PIX global pool

tsrader · ‎04-03-2007

Network readdress project requires PIX changes. We provide internet access for company w/in our campus (3rd party connect). Currently 3rd party is config'd as "DMZ" on PIX 525.

We provide "network management" to the 3rd party by helping their admin do troubleshooting.

inside: 10.1.1.1 (existing range)

inside: 10.50.1.1 (new range)

outside (3rd party): 172.16.1.1

200 hosts on 3rd party network coming thru firewall

is one-to-one nat the best approach for ease of troubleshooting their connections thru the fw?

OR

is it best to assign a "global pool" of inside addresses (10.50.1.1) to the fw which, when client on outside connects to internet, etc, would get a 10.50.1.x address?

is there a config out there which could help illustrate what i'm trying to acccomplish?

thanks for any info.

abinjola · ‎04-03-2007

well does the client just needs inbound access or outbound or both?

Secondly how many clients are there in total ?

tsrader · ‎04-03-2007

Thanks for your reply.

Total clients: 200

Firewall provides client with internet / server reources (on our side) primarily. Client also has remote users which access their systems in their network...so....

client req's BOTH inbound and outbound access

abinjola · ‎04-03-2007

200 different clients behind the FW...and they needs access from outside world..right..?..you need to make a static xlate rules ..if above is this case.

tsrader · ‎04-03-2007

Correct on static xlates although access from "outside world" will only be to 10 servers. The rest of connections will from client network TO outside world.

Assuming ip allocation is 10.50.1.0 /24.

allocate 10 ip's for static xlate

other 244 are available

Is this correct commmand to permit client access:

global (outside) 1 10.50.1.0 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

abinjola · ‎04-03-2007

for outbound access use the PAT IP :-

nat (inside) 1 0 0

global (outside) 1 interface