I got a Cisco 2610, a PIX 515, VPN client 1.1. Now I'm going to implement IPSec for VPN clients, going to terminate VPN clients on the PIX. Now I am doing NAT on the PIX for my 4 internal networks. Now the design is I'm using a RSM to route b/w these internal networks; 2 of them are training and testing LANs, just wanted to keep traffic within segments and manage the network better, since I will be having only 2 of these networks going out on the Internet, using one pool of class C (public IP). The other 2 testing and training networks will prob. only want to use the machines on the DMZ, so I need to define them on the PIX. Now, will this NAT be any problem for my VPN clients using IPSec? These VPN clients will be authenticated by my TACACS+ (Cisco Secure ACS 4.0 for NT). I will be grateful to get a configuration keeping my network infrastructure in mind. Now my Cisco 2610 will be on the outside interface of the PIX, with its serial interface connected to the T1 connection. What configuration will be required there? Now it looks like my PIX will be doing everything and people will suggest a VPN concentrator, but I really don't wanna add another piece of device in my network. You can say right now I will only have a few VPN clients, and this will be an interim solution. Need to get some config for both my Cisco 2610 and PIX. I searched the Cisco site and found many helpful things, and I'm working to get the best of it... but someone with a little time, help me with this... now, is this network design very complex? I prob. won't have more than 200 hosts going out on the Internet or DMZ, so one pool will work for me I assume. What are other ways... leaving the PAT, that I can do to utilize my 1 public pool of IPs, when I will have more hosts wanting to go out? Thanks in advance...
First of all, you need to at least have as many addresses in your NAT pool as you have users going out. If you have more users than addresses they won't all be able to get out (syslog error: translation creation failed). You can recycle the pool addresses by adjusting the timeout conn and xlate values way down, but I'd recommend still turning on PAT for an overflow. I wouldn't use NAT pools for DMZ access if it's a private network. I'd suggest network statics without translation are best.
I might be able to help but I have a few questions first. Is the 2600 your Internet (perimeter) router or do you have another one? Are your 4 internal networks separate networks that go through the router or are they part of one big network that is switched? Who (applications, remote users, etc.) is coming into your site and who is going out? Where?
Yes, 2610 is our Internet router. And the 4 internal networks are switched; I am using RSFC to do inter-VLAN routing. My new T1 will be connected to this Cisco 2610, which is connected to the outside interface of my PIX 515, and the inside interface is going to the switch (backbone), and there is another interface, i.e. DMZ.
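One way to lay this out on the PIX, as an added example that is not from the thread: it combines the NAT pool with a PAT overflow address, identity statics for DMZ access, a NAT exemption for the VPN client pool, and shorter xlate/conn timeouts. It assumes PIX 6.x command syntax; all interface names and addresses are constructed placeholders.

```cisco
! Added example (not from the thread): PIX 6.x-style NAT layout for the
! design described above. All addresses are constructed placeholders:
!   192.0.2.0/24  = the single public class C pool (substitute your block)
!   10.1.0.0/16   = the two production VLANs allowed out to the Internet
!   10.2.0.0/16   = the training/testing VLANs (DMZ access only)
!   172.16.1.0/24 = DMZ segment
!   10.99.0.0/24  = address pool handed to the IPSec VPN clients
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Dynamic NAT pool for hosts going to the Internet. The last public
! address is left out of the range so it can serve as PAT overflow below.
global (outside) 1 192.0.2.10-192.0.2.253 netmask 255.255.255.0
! PAT overflow: once the pool is exhausted, further hosts share this one
! address instead of failing with "translation creation failed".
global (outside) 1 192.0.2.254 netmask 255.255.255.0
! Only the production VLANs are tied to the pool, so only they can go out.
nat (inside) 1 10.1.0.0 255.255.0.0

! Production and training/testing VLANs reach the DMZ with their real
! addresses (identity statics, no translation), as the reply recommends.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0

! Exempt inside-to-VPN-client traffic from NAT so the IPSec tunnel carries
! private addresses on both ends; otherwise the dynamic pool above would
! rewrite the inner source addresses and break return traffic.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Recycle idle translations faster if the pool runs short (PIX 6.x
! defaults are 3:00:00 for xlate and 1:00:00 for conn).
timeout xlate 0:30:00
timeout conn 0:30:00
```

Verify the result with `show xlate` and `show conn` under load: the pool addresses should be in use first, with the overflow address appearing only once the range is exhausted.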