Our MS Proxy 2.0 Server is sitting between our Internet router and our internal router. It appears that the proxy server is performing NAT and HTTP proxy services. How do we ascertain whether the proxy server is performing NAT, since we are not that familiar with the MS Proxy server?
We are going to put the firewall into the network behind the Internet router, but in front of the MS Proxy server with the proxy on the inside interface. Should we let the MS Proxy continue to perform NAT? If not, what are your reccommendations. Also, what would be the best way to implement this solution quickly?
Last but not least, there are three networks to route to on the inside interface of the firewall, however, two of the networks will not have inbound traffic initiated to devices sitting on the networks, but the third network will have traffic initiated inbound to devices. Can you please make reccommendation(s) on how to handle this?
MS proxy doesn't really do NAT, heres what happens in an MS Proxy environment: Winsock proxy client gets loaded on client PC, this replaces the Winsock.dll with a 'special' proxy version that 'shuttles' all winsock traffic thru the proxy. (notice there need not be a gateway on client machines in a MS proxy environment). When the winsock call gets shuttled to the proxy server, the server uses it Internet NIC to make the commenction to the remote host and recieves the data. The server then passes it to the client. The client never actually talks directly to the remote host, only the proxy server does.
If you are going to keep the proxy you would need to modify the Internet NIC to have an IP on the same sunbet as the inside interface of the PIX and the gateway would be the Inside interface of the NIC. The only reason to keep the Proxy if you put in a PIX is for caching purposes.
The Network question needs to be done as follows: If any machine on any network is going to have internet access, the PIX will need to know how to route the NAT traffic back to it. This is where you would use your 'route inside' statements. For machines that need to have incoming traffic routed to it you need to setup conduits or access-lists to forward the traffic.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...