And I don’t mean Twice NAT as on Cisco ASA devices. The problem: I have been using a PIX 501 as a gateway for some time. It works great – except for one small problem – it has a 10-user license. What does this mean? It means that if you are using NAT or VPN (or anything) there can only be 10 devices behind the firewall on the inside interface. The easiest way to see this is to look at the ARP table on the firewall – the 11th, 12th, 10+Nth… entries will not be able to access anything but the local subnet.
This isn’t really a problem for small offices or home users…who honestly has more than 10 devices? I do. And I’m betting as more and more things want to get out to the internet, this is going to change. Think about it – at least one desktop, maybe a laptop from work, at least 2, maybe 3 smart phones, a TV for streaming, a game system or two…that’s bumping up to ten pretty quick.
My temporary solution: and I say temporary, as the PIX515 with an unlimited license is not here yet. Why not setup a second NAT to hide some of the devices from the PIX? I happen to have an old 2600 series router with two FE interfaces – this will serve as the second NAT device. The servers that need internet access will sit behind the PIX – there’s only a few that need to have traffic in or out – and they all have static IPs. The problem comes from workstations, smartphones, and game consoles\TVs that access the internet. For the most part, these only need internet access, and I would love if they didn’t take up a license.
Here’s how it works: most of the above mentioned devices acquire an IP address via DHCP. DHCP has been turned off on the DC, and enabled on the router. The “inside” interface on the router is a completely different subnet…unfortunately I don’t have the best switching in the world, so no VLANs….instead, just 2 subnets on the same physical network. It works fine for what little network traffic there is. The DHCP on the router gives out IPs on the new subnet, and points the default gateway at the “inside” interface of the router. Granted, the “outside” interface of the router takes a license from the PIX, but it saves more than enough to make up for it.
The router has a very simple config – just a NAT rule, a default route and a few ACLs. Once the route was added to the PIX, everything was working great! A note: don’t forget like I did that when you apply an ACL to an interface there is an implicit Deny any any at the end of the ACL – so make sure you allow DHCP through!
Building configuration... Current configuration : 1900 bytes ! service config service timestamps debug datetime msec service timestamps log datetime msec ! hostname NATROUTER ! boot-start-marker boot-end-marker ! no logging console ! no network-clock-participate slot 1 no network-clock-participate wic 0 no aaa new-model ip subnet-zero ip cef ! ! ip dhcp excluded-address 192.168.X.0 192.168.X.99 ip dhcp excluded-address 192.168.X.151 192.168.X.254 ! ip dhcp pool NATRoutPool network 192.168.X.0 255.255.255.0 domain-name dns-server 192.168.X.X default-router 192.168.X.X lease 7 ! no ftp-server write-enable ! ! ! ! interface FastEthernet0/0 ip address 192.168.X.X 255.255.255.0 ip access-group 103 in ip nat inside speed auto full-duplex no mop enabled ! interface FastEthernet0/1 ip address 192.168.X.X 255.255.255.0 ip access-group 2001 in ip nat outside speed auto full-duplex ! ip nat inside source list 23 interface FastEthernet0/1 overload ip classless ip route 0.0.0.0 0.0.0.0 192.168.X.X ! ! ! ! ! end