Tracking Hosts in a NAT/DHCP enviroment

I currently maintain a network for a small University that utilizes 9 class C public networks. We use a PIX 515E with NAT disabled. I would like to enable NAT and use the Class C public networks as my global NAT pool. We will also be implementing DHCP inside which will be 192.168.X.X (Divided amongst VLANs). Simple enough right?

The problem is that our Cheif Information Officer would like a way to track any inside host if we sense malicious activity or for any other reason. Right now it is quite easy since we all use static global IP addresses. So how can I track who is who if their IP's are dynamic and they use a dynamic NAT IP every time they pass through the PIX?
mikesparkerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
You can use an external log host that will maintain a record of xlates (nat translations)
If you set DHCP for long or even permanent lease, then you have an easy way to map the translation, or you can do a one-one network translation, i.e.
10.100.100.0 = 150.150.100.0
each host in the private 10.100.100.x subnet will get the same last digit of the public space:
10.100.100.122 = 150.150.100.122 always
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mikesparkerAuthor Commented:
I think we will make a DHCP reservation for each host. We will also make static NAT translations for servers, printers, ect. The external log host should cover the rest. We currently have an internal Syslog server. Will that work or do I need something else to log xlates?
0
lrmooreCommented:
The current syslog server should work. You  might want to "turn up" the level of syslogging, and exclude some extra messages that you'll get. I'm not sure if it is Informational or Notification level that will provide the xlates... it might even be debug level....
0
mikesparkerAuthor Commented:
You the man!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.