PIX 515E firewall inside traffic monitoring and control
First of all, thanks Mr. Layer9 for your nice and helpful participation in this question. By reading all of it I also got some questions in mind to ask you; I hope you will please me... I have a PIX firewall 515E with a Cisco router 2600 series. In fact I want to do two tasks on it: first, how can I stop maximum P2P connections through it, and second, how can I monitor my inside interface users through it? Is it possible that I can use a transparent proxy (Squid) through it? In your previously mentioned answer you said that one can restrict inside users to a proxy address by changing the value of nat (inside) 0 0 to your proxy address, but when I consoled my PIX I saw something different, like nat (inside) 1 0.0.0.0 0.0.0.0 0 0. So how can I do it, and please explain the above command as well. Thanks

ASKED: February 9, 2008  10:47 AM
UPDATED: February 11, 2008  4:53 PM

Answer Wiki:
If you want to filter P2P, you can do this either on the router or on the PIX. I answered how this is done on a router here (http://itknowledgeexchange.techtarget.com/itanswers/limiting-bandwidth-for-streaming-online-audiovideo/). To do this on a PIX is a bit different; you'll need to tell us what version of the PIX OS you have (do the show version command).

You don't need another proxy to do accounting. You'll need to simply set up your NBAR or flow monitoring (http://www.ciscosystems.cd/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm#wp1031105) on the router. I know the PIX v7.0+ allows flow based policies (e.g. filter all Kazaa traffic or youtube.com destination traffic). I'm not sure if you can export it to a NetFlow collector like ntop (http://www.ntop.org/) from the PIX. Here's an example of how you do it from the router:

Router(config-if)# ip route-cache flow
Router(config)# ip flow-export destination 172.17.246.225 9996
Router(config)# ip flow-export version 9
Router(config)# ip flow-export source loopback 0

Finally, your NAT 0 eschews translation. The NAT 1 command will not do anything unless it's paired with a "global 1" command. Look for that in your config and you'll see where your traffic is being PATed to. Alternatively you might see a static (interface, interface) IP IP command. That is a static NAT command. Let me know if this helps.
Last Wiki Answer Submitted:  February 11, 2008  4:53 pm  by  Xanader   395 pts.
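As an added illustration of the nat/global pairing check described in the answer above (example code written for this page, not from the thread or from Cisco), the script below parses PIX 6.x-style nat and global lines, explains the fields of a line like nat (inside) 1 0.0.0.0 0.0.0.0 0 0, and reports which nat ids have no matching global and therefore translate nothing. The command syntax it assumes and the sample config are constructed and labelled in the comments.

```python
import re

# Assumed PIX 6.x forms (from the PIX command reference, not from this thread):
#   nat (if_name) nat_id local_ip [netmask [max_conns [emb_limit]]]
#   global (if_name) nat_id {interface | pool}
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+)(?: (\S+))?(?: (\d+))?(?: (\d+))?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")

def parse_nat(line):
    """Split one nat line into fields. '0' is PIX shorthand for 0.0.0.0;
    a limit of 0 means unlimited; nat_id 0 means identity (no translation)."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    iface, nat_id, local_ip, mask, max_conns, emb = m.groups()
    expand = lambda a: "0.0.0.0" if a == "0" else a
    return {"iface": iface, "nat_id": int(nat_id), "local_ip": expand(local_ip),
            "netmask": expand(mask) if mask else None,
            "max_conns": int(max_conns or 0), "emb_limit": int(emb or 0),
            "identity": nat_id == "0"}

def audit_nat_pairing(config_text):
    """Classify every nat line: identity, translated via a matching global, or
    unpaired (a nat_id with no global pool translates nothing)."""
    nats, pools = [], {}
    for line in config_text.splitlines():
        n = parse_nat(line)
        if n:
            nats.append(n)
            continue
        g = GLOBAL_RE.match(line.strip())
        if g:
            pools.setdefault(int(g.group(2)), []).append(
                f"global ({g.group(1)}) {g.group(2)} {g.group(3)}")
    report = {}
    for n in nats:
        key = f"nat ({n['iface']}) {n['nat_id']} {n['local_ip']} {n['netmask']}"
        if n["identity"]:
            report[key] = "identity: hosts leave untranslated"
        elif n["nat_id"] in pools:
            report[key] = "translated via " + "; ".join(pools[n["nat_id"]])
        else:
            report[key] = f"unpaired: no global {n['nat_id']} line, nat has no effect"
    return report

# Constructed sample config for the demo, not the asker's real one.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
nat (dmz) 2 10.1.1.0 255.255.255.0 0 0
nat (inside) 0 10.0.5.0 255.255.255.0
"""

if __name__ == "__main__":
    for entry, verdict in audit_nat_pairing(SAMPLE_CONFIG).items():
        print(f"{entry:45s} {verdict}")
```

Run it against the output of show running-config from your own PIX to see which nat ids actually carry a global pool.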

