Solved

Dynamic Address Translation

Posted on 2005-05-16
Last Modified: 2010-04-09
In a PIX 515E I have this command:

pixfirewall(config)# global (outside) 1 200.200.1.51-200.200.1.100 netmask 255.255.255.0

To my understanding the above statement displays my public address as a public IP address pool.  Why would I need this and what are the benefits of this?  My goal is this:

[S0/0 26.21.28.90] Internet Gateway Router [e0/0 200.200.1.49] ->  [outside 200.200.1.50] PIX 515E [inside 192.168.85.17] -> [192.168.85.199] Catalyst Switch -> out to the user network 192.168.85.20-180.

Server example:
Mail Server
Public IP:  200.200.1.52
Private IP: 192.168.85.4

Now, I don't see how that global (outside) command will benefit me or any purpose in my network?
Question by: Pentrix2

Accepted Solution by: lrmoore
When you set a global range, whenever any internal host goes to an external host, then there must be a translation from the internal to a global. Using a range, each internal host gets an independent external global from the pool, until the pool is used up. Basically only 50 of your internal hosts will be able to get out.

For your mail server, you want to set up a static nat translation. Since your selected public IP is also within the pool range, you must exclude that IP from the pool, for example:

global (outside) 1 200.200.1.53-200.200.1.100 netmask 255.255.255.0

== the following creates a PAT "overload" so that you can service many many more clients than you have pool addresses
global (outside) 1 200.200.1.51

== assuming that you have something like this:
nat (inside) 1 0.0.0.0 0.0.0.0 0

== add a static for your mail server
static (inside,outside) 200.200.1.52 192.168.85.4 netmask 255.255.255.255

== now you need to add access-list rules, and apply it to the outside interface
access-list outside_in permit tcp any host 200.200.1.52 eq smtp
access-group outside_in in interface outside

>I don't see how that global (outside) command will benefit me or any purpose in my network?
It is absolutely vital to your internal hosts to communicate on the Internet.
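The two problems the answer points out (a pool of only 50 addresses with no PAT fallback, and a static whose public IP sits inside the pool range) can be caught before the config is pushed. The following is an added example, not part of the original thread or any Cisco tool; it parses PIX 6.x style `global`/`static` lines and reports both conditions.

```python
import ipaddress
import re

# Constructed sample: the corrected fragment from the answer above.
SAMPLE_CONFIG = """
global (outside) 1 200.200.1.53-200.200.1.100 netmask 255.255.255.0
global (outside) 1 200.200.1.51
nat (inside) 1 0.0.0.0 0.0.0.0 0
static (inside,outside) 200.200.1.52 192.168.85.4 netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)")


def parse_globals(cfg):
    """Map NAT id -> list of (kind, first, last); kind is 'pool' or 'pat'."""
    result = {}
    for line in cfg.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m:
            continue
        nat_id, addr = m.group(2), m.group(3)
        if "-" in addr:  # a range means a one-to-one dynamic pool
            first, last = (ipaddress.IPv4Address(a) for a in addr.split("-"))
            result.setdefault(nat_id, []).append(("pool", first, last))
        else:  # a single address is a PAT (overload) address
            a = ipaddress.IPv4Address(addr)
            result.setdefault(nat_id, []).append(("pat", a, a))
    return result


def parse_statics(cfg):
    """Return the public (outside) IP of every static translation."""
    matches = (STATIC_RE.match(l.strip()) for l in cfg.splitlines())
    return [ipaddress.IPv4Address(m.group(1)) for m in matches if m]


def pool_capacity(cfg, nat_id):
    """Number of one-to-one dynamic translations available for a NAT id."""
    entries = parse_globals(cfg).get(nat_id, [])
    return sum(int(last) - int(first) + 1 for k, first, last in entries if k == "pool")


def audit(cfg):
    """Report pool exhaustion risk and static/pool overlaps as human-readable findings."""
    findings = []
    statics = parse_statics(cfg)
    for nat_id, entries in parse_globals(cfg).items():
        capacity = pool_capacity(cfg, nat_id)
        if capacity and not any(k == "pat" for k, _, _ in entries):
            findings.append(f"nat id {nat_id}: only {capacity} pool addresses and no PAT "
                            f"fallback; internal host number {capacity + 1} cannot translate")
        for s in statics:
            for _, first, last in entries:
                if first <= s <= last:
                    findings.append(f"nat id {nat_id}: static {s} overlaps global range {first}-{last}")
    return findings
```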