
Cisco Pix 506 Question...

adamf
Level 1

Hello..

I have a Cisco Pix 506 in a small enterprise network.. (less than 100 nodes).. with 3 remote locations.. my problem is.. I'm using a wireless gateway.. and I can ONLY have 1 outside IP address.. will this affect my PIX.. ppl told me I had to have a pool of IP addresses for PIX to work.. can't I trick it.. with just the one outside IP address I have! Please help me! I don't need to be fired this early.

There is no DMZ.. Just Inside ----- Outside..

Please help! :)

Thanks..


danrodri
Cisco Employee

Adam,

The PIX supports PAT, which should meet your needs. A "pool" of addresses is typically used when you are doing NAT and have been assigned a range of addresses by your ISP. Keep in mind PAT can conflict with applications that require high ports.

Hope that helps.

Well.. on our inside network we do use NAT.. does that matter?.. and.. can you tell me where to find a sample config of PAT?!

thanks a million

There is no difference in terms of the command to activate PAT or NAT (the same "NAT" command applies to the inside net). It just depends on the number of addresses applied with the global command to the outside. If you specify only one address with global, it's PAT. If you specify many addresses with global, it's NAT.

Ben

What about access-lists?.. are they needed for traffic to flow in and out?.. if I don't configure any access lists.. will my inside network be able to hit the internet?

and what about when I'm setting up my "global" and the other command.. can't think of it right off.. it gives me an error saying it can't be the same IP address?.. thanks

Instead of specifying an address with global command, use this one:

global (outside) 1 interface

You don't necessarily need an access-list (ACL) combined with a NAT & Global pair to give your internal users access to the Internet. The NAT & Global pair is enough to give access to the outside. You can use the ACL only to restrict what your users can do. In this case, apply the ACL to the inside interface. If you don't want to restrict, don't use an ACL.

Ben

I know this is a lot to ask.. but can you give me a sample config of the nat/global pair?.. I thank you so much.. bless you.

adam

Adam,

Here is all you need. This is assuming that you have 1 routeable IP address (besides your router).

192.168.1.1=Pix inside address ip (def gateway for all your internal PCs)

10.0.0.2=your 1 routeable IP address

10.0.0.1=your internet router

config t

ip add inside 192.168.1.1

ip add outside 10.0.0.2

nat (inside) 1 0 0

global (outside) 1 interface

route outside 0 0 10.0.0.1

write mem (to save the config)

The interface command is what activates PAT (port address translation). NAT is not available to you because you do not have a pool of IP addresses. Just keep in mind that you are limited to about 64,000 (forget the exact #) connections. You can do a sho xlat to verify but for 100 users it should be more than enough. You can still do static mappings between ports to your 1 IP address. Just remember to refer to the outside IP address in your static commands.

Make sure that the interfaces are up by doing a sho int e0 and e1 command.

Sincerely,

Alex
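Added example (not part of Alex's post or any Cisco code): a toy Python model of the PAT behaviour described above, showing how many inside hosts share the one outside address, why unsolicited inbound traffic has nowhere to go unless a static port mapping exists, and what happens when the port pool runs out. The `PatTable` class and the 1024-65535 port range are assumptions for illustration; a real PIX also tracks protocol and connection state.

```python
# Toy model of PAT on one outside address (illustration only, not PIX code).
OUTSIDE_IP = "10.0.0.2"            # sample routable address from the post
PORT_RANGE = range(1024, 65536)    # assumed translation range: 64512 ports


class PatTable:
    def __init__(self, outside_ip=OUTSIDE_IP, ports=PORT_RANGE):
        self.outside_ip = outside_ip
        self.free = list(reversed(ports))  # pop() hands out the lowest port first
        self.out = {}      # (inside_ip, inside_port) -> outside_port
        self.back = {}     # outside_port -> (inside_ip, inside_port)
        self.static = {}   # published ports, like a static port mapping

    def add_static(self, outside_port, inside_ip, inside_port):
        """Publish one inside service on the shared outside address."""
        if outside_port in self.back:
            raise ValueError("port already used by a dynamic translation")
        if outside_port in self.free:
            self.free.remove(outside_port)  # keep PAT from reusing this port
        self.static[outside_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate an inside source to (outside_ip, outside_port)."""
        key = (inside_ip, inside_port)
        if key not in self.out:
            if not self.free:
                raise RuntimeError("PAT port pool exhausted")
            port = self.free.pop()
            self.out[key] = port
            self.back[port] = key
        return self.outside_ip, self.out[key]

    def inbound(self, outside_port):
        """Return the inside destination, or None when the packet is dropped."""
        return self.back.get(outside_port) or self.static.get(outside_port)

    def release(self, inside_ip, inside_port):
        """Tear down a translation and return its port to the pool."""
        port = self.out.pop((inside_ip, inside_port))
        del self.back[port]
        self.free.append(port)


if __name__ == "__main__":
    pat = PatTable()
    print(pat.outbound("192.168.1.10", 40000))  # two hosts, same source port,
    print(pat.outbound("192.168.1.11", 40000))  # distinct outside ports
    print(pat.inbound(3389))                    # no translation: dropped
    pat.add_static(25, "192.168.1.20", 25)      # constructed mail-server mapping
    print(pat.inbound(25))
```

Every static mapping is a deliberately opened inbound path on the only public address, so each one should be paired with an access list that permits just that service.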

I'm getting an overlapping error..

my current def gateway is 10.137.1.200 which is a 3810 router with all the frame connections.. so would my PIX inside def gateway change to 10.137.1.200?.. or would I change that in the routers?.. also.. isn't internet router and default gateway the same thing?.. then the routable IP is the public IP address?

have any idea what I'm doing wrong

Also...

I just found that in my routers.. and workstations.. the default gateway is 10.137.1.200.. and on my firewall/2610 router.. the gateway is 66.x.x.198.. but the outside IP address is 66.x.x.193.. does this give you something to work with?..

Adam,

1. The default gateway for the pix would be 66.x.x.198 ( route 0 0 66.x.x.198)

2. The def gateway for your internal side is a tricky situation depending on how routing works in your company. I suggest you call Cisco TAC for more detailed assistance since any changes made to default gateways may affect hosts being able to contact other hosts on your frame relay network.

AZ

Adam,

Default gateway is a concept you must apply individually to each piece of network equipment with routing capabilities: firewalls, hosts, routers and so on. Generally, the default gateway indicates the direction for traffic where there are no explicit routes configured. It's the direction of last resort.

As I understand, your 3810 is an internal router with frame connections, perhaps for branch offices. Then the default gateway for this router should indicate the next hop to the Internet, probably the PIX interface where the 3810 is connected. Except if you have a router between the 3810 & the PIX; this time the default gateway for the 3810 is the "in-between" router. For the PIX, the default gateway is the next hop to the Internet, probably the ISP's router interface directly connected with the PIX.

Regards,

Ben

adamf
Level 1

ALL THE INFORMATION YOU NEED!

Thank you guys!

Cisco 3810a Router - Gateway Last Resort-> 10.137.1.202

Cisco 3810b Router - Gateway Last Resort-> 10.137.1.200

Cisco 2610 Router(firewall to be replaced) - Gateway Last Resort-> 66.21.32.193

Interface Outside of 2610 firewall/router -> 66.21.32.198

Inside Lan Computer gateway -> 10.137.1.200

Wireless CSU/DSU -> 66.21.32.197
