PIX global pool

Unanswered Question
Apr 3rd, 2007

Network readdress project requires PIX changes. We provide internet access for a company within our campus (3rd-party connection). Currently the 3rd party is configured as a "DMZ" on a PIX 525.

We provide "network management" to the 3rd party by helping their admin do troubleshooting.

inside: 10.1.1.1 (existing range)

inside: 10.50.1.1 (new range)

outside (3rd party): 172.16.1.1

200 hosts on 3rd party network coming thru firewall

Is one-to-one NAT the best approach for ease of troubleshooting their connections through the FW?

OR

Is it best to assign a "global pool" of inside addresses (10.50.1.1) to the FW so that, when a client on the outside connects to the internet, etc., it would get a 10.50.1.x address?

Is there a config out there which could help illustrate what I'm trying to accomplish?

thanks for any info.

abinjola Tue, 04/03/2007 - 09:02

Well, does the client just need inbound access, or outbound, or both?

Secondly, how many clients are there in total?

tsrader Tue, 04/03/2007 - 09:25

Thanks for your reply.

Total clients: 200

Firewall provides the client with internet / server resources (on our side) primarily. The client also has remote users which access their systems in their network... so...

the client requires BOTH inbound and outbound access.

abinjola Tue, 04/03/2007 - 09:37

200 different clients behind the FW, and they need access from the outside world, right? You need to make static xlate rules if that is the case.

tsrader Tue, 04/03/2007 - 10:02

Correct on static xlates, although access from the "outside world" will only be to 10 servers. The rest of the connections will be from the client network TO the outside world.

Assuming the IP allocation is 10.50.1.0/24:

allocate 10 IPs for static xlates

the other 244 are available

Is this the correct command to permit client access:

global (outside) 1 10.50.1.11-10.50.1.254 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

abinjola Tue, 04/03/2007 - 10:28

For outbound access use the PAT IP:

nat (inside) 1 0 0

global (outside) 1 interface
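The thread ends without a complete configuration, so here is one as an added example; it is not posted by either participant and not taken from the poster's PIX. It assumes PIX 6.3 syntax (the nat/global/static lines are accepted unchanged by 7.x), three interfaces named outside (Internet), inside (campus) and dmz (the 3rd party on 172.16.1.0/24), and hypothetical addresses: 203.0.113.x stands in for the public block, 10.1.1.20 for a campus server. It shows the two options the question weighs side by side, the dynamic 10.50.1.x pool versus a one-to-one net static, plus the PAT for Internet-bound traffic from the last reply and static translations for the 10 published servers. One caveat the thread does not state: on a PIX, plain nat/global only translates flows from a higher- to a lower-security interface, so translating 3rd-party hosts as they reach the campus needs either outside NAT (the trailing "outside" keyword, PIX 6.2 and later) or a static.

```cisco
: Added example (not from the thread). Assumes PIX 6.3 syntax, three interfaces,
: the Internet on "outside", the campus on "inside" and the 3rd party on "dmz".
: Lines beginning with ":" are comments in a PIX 6.x configuration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
: (the outside address is not given in the thread and is omitted here)

: --- Option A: dynamic "global pool". 3rd-party hosts (dmz, security 50)
: reaching the campus (inside, security 100) are translated to
: 10.50.1.11-10.50.1.254. Because the flow goes from a lower- to a
: higher-security interface this is outside NAT (PIX 6.2 and later):
: note the trailing "outside" keyword on the nat line.
nat (dmz) 2 172.16.1.0 255.255.255.0 outside
global (inside) 2 10.50.1.11-10.50.1.254 netmask 255.255.255.0

: --- Option B: one-to-one. Each 172.16.1.x host always appears as the
: matching 10.50.1.x, so an entry in "show xlate" / "show conn" maps
: straight back to one client machine. A net static covers all of them
: in one line. Use A or B for a given source range, not both; statics win.
: static (dmz,inside) 10.50.1.0 172.16.1.0 netmask 255.255.255.0

: --- Outbound to the Internet: PAT on the outside interface address, as
: in the last reply. The same nat id can serve both inside and dmz.
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface

: --- The 10 servers that must be reachable from the Internet get fixed
: static translations (203.0.113.x is documentation address space,
: standing in for the real public block; hypothetical).
static (dmz,outside) 203.0.113.11 172.16.1.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 172.16.1.12 netmask 255.255.255.255
: ... one static per server, 10 in total

: Nothing enters from outside until an access-list permits it: open only
: the published servers and only the ports they serve (HTTPS here).
access-list outside_in permit tcp any host 203.0.113.11 eq 443
access-list outside_in permit tcp any host 203.0.113.12 eq 443
access-group outside_in in interface outside

: --- Campus resources the 3rd party may use. A lower-security host can
: only reach a higher-security one that has a translation visible on
: its interface; an identity static keeps the campus addresses unchanged.
: 10.1.1.20 is a hypothetical file server. Once an ACL is bound to dmz it
: governs all traffic entering there, so Internet-bound flows must stay
: permitted while the rest of the campus is explicitly denied first.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list dmz_in permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.20 eq 445
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Two practical points when applying something like this: the mapped 10.50.1.x addresses must not overlap hosts actually in use on the inside segment, and if that block is not the inside interface's own subnet the campus routers need a route for it pointing at the PIX; and after changing nat, global or static lines, run "clear xlate" so that existing translations are rebuilt under the new rules before you start troubleshooting with "show xlate".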
