PIX Access-List

What would an access-list command look like to allow incoming https from a specific IP address going to all clients on the network?

Thanks,

Paul

dexteroc

Also... would it be a good idea to use the established command for incoming ports? All the connections that would be initiated would be started inside on my end.

Paul

dexteroc

So you would want HTTPS connections from the internet to be NAT'd to all workstations in your network?

Chad Mahoney

access-list <acl-name> permit tcp host <specific-ip> any eq https

No. Besides auth in response to smtp/irc/..., established is not needed.

That's not the way the Internet works.

Lutz Donnerhacke

access-list <acl-name> permit tcp host x.x.x.x any eq https

Please note that this is only the ACL; you will still need to create static entries for NAT translations to all hosts you want to NAT for this situation.

If you have a substantial list of hosts, you could use object-groups or use bi-directional NAT statements and a clearly defined nat ACL.

If the connections are established from the inside, there is no need to open 443 (HTTPS) at all. By default, the PIX permits all outbound connections, and blocks all incoming (if initiated from the outside).

If you initiate from the inside, the PIX has a function called the ASA (Adaptive Security Algorithm) which makes a stateful connection ensuring responses to connections established from the inside are permitted back in. For instance, you could have an inbound ACL which denied everything, and connections originating from the inside would permit the return traffic.

The only thing that would need to be configured on a new PIX to permit outbound connections would be to set up global NAT settings.

Ryan

rdymek
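Putting the pieces from this thread together, here is an added PIX 6.x configuration example (not posted by anyone in the thread): the outbound NAT that lets inside-initiated sessions work on their own, plus the static translations, object-group, ACL and access-group binding that inbound HTTPS from one trusted source requires. All addresses are constructed RFC 5737 documentation values, and the names outside_in and https_servers are assumed.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Addresses are constructed documentation values; the names
! outside_in and https_servers are assumed.

! Outbound: inside hosts may initiate anything. The ASA keeps the
! connection state and lets the replies back in, so sessions started
! from the inside need no inbound 443 rule at all.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound HTTPS: each inside host that must be reachable needs a
! static translation, otherwise the ACL has nothing to deliver to.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255

! Group the translated (global) addresses. On PIX 6.x an inbound ACL
! is matched against the global address, not the inside address.
object-group network https_servers
 network-object host 203.0.113.10
 network-object host 203.0.113.11

! Permit only the one trusted source, only TCP/443, only to the
! grouped hosts (narrower than the "any" destination used above).
! Everything else from the outside falls to the implicit deny.
access-list outside_in permit tcp host 198.51.100.5 object-group https_servers eq https

! Bind the ACL inbound on the outside interface.
access-group outside_in in interface outside
```

After applying it, show xlate confirms the static translations exist and show conn shows the stateful entries the ASA is tracking for sessions in either direction.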
