Global pools on the inside don't solve the issues associated with actually
trying to do useful work. The only way to do anything on the inside is to
map the addresses that you want to access on the inside to an outside
address. You'll also have the possibility of ending up with name resolution
issues from outside to inside. 

As an addition, if you are going to expose (however minimal the exposure)
your inside address to your outside addresses, I'd like to suggest using a
separate TACACS server to authenticate people coming through the firewall.
All in all, a better solution is to use the PIX to terminate connections
from a VPN client of some sort, and not deal with allowing any type of
un-encrypted or un-tunnelled access across the firewall, at least to
non-DMZ machines.

Hope this is a theoretical exercise - letting folks come into your network
deeper than a dmz is never a good idea, no matter how you do it. Anyone
who's worked with IDS at all will be able to vouch for that one.

Andras




-----Original Message-----
From: PSIHOYIOS PANAYIOTIS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX question... [7:5248]


Hi all, 

Just configure the outside interface as you would configure the inside
interface (nat on the outside with a global pool on the inside). 

Regards,


=====================================================================
Panayiotis Psihoyios                    SyNET S.A.
CCNP (Security, ATM), CCDP, MCP 118 B, Agias Eleoussis Street
Network Engineer                                GR 151 25 Maroussi
email: [EMAIL PROTECTED]               Athens - Greece
Tel:++ 301 61 29 500                    Fax: ++ 301 61 25 313
=====================================================================

> -----Original Message-----
> From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 21, 2001 5:16 PM
> To: [EMAIL PROTECTED]
> Subject: PIX question... [7:5248]
> 
> 
> Hey all, is it possible to translate public IP addresses (outside) to
> private IP addresses (inside) on a PIX firewall? Basically the exact
> opposite of what's usually performed on a firewall. We are going to have
> users dial in to our internet router and receive a Public IP address. They
> have to get through our firewall to gain access to our LAN. Is there a way
> to translate the Public IP address they will obtain into a private IP
> address used by our LAN so they can access it?  I thank you for your help...
>  
>  
>   -Rizzo
> FAQ, list archives, and subscription info: 
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5411&t=5248