Pix 515E firewall inside traffic monitoring and control

First of all, thanks, Mr. Layer9, for your nice and helpful participation in this question. Reading all this, I also have some questions to ask you. I hope you will oblige me. I have a PIX 515E firewall with a Cisco 2600 series router; in fact I want to do two tasks on it: first, how can I stop most P2P connections through it, and second, how can I monitor my inside interface users through it? Is it possible to use a transparent proxy (Squid) with it? In your previous answer you said that one can restrict inside users to a proxy address by changing the value of NAT (inside) 0 0 to your proxy address, but when I consoled into my PIX, I saw something different, like NAT (inside) 1 0 0. So how can I do it? And please explain the above command as well. Thanks!

Answer Wiki


If you want to filter P2P, you can do this either on the router or on the PIX. I answered how this is done on a router here.
To do this on a PIX is a bit different; you'll need to tell us what version of the PIX OS you have (do the show version command).

You don't need another proxy to do accounting. You'll simply need to set up NBAR or flow monitoring on the router. I know the PIX v7.0+ allows flow-based policies (e.g. filter all Kazaa traffic or youtube.com destination traffic).
I'm not sure if you can export it to a NetFlow collector like ntop from the PIX.

Here's an example of how you do it from the router. The flow cache is enabled per interface; the export settings are global. The original post left out the collector address on the destination line, so substitute the IP address of your NetFlow collector where <collector-ip> appears:
Router(config)# interface <inside-interface>
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export destination <collector-ip> 9996
Router(config)# ip flow-export version 9
Router(config)# ip flow-export source loopback 0

Finally, your NAT 0 eschews translation. The NAT 1 command will not do anything unless it's paired with a "global 1" command. Look for that in your config and you'll see where your traffic is being PAT'ed to. Alternatively you might see a static (interface,interface) IP IP command. That is a static NAT command.

Let me know if this helps
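To make the nat/global pairing in the answer above concrete, here is an added example that is not part of the original post or the answerer's configuration. It embeds a constructed PIX 6.x-style configuration (the addresses, interface names and the `nat (inside) 1 0 0` shorthand are illustrative) and walks the `nat`, `global` and `static` lines the way the answer describes: nat ID 0 means no translation, a nat ID above 0 only has an effect when a `global` line with the same ID exists, and `static` is a fixed one-to-one mapping.

```python
import re

# Constructed sample PIX 6.x configuration (not from the original post).
# Addresses and interface names are placeholders chosen for this example.
SAMPLE_PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
"""

# nat (<iface>) <id> <net> <mask>      -- "0 0" is PIX shorthand for 0.0.0.0 0.0.0.0
NAT_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
# global (<iface>) <id> <pool>         -- pool is "interface", one address, or a range
GLOBAL_RE = re.compile(r"^global\s+\(([^)]+)\)\s+(\d+)\s+(.+)$")
# static (<from>,<to>) <global_ip> <local_ip> ...
STATIC_RE = re.compile(r"^static\s+\(([^,)]+),([^)]+)\)\s+(\S+)\s+(\S+)")


def parse_translations(config):
    """Collect nat, global and static statements from a PIX config string."""
    nats, globals_, statics = [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append({"iface": m.group(1), "id": int(m.group(2)),
                         "net": m.group(3), "mask": m.group(4)})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(int(m.group(2)), []).append(
                {"iface": m.group(1), "pool": m.group(3).strip()})
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append({"from": m.group(1), "to": m.group(2),
                            "global_ip": m.group(3), "local_ip": m.group(4)})
    return {"nat": nats, "global": globals_, "static": statics}


def check_translations(config):
    """Return one finding per nat/static line, in config order.

    status values: "no-translation" (nat 0), "paired" (nat N with global N),
    "orphan" (nat N without any global N, so it does nothing), "one-to-one" (static).
    """
    t = parse_translations(config)
    results = []
    for n in t["nat"]:
        hosts = ("all hosts" if n["net"] in ("0", "0.0.0.0")
                 else f"{n['net']} {n['mask']}")
        if n["id"] == 0:
            results.append({"kind": "nat", "id": 0, "status": "no-translation",
                            "detail": f"{hosts} on {n['iface']} pass with their real addresses"})
        elif n["id"] in t["global"]:
            pools = ", ".join(f"{g['iface']} {g['pool']}" for g in t["global"][n["id"]])
            results.append({"kind": "nat", "id": n["id"], "status": "paired",
                            "detail": f"{hosts} on {n['iface']} are translated via global {pools}"})
        else:
            results.append({"kind": "nat", "id": n["id"], "status": "orphan",
                            "detail": f"no 'global (...) {n['id']}' found; this nat line has no effect"})
    for s in t["static"]:
        results.append({"kind": "static", "id": None, "status": "one-to-one",
                        "detail": f"{s['local_ip']} on {s['from']} is always seen as "
                                  f"{s['global_ip']} on {s['to']}"})
    return results


if __name__ == "__main__":
    for finding in check_translations(SAMPLE_PIX_CONFIG):
        print(f"{finding['kind']:6} id={finding['id']!s:4} {finding['status']:15} {finding['detail']}")
```

Run it against a `show running-config` capture instead of the embedded sample to see which `global` pool each `nat` ID lands on; a `global ... interface` or single-address pool is where the answer's "PAT'ed to" applies, and any "orphan" finding is a `nat` line that is silently doing nothing.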
