Global on Pix

When you have a 'global' statement with a range of IPs listed, then when an inside host wants to connect to the outside, the PIX tries to find an available IP in the given range, and the inside host nis then given use of *all* of that IP for as long as it needs it, without any Port Address Translation. The next outgoing host will be allocated the next available IP in the range, and so on.

When there are no further IPs available for exclusive use, then the PIX will look to see if there are 'global' statements that specify a single IP instead of a range. If there are such statements, then [until an IP in the pool becomes available], outgoing connections are not allocated exclusive use of an IP: instead, Port Address Translation takes place, and the connection is granted use only of one port of that IP.

Often use of a single port is enough, but there are some cases when you really need the entire IP, such as if you are using protocols other than TCP, UDP, or ICMP (and even ICMP can get tricky.)

If you show xlate or show local-host you will find that the first two connections that happened to go out were allocated

209.178.198.252 and 209.178.198.253 respectively, and everything after that point was allocated a single port.

Many thanks for clarifying it to me. I hope you mean I can take out the first global (with IP range) without loss of performance.

Regards

No. Port Address Translation is slower than having an entire IP available for an inside host. However, if the number of inside hosts accessing the outside exceeds the number of hosts being allocated exclusive access to an IP (i.e., the number of IPs in the 'global' IP range), then the bulk of the work ends up being Port Address Translation anyhow, and you would probably find it difficult to measure the performance difference.