PIX & Global Address Pools

Hi, I have a PIX in my network. It is used to pass HTTP & HTTPS traffic through to a Proxy server in the DMZ (running Squid) for Internet access. My understanding is that the Global Address Pool is used to perform NAT on the inside interfaces. I am finding that the pool of addresses is insufficient for the number of users I have on the inside. I have about 500+ users on various subnets on the inside, but my pool for the DMZ is

192.168.1.20-192.168.1.254

The translation rule on the inside is:

Original inside: any / 0.0.0.0
Translated dmz1: 192.168.1.20-192.168.1.254

Is there any way to increase this or is there a better way to handle this within the PIX?

Cheers, Scott

Reply to
Scooty

Hello,

nat (inside) 1 0 0

global (outside) 1 192.168.1.20-192.168.1.253
global (outside) 1 192.168.1.254

or, as you said, it's the dmz interface:

global (dmz) 1 192.168.1.20-192.168.1.253
global (dmz) 1 192.168.1.254

So you have both NAT and PAT configured; once the NAT addresses are used up it would start using the PAT on 192.168.1.254, which can handle up to 65535 connections.

Hope this link is of some help.
Thanks

Reply to
networkzman

This is what I have; as you can see, the Global NAT Outside is using a real IP:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.59.123.43
global (inside) 1 192.168.100.200-192.168.100.220 netmask 255.255.255.0
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

Will it still work as you have outlined?

Scott

Reply to
Scooty


Your NAT ID will tie up with your Global ID.

e.g. nat (inside) 1 0.0.0.0 0.0.0.0 0 0

+

global (outside) 1 IP-ADDRESS

are linked together by the NAT / Global ID of 1.

You can substitute IP-ADDRESS with a single IP address (=PAT), the word 'interface' (=PAT) or a range of addresses, as well as other options.

Similarly, hosts on the DMZ would be able to use their NAT ID, in your example nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0, to talk outbound to the Internet using a matching global statement with the same ID.

If you have inside users talking to a proxy on the DMZ and lack addresses, PAT the IPs to a single IP address (the DMZ interface) as traffic flows from the inside of the firewall onto the DMZ. The Proxy will then open up a connection to the Internet using its own NAT & Global ID pairing.

e.g. Examples, not the way I am suggesting you do it, but just an explanation:

nat (inside) 1 0 0
global (dmz1) 1 interface

is the same as writing: PAT any source address on the inside interface to the dmz1 interface address as the packet goes through the firewall.

nat (dmz1) 1 0 0
global (outside) 1 interface

is as above, but you are NATing all traffic from your DMZ1 hosts to the outside interface. It is unlikely that you will want to PAT all addresses, so look up other examples, say static NAT, policy NAT etc.

Also read more examples of NATing and PATing between 2-interface and 3-interface firewalls etc. Cisco will have lots of WWW pages on this. You can then determine how you want to set up your NAT and Global ID pairs.

Regards

Darren

Reply to
Darren
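As an added illustration of the two answers above (networkzman's pool-then-PAT fallback and Darren's nat/global ID pairing), here is a small Python model. It is not part of the thread and not a Cisco tool; it parses the nat/global lines Scott posted (transcribed here as constructed sample input) plus the pool-plus-PAT variant suggested for dmz1, lists which egress interfaces each nat ID pairs with, and walks 500 inside hosts through the dmz1 translation. The allocation order (pool addresses first, then a single-address PAT with the same ID) and the one-host-per-pool-address accounting are simplifying assumptions of this model. With them, the 235-address pool 192.168.1.20-254 is used up after 235 hosts; Scott's current config leaves no PAT address in the same ID, so the remaining hosts get no translation, whereas reserving .254 for PAT covers all of them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, transcribed from the thread (not captured from a
# live PIX): Scott's posted nat/global lines, one command per line, and the
# pool-plus-single-address variant networkzman suggested for dmz1.
CURRENT_CFG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.59.123.43
global (inside) 1 192.168.100.200-192.168.100.220 netmask 255.255.255.0
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
"""

SUGGESTED_CFG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz1) 1 192.168.1.20-192.168.1.253
global (dmz1) 1 192.168.1.254
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


@dataclass
class GlobalEntry:
    iface: str            # egress interface the global applies to
    nat_id: int           # the ID that links it to nat statements
    addresses: List[str]  # expanded one-to-one pool (empty for PAT entries)
    is_pat: bool          # single address or the 'interface' keyword


def expand_range(spec: str) -> List[str]:
    """Expand 'a.b.c.d-a.b.c.e' into the inclusive list of addresses."""
    lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def parse_config(cfg: str) -> Tuple[List[Tuple[str, int]], List[GlobalEntry]]:
    """Return (nat statements as (interface, id), global entries)."""
    nats: List[Tuple[str, int]] = []
    globals_: List[GlobalEntry] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2))))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, spec = m.group(1), int(m.group(2)), m.group(3)
            if "-" in spec:   # address range: one-to-one dynamic NAT pool
                globals_.append(GlobalEntry(iface, nat_id, expand_range(spec), False))
            else:             # single address or 'interface': PAT
                globals_.append(GlobalEntry(iface, nat_id, [], True))
    return nats, globals_


def pairings(cfg: str) -> Dict[Tuple[str, int], List[str]]:
    """Darren's point: nat and global statements are linked only by their ID.
    For each (source interface, id), list the egress interfaces carrying a
    global with that id.  nat 0 (identity / exemption) never needs a global."""
    nats, globals_ = parse_config(cfg)
    return {
        (iface, nat_id): [g.iface for g in globals_ if g.nat_id == nat_id and g.iface != iface]
        for iface, nat_id in nats
    }


def simulate(cfg: str, src_iface: str, nat_id: int, egress: str, hosts: int) -> Dict[str, int]:
    """Hand a translation to each of `hosts` hosts leaving src_iface via egress,
    in the order networkzman describes (assumed here): pool addresses first,
    then the PAT address with the same ID once the pool is exhausted, else failure."""
    nats, globals_ = parse_config(cfg)
    if (src_iface, nat_id) not in nats:
        raise ValueError(f"no 'nat ({src_iface}) {nat_id}' statement in config")
    matching = [g for g in globals_ if g.iface == egress and g.nat_id == nat_id]
    pool_size = sum(len(g.addresses) for g in matching if not g.is_pat)
    has_pat = any(g.is_pat for g in matching)
    counts = {"pool_size": pool_size, "pool_used": 0, "pat_used": 0, "failed": 0}
    for _ in range(hosts):
        if counts["pool_used"] < pool_size:
            counts["pool_used"] += 1   # one-to-one xlate from the pool
        elif has_pat:
            counts["pat_used"] += 1    # many-to-one on the PAT address
        else:
            counts["failed"] += 1      # pool empty and no PAT fallback
    return counts


if __name__ == "__main__":
    print("ID pairings in the posted config:", pairings(CURRENT_CFG))
    for name, cfg in (("current", CURRENT_CFG), ("suggested", SUGGESTED_CFG)):
        print(f"{name}: 500 inside hosts -> dmz1:", simulate(cfg, "inside", 1, "dmz1", 500))
```

Running it prints the pairing of nat ID 1 with the outside and dmz1 globals, then the two allocation results: the current config reports 265 failed translations for 500 hosts, the suggested one reports 234 pool addresses used and 266 hosts on the PAT address.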

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.