01-05-2012 01:41 PM - edited 03-11-2019 03:10 PM
I have a Cisco PIX 520 that I know nothing about. The problem I have come into is that my NAT pool is running dry and I am getting clients without access to the internet. I would like to add a PAT but I have no idea what I am doing or where to start.
Could someone give me the proper commands to do this?
I don't know what more information you need so please ask questions!
Thanks.
01-05-2012 02:04 PM
Hello Steve,
More than glad, what is the Pix version you are running?
Regards,
Julio
01-05-2012 02:07 PM
Version 6.3 (4)
01-05-2012 02:14 PM
Hello Steve,
you can do
nat (inside) 1 0 0
global (outside) 1 interface
Rate if this post helps.
Julio
01-05-2012 02:48 PM
I have to be honest, I have no idea what this means. I really need someone to walk me through it.
Currently I have inside IP scheme of 192.168.1.45 - 255 and outside of 90.90.90.35 - 62.
I want to use PAT for one of the outside IP's.
I found this on Cisco's site but I'm not sure if that is what I need to do as their diagram shows a 10.0.0.1 IP along with a 192.168.1.x. I only have 192.168.1.x, does this make a difference?
If I run the following commands with my information is it going to give me what I need or am I on the wrong track?
global (outside) 1 209.165.201.3-209.165.201.29 netmask 255.255.255.224
global (outside) 1 209.165.201.30 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
I don't know anything about Cisco commands so I really need it put out step by step so I don't accidentally do the wrong thing and take down the network as I would have no idea how to reverse it.
01-05-2012 02:52 PM
Hello Steve,
You already have a pool of IP addresses assigned to your users if they go to the outside, the problem is that you are running out of public IP addresses, so what we need to do is just to add a global command:
global (outside) 1 x.x.x.x netmask 255.255.255.255
This will not affect your network, just that now if the pool of addresses gets exhausted we will start to use the PAT IP address.
Regards,
Julio
01-05-2012 03:57 PM
Thank you for the reply. I will be trying this tomorrow. Is it best practice to use the highest outside IP?
Also could you tell me the commands to back up my current configuration and how to do a restore? In case anything doesn't work out, and I would also like to start implementing a backup for the network as the last person doesn't seem to have a disaster recovery in place. I would be backing up to the 3.5.
Thank you again!
01-05-2012 04:06 PM
Hello Steve,
Is it best practice to use the highest outside IP?
Not at all, it does not matter if it's the highest or not.
I do not think we are going to have any issues with this change, because in fact it is not a change, it is just an upgrade of the configuration.
Just in case here is one document that talks about backing up the pix configuration:
http://tools.cisco.com/squish/9922d
Regards,
Rate post if it helps you.
Julio
01-06-2012 07:06 AM
Thank you Julio for all the information. I will be doing the change on Monday so I will let you know how it goes.
01-06-2012 09:19 AM
Sure, let me know!
01-11-2012 09:40 AM
Ok, I added the PAT on Monday morning. First I ran 'global (outside) 1 123.123.123.63 netmask 255.255.255.255' and I got a warning which I can't remember the exact wording of but it was something to the effect of being an IP that is broadcast off. So instead of saving that setting I exited out of the system and then added 'global (outside) 1 123.123.123.14 netmask 255.255.255.255' and then did the 'write memory' command. I ran 'sh global' and got:
pix# sh global
global (outside) 1 123.123.123.35-123.123.123.62 netmask 255.255.255.0
global (outside) 1 123.123.123.63 netmask 255.255.255.255
global (outside) 1 123.123.123.14 netmask 255.255.255.255
As you can see it saved both the PAT entries, not sure if this is going to be a problem and I am not sure what the command is to delete the entry.
Monday afternoon I found out that some clients were still having trouble connecting to the internet. I did some investigating and found that I need to run 'clear xlate' for the PAT to work. I did so and everything has seemed fine until today.
On my test machine I wasn't able to connect to the internet. I ran 'sh xlate' and got this:
pix# sh xlate
87 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.14
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.33 Local 192.168.74.33
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1469) Local 192.168.74.94(1890)
PAT Global 123.123.123.63(1471) Local 192.168.74.94(1892)
PAT Global 123.123.123.63(1470) Local 192.168.74.94(1891)
PAT Global 123.123.123.63(1497) Local 192.168.74.94(1918)
PAT Global 123.123.123.63(1496) Local 192.168.74.94(1917)
PAT Global 123.123.123.63(1499) Local 192.168.74.94(1920)
PAT Global 123.123.123.63(1498) Local 192.168.74.94(1919)
PAT Global 123.123.123.63(1501) Local 192.168.74.94(1923)
PAT Global 123.123.123.63(1500) Local 192.168.74.94(1921)
PAT Global 123.123.123.63(1503) Local 192.168.74.94(1925)
PAT Global 123.123.123.63(1502) Local 192.168.74.94(1924)
PAT Global 123.123.123.63(1489) Local 192.168.74.94(1910)
PAT Global 123.123.123.63(1488) Local 192.168.74.94(1909)
PAT Global 123.123.123.63(1491) Local 192.168.74.94(1912)
PAT Global 123.123.123.63(1490) Local 192.168.74.94(1911)
PAT Global 123.123.123.63(1493) Local 192.168.74.94(1914)
PAT Global 123.123.123.63(1492) Local 192.168.74.94(1913)
PAT Global 123.123.123.63(1495) Local 192.168.74.94(1916)
PAT Global 123.123.123.63(1494) Local 192.168.74.94(1915)
PAT Global 123.123.123.63(1481) Local 192.168.74.94(1902)
PAT Global 123.123.123.63(1480) Local 192.168.74.94(1901)
PAT Global 123.123.123.63(1483) Local 192.168.74.94(1904)
PAT Global 123.123.123.63(1482) Local 192.168.74.94(1903)
PAT Global 123.123.123.63(1485) Local 192.168.74.94(1906)
PAT Global 123.123.123.63(1484) Local 192.168.74.94(1905)
PAT Global 123.123.123.63(1487) Local 192.168.74.94(1908)
PAT Global 123.123.123.63(1486) Local 192.168.74.94(1907)
PAT Global 123.123.123.63(1473) Local 192.168.74.94(1894)
PAT Global 123.123.123.63(1472) Local 192.168.74.94(1893)
PAT Global 123.123.123.63(1475) Local 192.168.74.94(1896)
PAT Global 123.123.123.63(1474) Local 192.168.74.94(1895)
PAT Global 123.123.123.63(1477) Local 192.168.74.94(1898)
PAT Global 123.123.123.63(1476) Local 192.168.74.94(1897)
PAT Global 123.123.123.63(1479) Local 192.168.74.94(1900)
PAT Global 123.123.123.63(1478) Local 192.168.74.94(1899)
PAT Global 123.123.123.63(1513) Local 192.168.74.94(1935)
PAT Global 123.123.123.63(1512) Local 192.168.74.94(1934)
PAT Global 123.123.123.63(1515) Local 192.168.74.94(1937)
PAT Global 123.123.123.63(1514) Local 192.168.74.94(1936)
PAT Global 123.123.123.63(1517) Local 192.168.74.94(1939)
PAT Global 123.123.123.63(1516) Local 192.168.74.94(1938)
PAT Global 123.123.123.63(1518) Local 192.168.74.94(1940)
PAT Global 123.123.123.63(1505) Local 192.168.74.94(1927)
PAT Global 123.123.123.63(1504) Local 192.168.74.94(1926)
PAT Global 123.123.123.63(1507) Local 192.168.74.94(1929)
PAT Global 123.123.123.63(1506) Local 192.168.74.94(1928)
PAT Global 123.123.123.63(1509) Local 192.168.74.94(1931)
PAT Global 123.123.123.63(1508) Local 192.168.74.94(1930)
PAT Global 123.123.123.63(1511) Local 192.168.74.94(1933)
PAT Global 123.123.123.63(1510) Local 192.168.74.94(1932)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.44 Local 192.168.74.44
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.42 Local 192.168.74.42
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26
As you see I have 87 in use, 99 most used. I don't even have that many systems in the building. All the PAT global connections are my test machine.
After a few minutes I was able to connect to the internet without doing anything. I ran 'sh xlate' again and got:
pix# sh xlate
39 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.94
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1589) Local 192.168.74.94(2011)
PAT Global 123.123.123.63(1588) Local 192.168.74.94(2010)
PAT Global 123.123.123.63(1590) Local 192.168.74.94(2012)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26
So as soon as my test machine connected it dropped to 39 in use, 99 most used. I'm not sure why that happened.
So my next questions for you are,
1. Do you know what that error is that I got from the first PAT entry?
2. Is it bad that I currently have two PAT's?
3. If I have to remove one of the PAT's what is the command for doing so?
4. Why did it take a few minutes before I could get out to the internet from my test machine?
5. Why did the PAT show so many IP's running through it before it connected and so few after?
Everything is going well so far and I appreciate everything you have done for me this far. I would still be banging my head against a wall if it wasn't for you.
Thank you.
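The two 'sh xlate' snapshots above are what an admin has to read by eye to see whether the 35-62 pool is full and which host is holding PAT ports. As an added example (not from the thread or from Cisco), this Python parser reads PIX 6.3 'show xlate' text, reports pool utilisation against the global pool from the thread's 'sh global' output, and counts PAT translations per inside host; the sample output is constructed in the same layout, not copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the PIX 6.3 'show xlate' layout seen in the thread (not
# the posted output): two pool entries, two statics outside the pool, a PAT burst.
SAMPLE_XLATE = """87 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.10 Local 192.168.74.10
PAT Global 123.123.123.63(1469) Local 192.168.74.94(1890)
PAT Global 123.123.123.63(1471) Local 192.168.74.94(1892)
PAT Global 123.123.123.63(1472) Local 192.168.74.12(1893)
"""
HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
XLATE_RE = re.compile(r"^(?P<pat>PAT )?Global (?P<g>[\d.]+)(?:\(\d+\))?"
                      r" Local (?P<l>[\d.]+)(?:\(\d+\))?$")

def parse_xlate(text):
    # Returns the header counters plus one dict per translation line.
    out = {"in_use": None, "most_used": None, "entries": []}
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        m = XLATE_RE.match(line.strip())
        if h:
            out["in_use"], out["most_used"] = int(h.group(1)), int(h.group(2))
        elif m:  # prompt echoes and unknown lines are skipped, not guessed at
            out["entries"].append({"pat": bool(m.group("pat")),
                                   "global": m.group("g"), "local": m.group("l")})
    return out

def summarize(text, pool_first, pool_last):
    """Pool utilisation and per-host PAT port counts for one snapshot."""
    lo, hi = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    parsed = parse_xlate(text)
    pool_used, outside_pool, pat_by_local = set(), set(), Counter()
    for e in parsed["entries"]:
        g = ipaddress.IPv4Address(e["global"])
        if e["pat"]:
            pat_by_local[e["local"]] += 1   # PAT: one xlate per source port
        elif lo <= g <= hi:
            pool_used.add(g)                # dynamic NAT from the global pool
        else:
            outside_pool.add(g)             # static or other mapping
    size = int(hi) - int(lo) + 1
    return {"in_use": parsed["in_use"], "most_used": parsed["most_used"],
            "pool_size": size, "pool_used": len(pool_used),
            "pool_free": size - len(pool_used),
            "outside_pool": len(outside_pool), "pat_by_local": pat_by_local}
```

Run it on a saved 'sh xlate' capture with the pool bounds from 'sh global' (123.123.123.35 to 123.123.123.62 here); a 'pool_free' of zero explains clients falling over to PAT, and 'pat_by_local' shows which host is holding the ports.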
01-11-2012 10:56 AM
Hello Steve,
Answers:
1- Not sure, I will need to see the exact log
2- Not at all, what is going to happen is that the users will use the pool first, then they will use the first PAT address (65535 ports), then if those are already used the other PAT will be used.
3- no global (outside) 1 123.123.123.14 netmask 255.255.255.255
4- You need to clear the xlate first and local-host because until you do that the translation table is already in use with the pool of IP addresses, so to start using the new environment (pool and PAT) you need that.
5- What do you mean by "Why did the PAT show so many IP's running through it before it connected and so few after?"
Hope this helps
Regards,
Julio