PIX 515E firewall inside traffic monitoring and control

20 pts.
Tags:
Firewalls
PIX 515E
Routers
First of all, thanks Mr. Layer9 for your nice and helpful participation in this question. By reading all of it I also got some questions in mind to ask you. I hope you will please me... I have a PIX 515E firewall with a Cisco 2600 series router. In fact I want to do two tasks on it: first, how can I stop the maximum of p2p connections through it, and second, how can I monitor my inside interface users through it? Is it possible that I can use a transparent proxy (Squid) through it? In your previously mentioned answer you said that one can restrict inside users to a proxy address by changing the value of nat (inside) 0 0 to your proxy address, but when I consoled my PIX I saw something different, like nat (inside) 1 0.0.0.0 0.0.0.0 0 0, so how can I do it, and please explain the above command as well. Thanks

Answer Wiki

If you want to filter p2p, you can do this either on the router or on the PIX. I answered how this is done on a router here: http://itknowledgeexchange.techtarget.com/itanswers/limiting-bandwidth-for-streaming-online-audiovideo/
To do this on a PIX is a bit different. You'll need to tell us what version of the PIX OS you have (do the show version command).

You don't need another proxy to do accounting. You'll need to simply set up NBAR or flow monitoring (http://www.ciscosystems.cd/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm#wp1031105) on the router. I know the PIX v7.0+ allows flow-based policies (e.g. filter all Kazaa traffic or youtube.com destination traffic).
I'm not sure if you can export it to a NetFlow collector like ntop (http://www.ntop.org/) from the PIX.

Here's an example of how you do it from the router.
Router(config-if)# ip route-cache flow
Router(config)# ip flow-export destination 172.17.246.225 9996
Router(config)# ip flow-export version 9
Router(config)# ip flow-export source loopback 0

Finally, your NAT 0 eschews translation. The NAT 1 command will not do anything unless it's paired with a "global 1" command. Look for that in your config and you'll see where your traffic is being PAT'ed to. Alternatively you might see a static (interface,interface) IP IP command. That is a static NAT command.

Let me know if this helps
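A worked PIX 6.x-style configuration illustrating the nat/global pairing, the nat 0 exemption and the static mapping described in the answer; this is an added example, not the poster's config or the answerer's, and the interface names, pool id and addresses (RFC 1918 / RFC 5737 ranges) are assumed placeholders.

```cisco
! Assumed interfaces and addresses (placeholders, not from the question)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! The command seen on the poster's PIX: every inside host (0.0.0.0 0.0.0.0)
! is assigned to NAT pool 1. The trailing "0 0" are the per-host max
! connections and embryonic (half-open) connection limits; 0 = unlimited.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Without a matching global for pool 1 the nat line above does nothing.
! "interface" PATs all inside hosts behind the outside interface address.
global (outside) 1 interface

! nat 0 with an access-list: traffic matching the ACL is NOT translated
! (identity NAT), e.g. for a VPN or a directly routed internal subnet.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Static one-to-one NAT for an inside server reachable from outside.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Verification: xlate shows the live translations (where traffic is PAT'ed to),
! nat and global show the configured pairing.
show xlate
show nat
show global
```

Pairing is by pool id: a nat line and a global line must share the same number (1 here) for the PIX to build the translation, and show xlate is the quickest way to confirm which outside address inside hosts actually appear as.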
