Solved: Re: pix as proxy ?

ramesh.krishnan · ‎05-27-2003

I have a cisco pix 501 firewall and have a network of around 160 nodes. I have a proxy server also with which I connect the LAN to the internet and i use the firewall to have servers behind with Live IPs mapped to them. Now what I want is that if i give the default gateway as the pix on my network the traffic should go to the internet as it originates from pix. in other words i want to use my pix as a proxy also. is this possible ?

Thanks in advance.

Ramesh

mhoda · ‎05-27-2003

Ramesh,

As previous posts mentioned, PIX cannot act as a proxy server, it can act as a NAT device that is to hide the private addresses. There is a substle difference between the proxy and the hiding the addresses. Basically doing the same thing execept the way of implementation. You might want to do port redirection if you just want to use a single ip address and hide the rest of addresses. In that way, you just need to share a single ip address and it can be PIX outside interface ip address. Thanks,

Mynul

View solution in original post

tvanginneken · ‎05-27-2003

If I understand you correctly, you want to hide the devices on your LAN behind the outside IP address of the PIX?

If this is what you mean, you can use the 'nat' and 'global' commands:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

ps this is not really called proxying, but just NAT (network address translation)

Kind Regards,

Tom

sampathsr · ‎05-27-2003

By design, PIX falls under the category of 'Stateful Inspection packet filters'. The proxy you are referring to, is the second category of firewalls, called 'Application Proxies'. (Examples: Gauntlet from Network Associates), Symantec Raptor -Enterprise firewall). The final and third category of firewalls are the 'Packet Filters'. (Examples: Cisco IOS routers).

Hope this helps, in further clarifying what Tom has mentioned...

Best regards / Sampath.

Srengarajan@att.com

mhoda · ‎05-27-2003

Ramesh,

As previous posts mentioned, PIX cannot act as a proxy server, it can act as a NAT device that is to hide the private addresses. There is a substle difference between the proxy and the hiding the addresses. Basically doing the same thing execept the way of implementation. You might want to do port redirection if you just want to use a single ip address and hide the rest of addresses. In that way, you just need to share a single ip address and it can be PIX outside interface ip address. Thanks,

Mynul

ramesh.krishnan · ‎05-29-2003

hi mynul,

Thanks for the info.

Ramesh

a_abhijit · ‎05-30-2003

Hi Ramesh,

I think understand your question exactly. I will try to answer you...

Pix can be used as a proxy server as the documentation says it can act as "cut through proxy" by just poinnting the default gateway to PIX and removing the browser settings but I would still recommend you not doing it because you loose on the caching and pre- caching of the visited sites which is supported in other proxy servers like squid proxy which significantly improves the internet response.

Secondly, even if you point to PIX as a default gateway with Nating enabled you can still continue using your older proxy server by configuring your browser connection setting to use it but doing so you will achieve everything as far as NATing and Cacheing is concerned.

It is possible to use in both ways but you have to seee the merits of using it..I strongly recommend you not to use PIX as a proxy as it may increase your internet traffic due to loss of caching.

-Abhi