From: Scooty on 23 Apr 2008 22:12

Hi

I have a PIX in my network. It is used to pass HTTP & HTTPS traffic thru to a Proxy server in the DMZ (running Squid) for Internet access.

My understanding is that the Global Address Pool is used to perform NAT on the inside interfaces. I am finding that the pool of addresses is insufficient for the number of users I have on the inside. I have about 500+ users on various subnets on the inside but my pool for the DMZ is 192.168.1.20-192.168.1.254.

The translation rule on the inside is:

Original: inside: any / 0.0.0.0
Translated: dmz1 192.168.1.20-192.168.1.254

Is there any way to increase this or is there a better way to handle this within the PIX?

Cheers,
Scott
From: networkzman on 24 Apr 2008 01:59

On Apr 24, 3:12 am, Scooty <scootyjthomp...(a)gmail.com> wrote:
> Hi
> I have a PIX in my network. It is used to pass HTTP & HTTPS traffic
> thru to a Proxy server in the DMZ (running Squid) for Internet access.
> My understanding is that the Global Address Pool is used to perform
> NAT on the inside interfaces
> I am finding that the pool of addresses is insufficient for the amount
> of users I have on the inside. I have about 500+ users on various
> subnets on the inside but my pool for the DMZ is
> 192.168.1.20-192.168.1.254
> The translation rule on the inside is
> Original inside:any / 0.0.0.0 Translated dmz1
> 192.168.1.20-192.168.1.254
>
> Is there any way to increase this or is there a better way to handle
> this within the PIX?
>
> Cheers,
> Scott

hello,

nat (inside) 1 0 0

global (outside) 1 192.168.1.20-192.168.1.253
global (outside) 1 192.168.1.254

or, as you said it's the dmz int:

global (dmz) 1 192.168.1.20-192.168.1.253
global (dmz) 1 192.168.1.254

so you have both NAT/PAT configured; once the NAT addresses are used it would start using the PAT on (192.168.1.254), which can handle up to 65535 connections.

hope this link would be of some help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

Thanks
From: Scooty on 24 Apr 2008 02:22

On Apr 24, 1:59 pm, networkzman <javz...(a)gmail.com> wrote:
> On Apr 24, 3:12 am, Scooty <scootyjthomp...(a)gmail.com> wrote:
> > Hi
> > I have a PIX in my network. It is used to pass HTTP & HTTPS traffic
> > thru to a Proxy server in the DMZ (running Squid) for Internet access.
> > My understanding is that the Global Address Pool is used to perform
> > NAT on the inside interfaces
> > I am finding that the pool of addresses is insufficient for the amount
> > of users I have on the inside. I have about 500+ users on various
> > subnets on the inside but my pool for the DMZ is
> > 192.168.1.20-192.168.1.254
> > The translation rule on the inside is
> > Original inside:any / 0.0.0.0 Translated dmz1
> > 192.168.1.20-192.168.1.254
> >
> > Is there any way to increase this or is there a better way to handle
> > this within the PIX?
> >
> > Cheers,
> > Scott
>
> hello,
>
> nat (inside) 1 0 0
>
> global (outside) 1 192.168.1.20-192.168.1.253
> global (outside) 1 192.168.1.254
>
> or as you said it's the dmz int
>
> global (dmz) 1 192.168.1.20-192.168.1.253
> global (dmz) 1 192.168.1.254
>
> so you have both NAT/PAT configured, once the NAT addresses are used it
> would start using the PAT on (192.168.1.254) which can handle up to
> 65535 connections.
>
> hope this link would be of some help
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_n...
>
> Thanks

This is what I have; as you can see, the Global NAT Outside is using a real IP:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.59.123.43
global (inside) 1 192.168.100.200-192.168.100.220 netmask 255.255.255.0
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

Will it still work as you have outlined?

Scott
From: Darren on 24 Apr 2008 16:47

Scooty wrote:
> On Apr 24, 1:59 pm, networkzman <javz...(a)gmail.com> wrote:
>> On Apr 24, 3:12 am, Scooty <scootyjthomp...(a)gmail.com> wrote:
>>> Hi
>>> I have a PIX in my network. It is used to pass HTTP & HTTPS traffic
>>> thru to a Proxy server in the DMZ (running Squid) for Internet access.
>>> My understanding is that the Global Address Pool is used to perform
>>> NAT on the inside interfaces
>>> I am finding that the pool of addresses is insufficient for the amount
>>> of users I have on the inside. I have about 500+ users on various
>>> subnets on the inside but my pool for the DMZ is
>>> 192.168.1.20-192.168.1.254
>>> The translation rule on the inside is
>>> Original inside:any / 0.0.0.0 Translated dmz1
>>> 192.168.1.20-192.168.1.254
>>> Is there any way to increase this or is there a better way to handle
>>> this within the PIX?
>>> Cheers,
>>> Scott
>> hello,
>>
>> nat (inside) 1 0 0
>>
>> global (outside) 1 192.168.1.20-192.168.1.253
>> global (outside) 1 192.168.1.254
>>
>> or as you said it's the dmz int
>>
>> global (dmz) 1 192.168.1.20-192.168.1.253
>> global (dmz) 1 192.168.1.254
>>
>> so you have both NAT/PAT configured, once the NAT addresses are used it
>> would start using the PAT on (192.168.1.254) which can handle up to
>> 65535 connections.
>>
>> hope this link would be of some help
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_n...
>>
>> Thanks
>
> This is what I have, as you can see the Global NAT Outside is using a
> real IP
>
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
> nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
> global (outside) 1 203.59.123.43
> global (inside) 1 192.168.100.200-192.168.100.220 netmask
> 255.255.255.0
> global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
>
> Will it still work as you have outlined?
>
> Scott

Your NAT ID will tie up with your Global ID, e.g.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
+
global (outside) 1 IP-ADDRESS

are linked together by the NAT / Global ID of 1. You can substitute IP-ADDRESS for a single IP address (=PAT), the word 'interface' (=PAT) or a range of addresses, as well as other options.

Similarly, hosts on the DMZ would be able to use their NAT ID, in your example nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0, to talk outbound to the Internet using a matching global statement with the same ID.

If you have inside users talking to a proxy on the DMZ and a lack of addresses, PAT the IPs to a single IP address = the DMZ interface when traffic flows through the inside of the firewall onto the DMZ. The Proxy will then open up a connection to the Internet using its NAT & Global ID pairing.

e.g. Examples, not the way I am suggesting you do it but just an explanation:

nat (inside) 1 0 0
global (dmz1) 1 interface

Is the same as writing: PAT any source address on the inside interface to the dmz1 interface address as the packet goes through the firewall.

nat (dmz1) 1 0 0
global (outside) 1 interface

Is as above, but you are NATing all traffic from your DMZ1 hosts to the outside interface.

It is unlikely that you will want to PAT all addresses, so look up other examples, say static NAT, policy NAT etc. Also read more examples of NATing and PATing between 2 x interface & 3 x interface firewalls etc. Cisco will have lots of WWW pages on this. You can then determine how you want to set up your NAT and Global ID pairs.

Regards
Darren
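As an added example, not code from the thread, from Cisco, or from any poster, here is a small Python model of the two points the replies above make: Darren's pairing of nat and global lines by ID per egress interface, and networkzman's observation that once a dynamic NAT range under an ID is used up, a single-address global under the same ID carries the remaining hosts as PAT. It parses the nat/global lines Scooty posted (embedded as constructed sample text) plus a constructed variant that ends the dmz1 range at .253 and adds 192.168.1.254 as a single-address global, then pushes 500 hypothetical inside hosts through inside -> dmz1. The pick order (range first, then PAT), PAT ports counted from 1024, and the absence of xlate timeouts are simplifying assumptions of this model, as are the 10.0.x.y inside host addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the nat/global lines Scooty posted, unchanged.
POSTED_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.59.123.43
global (inside) 1 192.168.100.200-192.168.100.220 netmask 255.255.255.0
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
"""
# Constructed variant: dmz1 range ends at .253 and .254 becomes a single-address (PAT) global.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0",
    "global (dmz1) 1 192.168.1.20-192.168.1.253 netmask 255.255.255.0\n"
    "global (dmz1) 1 192.168.1.254",
)
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse_config(text):
    """nat_ifaces[id] -> source interfaces; global_pools[id][egress] -> address specs."""
    nat_ifaces = defaultdict(set)
    global_pools = defaultdict(lambda: defaultdict(list))
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_ifaces[int(m.group(2))].add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_pools[int(m.group(2))][m.group(1)].append(m.group(3))
    return nat_ifaces, global_pools

def expand_spec(spec):
    """(addresses, is_pat): a range is a dynamic NAT pool, one address per inside
    host; a single address or the keyword 'interface' is PAT (one address, many ports)."""
    if spec == "interface":
        return ["interface"], True
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in spec.split("-"))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)], False
    return [spec], True

def pairings(config_text):
    """Tie nat and global lines together by ID: (source iface, egress iface) ->
    (dynamic NAT pool size, PAT addresses). ID 0 is NAT exemption and is skipped."""
    nat_ifaces, global_pools = parse_config(config_text)
    table = {}
    for nat_id in (i for i in nat_ifaces if i != 0):
        for src in nat_ifaces[nat_id]:
            for egress, specs in global_pools[nat_id].items():
                if egress == src:
                    continue  # a global on the ingress interface serves the reverse direction
                nat_addrs, pat_addrs = [], []
                for spec in specs:
                    addrs, is_pat = expand_spec(spec)
                    (pat_addrs if is_pat else nat_addrs).extend(addrs)
                table[(src, egress)] = (len(nat_addrs), pat_addrs)
    return table

class XlateTable:
    """Pick order on one egress interface as the thread describes it: dynamic NAT
    addresses while any are free, then PAT. Ports counted from 1024 and the absence
    of xlate timeouts are simplifying assumptions of this model."""
    def __init__(self, specs):
        self.free_nat, self.pat = [], []
        for spec in specs:
            addrs, is_pat = expand_spec(spec)
            (self.pat if is_pat else self.free_nat).extend(addrs)
        self.entries, self.next_port = {}, 1024

    def translate(self, host):
        if host in self.entries:
            return self.entries[host]
        if self.free_nat:
            entry = (self.free_nat.pop(0), None)
        elif self.pat and self.next_port <= 65535:
            entry = (self.pat[0], self.next_port)
            self.next_port += 1
        else:
            return None  # nothing left: no xlate can be built, so the new flow is dropped
        self.entries[host] = entry
        return entry

def simulate(config_text, src, egress, n_hosts):
    """Push n_hosts distinct inside hosts through src -> egress; count NAT/PAT/dropped."""
    nat_ifaces, global_pools = parse_config(config_text)
    nat_id = next((i for i, ifs in nat_ifaces.items() if i != 0 and src in ifs), None)
    table = XlateTable(global_pools.get(nat_id, {}).get(egress, []))
    counts = {"nat": 0, "pat": 0, "dropped": 0}
    for n in range(n_hosts):
        entry = table.translate(f"10.0.{n // 256}.{n % 256}")  # constructed inside hosts
        counts["dropped" if entry is None else "nat" if entry[1] is None else "pat"] += 1
    return counts
```

Calling simulate(POSTED_CONFIG, "inside", "dmz1", 500) shows the complaint in the first post in numbers: the .20-.254 range holds 235 addresses, so the remaining 265 hosts get no translation at all. With FIXED_CONFIG the same 500 hosts are all translated, 234 by the range and 266 sharing 192.168.1.254 on distinct ports. pairings() also makes Darren's point visible: the same ID 1 produces a separate (source, egress) pair for every global line, so global (inside) 1 serves dmz1 -> inside traffic, not inside -> dmz1.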