PIX 515 - to static map users or let XLATE deal with them?

Every once in a while we get issues with users on the inside trying to run apps that are not allowed and cause a flood of packets back into the network. All of which are blocked, but it still clogs up the line.

I was thinking of assigning users IP address reservations via DHCP on the inside and then mapping the inside to outside addresses in the PIX so I have a 1-to-1 relation between the inside and outside addresses. That way I can quickly figure out who's doing what.

Are there any issues with having lots of "static (inside,outside)" commands in the config? I might want to add 40?

Comments & Suggestions welcome.

Thanks, Scott

Scott Townsend

That should be okay, but if you don't need outside initiating to inside, you could consider nat 0 (with no access-list), or you could use static with a netmask, or you could use a "policy static" (a static with an access-list), or you could use separate nat/global policies for each. If you do use a static with a netmask, note that the PIX will consider the first and last implied addresses to be network base and broadcast addresses and will block traffic from those two addresses unless you specifically static them with a 255.255.255.255 netmask (and then it will whine about overlapping subnets but do the job).

We dealt with this sort of issue by the simple expedient of assigning everyone a fixed IP address; any host in our network that DHCP's is, by definition, misconfigured and so should not be allowed out.

Walter Roberson
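The four approaches mentioned in the reply above, written out as PIX 6.x configuration fragments. This is an added example, not configuration from either poster; the inside network 192.168.1.0/24, the outside block 203.0.113.0/24, the access-list name PSTAT and the nat/global id 2 are assumed values chosen for illustration.

```text
! --- Option 1: one static per host (the 1-to-1 mapping asked about).
!     Each inside DHCP reservation gets its own fixed outside address,
!     so an outside address in a log or a "show xlate" line identifies
!     exactly one user. Forty of these lines is fine; they are cheap.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255

! --- Option 2: one static with a network mask covers the whole range
!     (192.168.1.x <-> 203.0.113.x) in a single line.
static (inside,outside) 203.0.113.0 192.168.1.0 netmask 255.255.255.0
!     Caveat from the reply: the PIX treats the first and last implied
!     addresses (.0 and .255 here) as network and broadcast and drops
!     traffic from them. If a host really uses one of those, add an
!     explicit host static; the PIX warns about the overlap but honours it.
static (inside,outside) 203.0.113.255 192.168.1.255 netmask 255.255.255.255

! --- Option 3: nat 0 with no access-list. Identity translation, no
!     address change at all; only useful if the inside addresses are
!     routable from the outside, and still no outside-initiated access.
nat (inside) 0 192.168.1.0 255.255.255.0

! --- Option 4: "policy static", a static selected by an access-list,
!     so the mapping applies only to traffic matching the ACL.
access-list PSTAT permit ip host 192.168.1.20 any
static (inside,outside) 203.0.113.20 access-list PSTAT

! --- Option 5: separate nat/global pair per host (dynamic PAT/NAT, but
!     with a one-host pool so the outside address is still predictable).
nat (inside) 2 192.168.1.30 255.255.255.255
global (outside) 2 203.0.113.30

! --- Checking who is behind a given outside address once traffic flows:
show xlate
```

Only the host statics (option 1) and the network static (option 2) create the fixed inside-to-outside relationship the question is after; nat 0, the policy static and the per-host nat/global pair are alternatives if outside-initiated connections to the inside are not needed. Whichever you choose, the outside access-list that blocks the unwanted return traffic still has to match on the translated (outside) addresses, not the inside ones.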

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.