PIX global pool

Apr 3rd, 2007

Network readdress project requires PIX changes. We provide internet access for company w/in our campus (3rd party connect). Currently 3rd party is config'd as "DMZ" on PIX 525.

We provide "network management" to the 3rd party by helping their admin do troubleshooting.

inside: (existing range)

inside: (new range)

outside (3rd party):

200 hosts on 3rd party network coming thru firewall

Is one-to-one NAT the best approach for ease of troubleshooting their connections thru the fw?


Is it best to assign a "global pool" of inside addresses ( to the fw which, when a client on outside connects to internet, etc, would get a 10.50.1.x address?

Is there a config out there which could help illustrate what I'm trying to accomplish?

Thanks for any info.

abinjola Tue, 04/03/2007 - 09:02
User Badges: Cisco Employee

Well, does the client just need inbound access or outbound or both?

Secondly, how many clients are there in total?

tsrader Tue, 04/03/2007 - 09:25

Thanks for your reply.

Total clients: 200

Firewall provides client with internet / server resources (on our side) primarily. Client also has remote users which access their systems in their network...so....

Client req's BOTH inbound and outbound access

abinjola Tue, 04/03/2007 - 09:37
User Badges: Cisco Employee

200 different clients behind the FW... and they need access from the outside world, right? You need to make static xlate rules if the above is the case.

tsrader Tue, 04/03/2007 - 10:02

Correct on static xlates, although access from "outside world" will only be to 10 servers. The rest of the connections will be from client network TO outside world.

Assuming IP allocation is /24.

Allocate 10 IPs for static xlate

Other 244 are available

Is this the correct command to permit client access:

global (outside) 1 netmask

nat (inside) 1 0 0

abinjola Tue, 04/03/2007 - 10:28
User Badges: Cisco Employee

For outbound access use the PAT IP:

nat (inside) 1 0 0

global (outside) 1 interface
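
The design the thread arrives at (static xlates for the 10 servers, PAT on the outside interface for every other client host), written out as an added example that is not from either poster. Interface names follow the last posts; every address, the ACL name `outside_in` and the permitted ports are constructed placeholders, because the thread's own ranges are not shown.

```cisco
! Constructed placeholders (not from the thread):
!   client network behind the PIX : 192.168.50.0/24
!   mapped (outside) block        : 198.51.100.0/24
!
! --- Outbound: all client hosts share the outside interface address (PAT) ---
! Scoped to the client subnet; the thread's "nat (inside) 1 0 0" matches
! any inside source instead.
nat (inside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! --- Inbound: one static xlate per published server ---
! Syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
! A host with a static uses it in both directions, so these servers do
! not fall through to the PAT rule above.
static (inside,outside) 198.51.100.11 192.168.50.11 netmask 255.255.255.255
static (inside,outside) 198.51.100.12 192.168.50.12 netmask 255.255.255.255
! ... repeat for the remaining published servers ...
!
! --- A static alone does not admit traffic ---
! Inbound connections still need an ACL on the outside interface. Permit
! only the service each server publishes, addressed to the MAPPED IP.
! The ports here are assumed for illustration.
access-list outside_in permit tcp any host 198.51.100.11 eq 443
access-list outside_in permit tcp any host 198.51.100.12 eq 25
access-group outside_in in interface outside
```

For troubleshooting, `show xlate` lists the active translations: statically mapped servers keep a fixed outside address, while PAT hosts share one address and are told apart only by translated port.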

