PAT on PIX vs. NAT Overload on router

dlockerby
Level 1

Best practice question...

Is it better to perform PAT via a NAT overload on a bastion router with a static statement on the PIX, or to set up PAT on the PIX using one global IP address?

Other alternatives?

***Router Example***

Router Setup

ip nat pool FirstPAT 172.16.5.100 172.16.5.100 netmask 255.255.255.0

ip nat inside source list 10 pool FirstPAT overload

! wildcard 0.0.0.255 matches only 10.10.10.0/24, the same network the PIX static below covers

access-list 10 permit 10.10.10.0 0.0.0.255

! the PIX-facing and outside router interfaces also need "ip nat inside" and "ip nat outside"

PIX Setup

static (inside, outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

***PIX Example***

global (outside) 1 172.16.5.100

nat (inside) 1 0.0.0.0 0.0.0.0

Thanks in advance for all posts!
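A complete version of both alternatives, added here as an example and not taken from the post: only the 10.10.10.0/24 inside network, the 172.16.5.100 global address and the two NAT styles come from the question. The PIX-to-router link (192.168.1.0/30), the interface names, the interface addresses and the PIX 6.x syntax are assumptions made for the example. Each option is meant to stand alone; do not combine the Option A identity static with the Option B nat/global pair.

```cisco
! Option A: identity static on the PIX, PAT (NAT overload) on the bastion router.
! Assumed topology for this example:
!   10.10.10.0/24 (inside) -- PIX -- 192.168.1.0/30 -- router -- 172.16.5.0/24 (outside)

! ---- PIX (6.x) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.2 255.255.255.252
ip address inside 10.10.10.1 255.255.255.0
! identity static: 10.10.10.x leaves the PIX untranslated; the router does the PAT
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

! ---- Router (IOS) ----
interface FastEthernet0/0
 description toward PIX outside
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
interface FastEthernet0/1
 description outside
 ip address 172.16.5.1 255.255.255.0
 ip nat outside
! return route for the untranslated inside network
ip route 10.10.10.0 255.255.255.0 192.168.1.2
ip nat pool FirstPAT 172.16.5.100 172.16.5.100 netmask 255.255.255.0
! route-map form: the route-map must match the ACL, otherwise it matches everything
ip nat inside source route-map nat pool FirstPAT overload
route-map nat permit 10
 match ip address 10
access-list 10 permit 10.10.10.0 0.0.0.255
! check: show ip nat translations / show ip nat statistics

! Option B: PAT on the PIX with one global address; the router only routes.
! ---- PIX (6.x) ----
global (outside) 1 172.16.5.100
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
! ---- Router (IOS), no "ip nat" configuration at all ----
! 172.16.5.100 is not on the PIX-router link, so the router must route it back to the PIX
ip route 172.16.5.100 255.255.255.255 192.168.1.2
! check: show xlate / show conn
```

With Option A the router sees 10.10.10.x source addresses arriving from the PIX, so the return route for 10.10.10.0/24 toward the PIX is what makes replies work; with Option B the PIX answers for 172.16.5.100 and the router's host route is what delivers return traffic to it. In either case `show ip nat translations` on the router or `show xlate` on the PIX should list a translation for a test host after it opens a connection outbound.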

Accepted Solution

scoclayton
Level 7

In my opinion, there are no real compelling reasons to go with one idea over the other. I would probably lean towards letting the PIX do the NAT but I could be swayed. The reason for this is that the PIX is essentially already doing NAT (just back onto the same address). But again, either should be fine.

One suggestion though if you went with NAT overload on the router would be to do it with a route map as opposed to the access-list example you have. Something like this:

ip nat pool FirstPAT 172.16.5.100 172.16.5.100 netmask 255.255.255.0

ip nat inside source route-map nat pool FirstPAT overload

route-map nat permit 10

 match ip address 10

access-list 10 permit 10.10.10.0 0.0.0.255

This creates an extended NAT entry in the NAT table on the router.

Good luck.

Scott


4 Replies


ehirsel
Level 6

From my experience in working with both the PIX and the Cisco IOS router devices, I found it better to do the NATing on the PIX firewall. Unless your router is a 3700 or higher series, you can degrade performance on the router by doing the NAT, whereas in the PIX the NAT seems to be better optimized.

I ran into some issues with the early releases of IOS 12.2 code that had issues with NAT overload, whereby NAT was failing to happen. This happened when there was only one entry in the NAT pool. The workaround was to have two or more entries in the NAT pool, so that you did overloading (PAT) only on one address and did NAT on the others. I believe that the issue was fixed in 12.2.3d; I can't remember the exact bug ID, but if I find it I'll post it here.

I hope this helps.

I would definitely recommend you use the PIX for the PAT. It was purposefully built to handle this function very well.

Use of CBAC and NAT overload can have a serious performance hit on an IOS router due to the translation entries and dynamic ACLs created on the outside interface. It depends how many users and how many concurrent sessions you're going to have.

Another advantage of PAT on the PIX is that it has many fixups to make protocols such as PPTP, IPsec, and H.323 work through PAT.

hugodrax
Level 1

I would never do NAT/PAT on a router; performance will degrade quickly, and a PIX is a much more robust box for this purpose. I have seen routers dying at 80-90 percent CPU utilization, and after dropping a PIX into the mix the router went back to 3-5 percent and the PIX was doing about 1-2 percent.
