PIX global pool

Apr 3rd, 2007

Network readdress project requires PIX changes. We provide internet access for company w/in our campus (3rd party connect). Currently 3rd party is config'd as "DMZ" on PIX 525.


We provide "network management" to the 3rd party by helping their admin do troubleshooting.


inside: 10.1.1.1 (existing range)

inside: 10.50.1.1 (new range)

outside (3rd party): 172.16.1.1

200 hosts on 3rd party network coming thru firewall


is one-to-one nat the best approach for ease of troubleshooting their connections thru the fw?


OR


is it best to assign a "global pool" of inside addresses (10.50.1.1) to the fw which, when client on outside connects to internet, etc, would get a 10.50.1.x address?


is there a config out there which could help illustrate what i'm trying to accomplish?


thanks for any info.

abinjola (Cisco Employee) Tue, 04/03/2007 - 09:02

well does the client just need inbound access or outbound or both?


Secondly how many clients are there in total ?

tsrader Tue, 04/03/2007 - 09:25

Thanks for your reply.


Total clients: 200


Firewall provides client with internet / server resources (on our side) primarily. Client also has remote users which access their systems in their network...so....


client req's BOTH inbound and outbound access

abinjola (Cisco Employee) Tue, 04/03/2007 - 09:37

200 different clients behind the FW...and they need access from outside world..right..?..you need to make static xlate rules ..if above is the case.

tsrader Tue, 04/03/2007 - 10:02

Correct on static xlates although access from "outside world" will only be to 10 servers. The rest of the connections will be from client network TO outside world.


Assuming ip allocation is 10.50.1.0 /24.

allocate 10 ip's for static xlate

other 244 are available


Is this the correct command to permit client access:


global (outside) 1 10.50.1.0 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

abinjola (Cisco Employee) Tue, 04/03/2007 - 10:28

for outbound access use the PAT IP :-


nat (inside) 1 0 0


global (outside) 1 interface

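The two approaches discussed in this thread side by side, as an added PIX 6.x configuration example (not posted by either participant). It assumes the client hosts 172.16.1.0/24 sit behind the interface the thread calls "inside", that 10.50.1.0/24 is the translated range on "outside", and that the server address and ports are placeholders.

```cisco
! Added example, not from the thread. Assumed addressing: client hosts
! 172.16.1.0/24 behind "inside", translated range 10.50.1.0/24 on "outside".
! The first 10 addresses of 10.50.1.0/24 are reserved for the static xlates,
! the remaining 244 form the dynamic pool, as the original poster proposed.

! Option A: dynamic one-to-one pool. Each active client host is given its own
! 10.50.1.x address for the life of its xlate, so syslog and "show xlate" tie
! every translated address to exactly one host, which is what makes per-host
! troubleshooting straightforward. The pool must be at least as large as the
! number of hosts that can be active at the same time (200 here).
global (outside) 1 10.50.1.11-10.50.1.254 netmask 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0 0 0

! Option B: PAT on the outside interface address (the reply's suggestion).
! All 200 hosts share one address; attributing a connection to a host then
! requires the translated source port from the xlate or syslog record, not
! just the address. Adding this line alongside Option A with the same NAT id
! makes PAT the fallback once the pool is exhausted.
! global (outside) 1 interface

! Static one-to-one translations for the 10 servers that must be reachable
! from outside. One shown; repeat per server (addresses are placeholders).
static (inside,outside) 10.50.1.1 172.16.1.10 netmask 255.255.255.255 0 0

! Traffic arriving on the lower-security interface is denied unless permitted.
! Permit only the services those servers actually offer, to the translated
! (global) address; ports 80/443 are placeholders.
access-list outside_in permit tcp any host 10.50.1.1 eq 80
access-list outside_in permit tcp any host 10.50.1.1 eq 443
access-group outside_in in interface outside

! Verification while troubleshooting a client connection:
! show xlate          - which host holds which translation
! show nat            - NAT rules in effect
! show access-list    - hit counts on the inbound permits
```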