAT Global 123.123.123.63(1518) Local 192.168.74.94(1940)
PAT Global 123.123.123.63(1505) Local 192.168.74.94(1927)
PAT Global 123.123.123.63(1504) Local 192.168.74.94(1926)
PAT Global 123.123.123.63(1507) Local 192.168.74.94(1929)
PAT Global 123.123.123.63(1506) Local 192.168.74.94(1928)
PAT Global 123.123.123.63(1509) Local 192.168.74.94(1931)
PAT Global 123.123.123.63(1508) Local 192.168.74.94(1930)
PAT Global 123.123.123.63(1511) Local 192.168.74.94(1933)
PAT Global 123.123.123.63(1510) Local 192.168.74.94(1932)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.44 Local 192.168.74.44
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.42 Local 192.168.74.42
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26

As you see I have 87 in use, 99 most used. I don't even have that many systems in the building. All the PAT global connections are my test machine.

After a few minutes I was able to connect to the internet without doing anything. I ran 'sh xlate' again and got:

pix# sh xlate
39 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.94
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1589) Local 192.168.74.94(2011)
PAT Global 123.123.123.63(1588) Local 192.168.74.94(2010)
PAT Global 123.123.123.63(1590) Local 192.168.74.94(2012)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26

So as soon as my test machine connected it dropped to 39 in use, 99 most used. I'm not sure why that happened.

So my next questions for you are,

1. Do you know what that error is that I got from the first PAT entry?

2. Is it bad that I currently have two PAT's?

3. If I have to remove one of the PAT's what is the command for doing so?

4. Why did it take a few minutes before I could get out to the internet from my test machine?

5. Why did the PAT show so many IP's running through it before it connected and so few after?

Everything is going well so far and I appreciate everything you have done for me this far. I would still be banging my head against a wall if it wasn't for you.

Thank you.

Hello Steve,

Answers:

1- Not sure, I will need to see the exact log.

2- Not at all. What is going to happen is that the users will use the pool first, then they will use the first PAT address (65535 ports), then if those are already used the other PAT will be used.

3- no global (outside) 1 123.123.123.14 netmask 255.255.255.255

4- You need to clear the xlate first, and local-host, because until you do that the translation table is already in use with the pool of IP addresses, so to start using the new environment (pool and PAT) you need that.

5- What do you mean by "Why did the PAT show so many IP's running through it before it connected and so few after?"

Hope this helps.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
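As an added example (not code from the thread or from Cisco), here is a small Python parser for the 'sh xlate' output format quoted in Steve's post above. It counts how many addresses of the one-to-one dynamic pool are in use and how many translations each inside host holds through PAT, which makes Julio's answer 2 and the "87 in use" figure easier to read: every PAT (address, port) pair counts as one xlate, so a single test machine can hold dozens. The sample dump and the pool bounds are constructed to match the thread's format.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample in the format of the PIX 6.3 'sh xlate' output quoted in the thread.
SAMPLE = """pix# sh xlate
6 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.10 Local 192.168.74.10
PAT Global 123.123.123.63(1469) Local 192.168.74.94(1890)
PAT Global 123.123.123.63(1471) Local 192.168.74.94(1892)
PAT Global 123.123.123.14(2001) Local 192.168.74.20(3333)
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)

def parse_xlate(text):
    """Parse 'sh xlate' text into (in_use, most_used, list of entry dicts)."""
    in_use = most_used = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            in_use, most_used = int(m[1]), int(m[2])
        elif m := XLATE_RE.match(line):
            entries.append({"pat": m["pat"] is not None,
                            "global": IPv4Address(m["gip"]),
                            "local": IPv4Address(m["lip"])})
    return in_use, most_used, entries

def summarize(text, pool_first, pool_last):
    """Pool utilisation and per-host PAT counts for one 'sh xlate' dump (pool bounds inclusive)."""
    in_use, most_used, entries = parse_xlate(text)
    pool = {IPv4Address(a) for a in range(int(IPv4Address(pool_first)), int(IPv4Address(pool_last)) + 1)}
    # One-to-one dynamic NAT: each non-PAT entry in the range consumes a whole pool address.
    pool_used = {e["global"] for e in entries if not e["pat"] and e["global"] in pool}
    # PAT: each entry is one (address, port) pair, so one host can hold many xlates.
    pat_per_host = Counter(str(e["local"]) for e in entries if e["pat"])
    return {"in_use": in_use, "most_used": most_used,
            "pool_size": len(pool), "pool_used": len(pool_used), "pool_free": len(pool) - len(pool_used),
            "pat_entries": sum(pat_per_host.values()), "pat_per_host": dict(pat_per_host),
            # Non-PAT globals outside the pool are other translations (e.g. statics), not pool usage.
            "non_pool_globals": sorted(str(e["global"]) for e in entries if not e["pat"] and e["global"] not in pool)}

if __name__ == "__main__":
    print(summarize(SAMPLE, "123.123.123.35", "123.123.123.62"))
```

Pool exhaustion shows up as pool_free reaching 0 while new hosts appear only as PAT entries; a host with an unusually high pat_per_host count is the one to look at first.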