Nat Pool

Nat Pool
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.sys.cisco  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Nat Pool dempsey_b 07-25-2008
---> Re: Nat Pool Scott Perry07-25-2008
Posted by dempsey_b on July 25, 2008, 3:18 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Group, Cisco Pix 6.3(4).

We have a vendor that is requiring us to connect vpn to their network
to transmit data. This used to not be a huge deal, because out of a
thousand users, we only had one end user that required to connect to
this service. Now we have a group of 10.

Since I don't have 10 free public IPs I would like to create a pool of
5 public IPs for any of the 10 specified users. Sounds easy enough,
but I haven't a clue as where to begin.

Could someone point me in the correct direction? Either by config
example (yeah, I'm lazy) or literature?

Thanks millions!

Bill

Pure Networks
Posted by Scott Perry on July 25, 2008, 4:16 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
There are different kinds of VPN. I must assume that you mean remote access
VPN for a single PC to connect into the inside company network from the
outside. I hope you did not mean a site-to-site VPN.

It sounds like a VPN system is already in place for that 1 person already
connecting. Now 10 people need to connect. Therefore, it seems like the
equipment is already configured and the other people just connect into the
same system with the same external Internet IP address and get into the
inside network as if they were an inside host. I do not foresee a problem
so far.

Many devices host remote access (RAS) VPN connections. They usually have a
single Internet IP address which is used for all outside VPN clients to
connect. Multiple outside IP addresses are not used for multiple RAS VPN
connections. The resulting connection through the VPN system to the inside
network usually uses DHCP to provides an inside IP address to the client's
virtual connection through the established VPN tunnel.

Now for your company to have more than 1 RAS VPN connection to another
company, I do not see the need for you to allocate more public IP addresses
on your side - the VPN client side. Much more information is needed. What
kind of system is providing the VPN connection and what software and VPN
protocols are being used to make this connection?

-----
Scott Perry
Indianapolis, IN
-----

> Group, Cisco Pix 6.3(4).
>
> We have a vendor that is requiring us to connect vpn to their network
> to transmit data. This used to not be a huge deal, because out of a
> thousand users, we only had one end user that required to connect to
> this service. Now we have a group of 10.
>
> Since I don't have 10 free public IPs I would like to create a pool of
> 5 public IPs for any of the 10 specified users. Sounds easy enough,
> but I haven't a clue as where to begin.
>
> Could someone point me in the correct direction? Either by config
> example (yeah, I'm lazy) or literature?
>
> Thanks millions!
>
> Bill



Posted by dempsey_b on July 27, 2008, 8:14 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
My apologies, This is a client based VPN.. and you are correct.. I
will elaborate. We do have one single outbound IP address. All of
our clients come from xx.xx.xx.18 ...Many of our users use a Cisco
client to connect to one of our other vendors., all using the same
public IP address.... No issues there.

My problem, is that this is some kind of crazy At&t "Global" VPN
client our vendor is using via an ATT managed service. In the
instructions the vendor gave us for the ATT client, it specifically
states that each machine connecting to the "Global ATT Network" will
need its OWN public IP address. The actual documentation for the ATT
Client from ATT says no such thing... I have not tested to see if all
will work with the single outbound IP address. Needless to say, a
client that requires an individual public IP for each user... doesn't
have me happy.

I've created nat pools on routers several times, just never on a pix.
I work for a non-profit agency that doesn't have money for hot spares
or failovers... so my changes will be done on a.. gasp.. . production
firewall.

Thanks however for your insight and as always, I am thankful for
anyone taking the time out to help explain.

Posted by CK on July 28, 2008, 3:11 am
If you were  Registered and logged in, you could reply and use other advanced thread options
As per my understanding you are using AT&T Clinet to connect your
vendors VPN Network.

Actually your vendor has restricted 1 public-ip per mac-addres or
something that kind of adjustment. You need to check with them how to
solve this as you only have 1 public-ip natting all internal ips .



Posted by Techno_Guy on July 29, 2008, 1:27 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
> My apologies, This is a client based VPN.. and you are correct.. =A0I
> will elaborate. =A0We do have one single outbound IP address. =A0All of
> our clients come from xx.xx.xx.18 ...Many of our users use a Cisco
> client to connect to one of our other vendors., all using the same
> public IP address.... No issues there.
>
> My problem, is that this is some kind of crazy At&t "Global" VPN
> client our vendor is using via an ATT managed service. =A0In the
> instructions the vendor gave us for the ATT client, it specifically
> states that each machine connecting to the "Global ATT Network" will
> need its OWN public IP address. =A0The actual documentation for the ATT
> Client from ATT says no such thing... I have not tested to see if all
> will work with the single outbound IP address. =A0Needless to say, a
> client that requires an individual public IP for each user... doesn't
> have me happy.
>
> I've created nat pools on routers several times, just never on a pix.
> I work for a non-profit agency that doesn't have money for hot spares
> or failovers... so my changes will be done on a.. gasp.. . production
> firewall.
>
> Thanks however for your insight and as always, I am thankful for
> anyone taking the time out to help explain.

A quick search on google for Cisco Pix Nat PPOl showed me this.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note091=
86a00800b6e1a.shtml

Similar ThreadsPosted
nat for pool September 12, 2006, 9:30 am
reading the nat pool September 19, 2005, 12:21 pm
ezvpn: ip pool necessary? June 27, 2006, 1:54 pm
Pool Manager uses 40% of CPU November 5, 2006, 4:43 am
dynamically assigning NAT pool? August 9, 2004, 5:55 am
PIX - ip local pool - question April 27, 2005, 8:32 pm
rephrased: 2621 nat pool September 22, 2005, 5:14 pm
ip local pool question January 11, 2006, 6:08 pm
VPN address pool disappears from PDM April 12, 2006, 9:23 am
What is NAT pool "prefix-length" for? February 5, 2008, 2:43 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map