05-27-2003 03:12 AM - edited 02-20-2020 10:45 PM
I have a Cisco PIX 501 firewall and have a network of around 160 nodes. I also have a proxy server with which I connect the LAN to the internet, and I use the firewall to have servers behind it with live IPs mapped to them. Now what I want is that if I give the default gateway as the PIX on my network, the traffic should go to the internet as if it originates from the PIX. In other words, I want to use my PIX as a proxy also. Is this possible?
Thanks in advance.
Ramesh
05-27-2003 04:47 AM
If I understand you correctly, you want to hide the devices on your LAN behind the outside IP address of the PIX?
If this is what you mean, you can use the 'nat' and 'global' commands:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
PS: this is not really called proxying, but just NAT (network address translation).
Kind Regards,
Tom
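What the two commands above amount to, as an added example that is not part of the original post or of any Cisco code: a simplified Python model of dynamic PAT with a state check on replies. The class name `PatTable`, the starting port and all addresses are constructed for illustration.

```python
import ipaddress

class PatTable:
    """Simplified model of dynamic PAT (hypothetical class, not PIX internals)."""

    def __init__(self, outside_ip, inside_net="0.0.0.0/0", first_port=1024):
        self.outside_ip = outside_ip                         # global (outside) 1 interface
        self.inside_net = ipaddress.ip_network(inside_net)   # nat (inside) 1 0.0.0.0 0.0.0.0
        self.next_port = first_port                          # assumed start of the port pool
        self.xlate = {}     # (proto, inside_ip, inside_port) -> mapped outside port
        self.reverse = {}   # (proto, mapped_port) -> (inside_ip, inside_port)
        self.conns = set()  # (proto, mapped_port, remote_ip, remote_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite only the source of an inside-to-outside packet."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None                                      # no nat rule matches
        key = (proto, src_ip, src_port)
        if key not in self.xlate:
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            self.xlate[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        mapped = self.xlate[key]
        self.conns.add((proto, mapped, dst_ip, dst_port))    # state for the reply
        return (self.outside_ip, mapped, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Reverse-translate a reply; packets without matching state are dropped."""
        if (proto, dst_port, src_ip, src_port) not in self.conns:
            return None
        return self.reverse[(proto, dst_port)]

def demo():
    # Constructed addresses from private and documentation ranges.
    pat = PatTable(outside_ip="203.0.113.5")
    a = pat.outbound("tcp", "192.168.1.10", 40000, "198.51.100.80", 80)
    b = pat.outbound("tcp", "192.168.1.11", 40000, "198.51.100.80", 80)
    reply = pat.inbound("tcp", "198.51.100.80", 80, b[1])
    unsolicited = pat.inbound("tcp", "198.51.100.99", 4444, b[1])
    return a, b, reply, unsolicited

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both inside hosts leave with the same outside address and different source ports, and the connection still runs end to end between client and server, which is the difference from an application proxy that terminates the client connection and opens its own.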
05-27-2003 06:28 AM
By design, PIX falls under the category of 'Stateful Inspection packet filters'. The proxy you are referring to is the second category of firewalls, called 'Application Proxies' (examples: Gauntlet from Network Associates, Symantec Raptor Enterprise Firewall). The third and final category of firewalls is the 'Packet Filters' (examples: Cisco IOS routers).
Hope this helps, in further clarifying what Tom has mentioned...
Best regards / Sampath.
05-27-2003 06:50 AM
Ramesh,
As previous posts mentioned, PIX cannot act as a proxy server; it can act as a NAT device, that is, to hide the private addresses. There is a subtle difference between the proxy and hiding the addresses. They basically do the same thing except for the way of implementation. You might want to do port redirection if you just want to use a single IP address and hide the rest of the addresses. In that way, you just need to share a single IP address, and it can be the PIX outside interface IP address.
Thanks,
Mynul
05-29-2003 10:16 PM
Hi Mynul,
Thanks for the info.
Ramesh
05-30-2003 02:37 AM
Hi Ramesh,
I think I understand your question exactly. I will try to answer you...
PIX can be used as a proxy server, as the documentation says it can act as a "cut through proxy", by just pointing the default gateway to the PIX and removing the browser settings. But I would still recommend not doing it, because you lose the caching and pre-caching of visited sites that is supported by other proxy servers like Squid, which significantly improves internet response.
Secondly, even if you point to the PIX as a default gateway with NATing enabled, you can still continue using your older proxy server by configuring your browser connection settings to use it, but doing so you will achieve everything as far as NATing and caching is concerned.
It is possible to use it in both ways, but you have to see the merits of using it. I strongly recommend you not to use the PIX as a proxy, as it may increase your internet traffic due to the loss of caching.
-Abhi