Hi, I have a PIX in my network. It is used to pass HTTP & HTTPS traffic through to a proxy server in the DMZ (running Squid) for Internet access. My understanding is that the Global Address Pool is used to perform NAT on the inside interfaces. I am finding that the pool of addresses is insufficient for the number of users I have on the inside. I have about 500+ users on various subnets on the inside, but my pool for the DMZ is 192.168.1.20-192.168.1.254. The translation rule on the inside is:
Original: inside / any (0.0.0.0)
Translated: dmz1 / 192.168.1.20-192.168.1.254
Is there any way to increase this or is there a better way to handle this within the PIX?
You can substitute the IP address with a single IP address (= PAT), the word 'interface' (= PAT) or a range of addresses, as well as other options.
Similarly, hosts on the DMZ would be able to use their NAT ID, in your example nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0, to talk outbound to the Internet using a matching global statement with the same ID.
If you have inside users talking to a proxy on the DMZ and a lack of addresses, PAT the IPs to a single IP address (the DMZ interface) when traffic flows from the inside of the firewall onto the DMZ. The proxy will then open up a connection to the Internet using its NAT & global ID pairing.
E.g. examples, not the way I am suggesting you do it, but just an explanation:
nat (inside) 1 0 0
global (dmz1) 1 interface
is the same as saying: PAT any source address on the inside interface to the dmz1 interface address as the packet goes through the firewall.
nat (dmz1) 1 0 0
global (outside) 1 interface
is as above, but you are NATing all traffic from your dmz1 hosts to the outside interface. It is unlikely that you will want to PAT all addresses, so look up other examples, say, static NAT, policy NAT, etc.
Also read more examples of NATing and PATing between 2-interface and 3-interface firewalls, etc. Cisco will have lots of web pages on this. You can then determine how you want to set up your NAT and global ID pairs.
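As an added worked example (not from the original post or the poster's own configuration), the two ways of fixing the exhausted pool written out in PIX 6.x syntax. It assumes the interface names inside/dmz1/outside and the 192.168.1.20-192.168.1.254 pool from the question, that 192.168.1.0/24 is the DMZ segment, and that 192.168.1.10 is an unused DMZ address picked here for the overflow PAT; the dmz1 interface address itself is whatever is configured on the box.

```cisco
! Constructed example for a 3-interface PIX (inside, dmz1, outside).
! Interface names and the DMZ pool come from the question; everything else is assumed.

! --- Starting point: the pool that runs out at ~235 addresses for 500+ users ---
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

! --- Option A: drop the pool and PAT everything to the dmz1 interface address ---
! One address, ~64k ports, so 500+ users fit easily.
no global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
global (dmz1) 1 interface

! --- Option B: keep the pool, add a single PAT address under the same ID ---
! The PIX hands out pool addresses first and falls back to PAT only when the
! pool is empty. 192.168.1.10 is an assumed free address on the DMZ segment.
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
global (dmz1) 1 192.168.1.10 netmask 255.255.255.0

! --- DMZ hosts (the Squid proxy) going out to the Internet: same NAT ID, outside global ---
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! A changed global statement does not touch translations already in the table;
! clear them so new flows pick up the new mapping (this drops active sessions).
clear xlate

! Verify: every inside flow should now show a dmz1-side address from the new global,
! and the global list should show the pool/PAT pairing you intended.
show xlate
show global
```

Two caveats worth checking before choosing. With either option the Squid access log sees the PAT address (the dmz1 interface or 192.168.1.10) instead of the real inside host for every PATed flow, so per-user accountability has to come from proxy authentication or the PIX's own syslog of xlate builds, not from the Squid client IP. And `clear xlate` is a global reset; schedule it, or clear only the affected entries with `clear xlate global <address>` if the platform supports that form.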
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.