Firewall Wizards mailing list archives

RE: PIX firewall global command


From: Rudy_D_Pereda () mail dbf state fl us
Date: Fri, 9 Nov 2001 13:40:19 -0500


I appreciate the quick response very much. I also found out that the
version of software I'm running does not support multiple global statements
per interface. I'm running PIX version 4.4 and the versions that support
multiple global statements start at version 5.2.

At any rate, I appreciate the explanation.

...Rudy.


Jonathan Rozes <jrozes@vinton.com>
11/09/2001 12:08 PM

To:      "'Rudy_D_Pereda () mail dbf state fl us'" <Rudy_D_Pereda () mail dbf state fl us>, firewall-wizards () nfr com
cc:
Subject: RE: [fw-wiz] PIX firewall global command

Hi Rudy,

I'm not entirely sure of the topology you are describing - do you have two
networks behind your PIX that each need to access remote sites through the
outside interface using different nat addresses? In any case, the global
and nat commands work together with a nat id. Let's say you want the systems on
the network 10.1.1/24 to use the nat address 10.4.4.4 and the systems on
network 10.1.2/24 to use the nat address 10.4.4.5. You should be able to do
that like this:

global (outside) 1 10.4.4.4 netmask 255.255.255.0
global (outside) 2 10.4.4.5 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 2 10.1.2.0 255.255.255.0 0 0

The nat ids are specified in the third field of each command (I used 1 and 2
above). Nat ids can be any positive integer between 0 and 2 billion. Beware
that id 0 has a special meaning though - it specifies addresses that should
be exempted from translation. Access control would still be accomplished by
applying access lists to specific interfaces.

Hope this helps...

jonathan

+++ Jonathan Rozes, Systems Architect, Will Vinton Studios


-----Original Message-----
From: Rudy_D_Pereda () mail dbf state fl us
[mailto:Rudy_D_Pereda () mail dbf state fl us]
Sent: Thursday, November 08, 2001 6:54 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] PIX firewall global command


I have two different groups that need access to a secured site. I've been
given two IP addresses to use for translation.
My question is: How can I setup two global statements with different Nat
IDs to allow the different groups access to specific systems on the secured
site using the given IP addresses?
By the way, the groups are located in different geographic regions and all
must come across a frame-relay network.

Any help will be highly appreciated.

...Rudy Pereda

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
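
Added example, not part of the original messages: a small Python audit that pairs nat and global statements by nat id, the way the reply describes, and reports which inside network leaves under which translated address. The sample config is constructed (the four statements from the reply plus a hypothetical nat 0 line and a nat id 3 with no global), and the regexes assume only the statement forms shown in the thread.

```python
import ipaddress
import re

# Constructed sample: the four statements from the reply above, plus a
# hypothetical nat 0 exemption and a nat id 3 that has no global pool.
SAMPLE_CONFIG = """\
global (outside) 1 10.4.4.4 netmask 255.255.255.0
global (outside) 2 10.4.4.5 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 2 10.1.2.0 255.255.255.0 0 0
nat (inside) 0 10.1.9.0 255.255.255.0 0 0
nat (inside) 3 10.1.3.0 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")

def audit_nat(config):
    """Pair nat and global statements by nat id and report the result."""
    pools = {}    # nat id -> list of (interface, global address)
    sources = []  # (interface, nat id, source network)
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            pools.setdefault(int(m[2]), []).append((m[1], m[3]))
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}")
            sources.append((m[1], int(m[2]), net))
    report = {"translated": [], "exempt": [], "no_pool": [], "unused_pool": []}
    for iface, nat_id, net in sources:
        if nat_id == 0:        # id 0: exempt from translation
            report["exempt"].append(str(net))
        elif nat_id in pools:
            for out_if, addr in pools[nat_id]:
                report["translated"].append((str(net), out_if, addr))
        else:                  # nat statement with no global to pair with
            report["no_pool"].append((nat_id, str(net)))
    used = {nat_id for _, nat_id, _ in sources}
    report["unused_pool"] = sorted(i for i in pools if i not in used)
    return report

if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE_CONFIG).items():
        print(key, value)
```

The exempt list is the one to review first, since those networks reach the far side with their real addresses and any access list written against the translated addresses will not match them.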




