Cisco Support Community

PAT problem

I have created a new network, as a first step in separating part of our organisation. The new network is separated by a PIX 515E 6.3(1) [the inside of the firewall is on the new network]. My problem is that during the split the users within the new network (DHCP addressed from local server) need to log on to the original NT4 domain structure through the firewall. I have been able to get them to log on using NAT (pool) addresses but not when I try to PAT (same interface) them.

My questions are:

i. Is it possible for domain login using PAT (if so, how?)

ii. If I can't PAT, are there any known problems that I may encounter (apart from name resolution) using DHCP and NAT pool and not having everything static?

Many thanks, any thoughts gratefully received.


Re: PAT problem

Are the WINS and DNS servers sitting across the firewall? I assume so because you alluded to the NT4 domain structure being accessed via the firewall. I don't believe that PAT would work, as all users will be seen as coming from a single IP address, and if WINS is sitting across the firewall too, then all workstations will have registered with the same IP address. I would continue to use NAT, or bypass NAT for Windows domain authentication by using the `nat (inside) 0 access-list` command, where the ACL would refer to connections to the NT4 domain structure.

If you are using NAT as part of a security policy, I would recommend that IPsec be used between the firewall and the NT domain network to further protect the traffic, as it provides much better security than address translation.

I hope this helps. Ed Hirsel
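The translation options discussed in this thread, side by side, as an added example that is not part of the original posts. It uses PIX 6.3 syntax with constructed addressing (10.10.10.0/24 for the new inside network, 192.168.1.0/24 for the NT4 domain network on the outside) and a hypothetical ACL name `nonat-domain`; only one of the three options would be configured at a time.

```text
!--- Constructed addressing (assumption, not from the thread):
!---   inside  = new network, DHCP clients in 10.10.10.0/24
!---   outside = original NT4 domain network, 192.168.1.0/24

!--- Option A: PAT on the outside interface address.
!--- Every inside host appears on the domain network as one address.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

!--- Option B: dynamic NAT pool.
!--- Each inside host gets its own pool address while its translation
!--- is active; the mapping changes over time, so it is not static.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.1.201-192.168.1.250 netmask 255.255.255.0

!--- Option C: NAT exemption for traffic to the domain network only.
!--- Inside hosts keep their real 10.10.10.x addresses when talking
!--- to 192.168.1.0/24.
access-list nonat-domain permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat-domain
```

With Option C the domain network sees the real inside addresses, so it needs a route to 10.10.10.0/24 via the PIX outside interface. Connections initiated from the outside still have to be permitted by an access list applied to the outside interface.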


Re: PAT problem

Thanks for the input. I decided to make some changes so that I just used NAT and was able to remove the need to use PAT. Regards, Sean.
