I am fairly new to the PIX 501 and so this is the first time I have run up against this type of issue. I have installed a PIX 501 for a client with a small network. The firewall has the 10-user license. Not long after that they had an issue where a user could not connect to the Internet. Near as I could tell this was because of the licensing limitation on the router.
However it's not clear how the ten xlate connections were used up, because their network only has eight computers and one server which communicate through the firewall. They do have a wireless access point, which could cause the number of connections to go over ten.
It also seemed that the server was taking up two licenses because it has both a physical network adapter and a virtual network adapter created by the VPN service (Windows RRAS).
We were able to resolve the issue by shortening the xlate timeout to 15 minutes, removing the wireless access point and disabling the virtual network adapter.
Now my question is:
How do we configure the network so that the virtual network adapter on the server does not make connections through the firewall?
Thanks for any assistance you can provide.
It is possible to make your server's virtual IP not use the global interface for NAT.
Your firewall probably NATs all inside hosts via the outside interface as follows.
global (outside) 1 interface
nat (inside) 1 0 0
The above means all hosts behind the firewall will be using the global interface for outbound Internet connections. OK, so far this is understandable and the general configuration for your inside folks connecting to the Internet.
Now if you want one system IP address not to use the global, then make it a no-NAT host in the firewall.
You can do it like this.
Create a host location and create a no-NAT statement. Say your server's virtual IP is 10.20.20.20:
pdm location 10.20.20.20 255.255.255.255 inside
nat (inside) 0 10.20.20.20 255.255.255.255
0 means no NAT, unlike nat inside 1, which is different, using the outside interface for outbound NAT.
After you implement the above statements, your system's virtual adapter IP will not use the global outside interface nor have any Internet connection.
PLS rate any helpful posts
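Added example, not part of the original thread: a small Python helper for finding which inside addresses are holding translation slots, by counting distinct Local addresses in pasted `show xlate` output and flagging any that are not in the site inventory. The sample text is constructed, its layout is assumed to match what the PIX prints, the inventory addresses are hypothetical, and the limit is assumed to be counted per distinct inside address as the question describes.

```python
import re
from collections import Counter

# Constructed sample, laid out like PIX `show xlate` output (assumed format).
SAMPLE_XLATE = """\
5 in use, 11 most used
PAT Global 203.0.113.2(1024) Local 192.168.1.10(1031)
PAT Global 203.0.113.2(1025) Local 192.168.1.10(1032)
PAT Global 203.0.113.2(1026) Local 192.168.1.11(4021)
PAT Global 203.0.113.2(1027) Local 192.168.1.50(1190)
Global 10.20.20.20 Local 10.20.20.20
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches both static ("Global a Local b") and PAT ("PAT Global a(p) Local b(p)") lines.
XLATE_RE = re.compile(
    rf"^(?:PAT\s+)?Global\s+{IPV4}(?:\(\d+\))?\s+Local\s+(?P<local>{IPV4})(?:\(\d+\))?"
)


def hosts_from_xlate(text):
    """Return a Counter mapping each inside (Local) address to its xlate count."""
    hosts = Counter()
    for line in text.splitlines():
        match = XLATE_RE.match(line.strip())
        if match:  # the "N in use" header and blank lines are skipped
            hosts[match.group("local")] += 1
    return hosts


def license_report(text, limit=10, known=()):
    """Summarise distinct inside hosts against the user limit and an inventory."""
    hosts = hosts_from_xlate(text)
    return {
        "distinct_hosts": len(hosts),
        "over_limit": len(hosts) > limit,
        # Addresses seen in the table but absent from the inventory, e.g. a
        # wireless client or a server's second (virtual) adapter.
        "unexpected": sorted(set(hosts) - set(known)),
    }


if __name__ == "__main__":
    inventory = {"192.168.1.10", "192.168.1.11"}  # hypothetical known hosts
    print(license_report(SAMPLE_XLATE, limit=10, known=inventory))
```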