Implement PIX without Address Translations? 1

[ex279]

Currently my company does not have a firewall, therefore everyone internally has a public address. I want to continue the use of a the public address internally. I am in the process of implementing a PIX 535. If a user wants to access an external internet resource (pending it is not blocked by an access list on the PIX), I want that user to keep the same address through the PIX. Example: say their address is 155.155.155.164. if they visit a web server, I want that web server log to show the client IP address as 155.155.155.164 and NOT the ip address of the PIX. We are going to deny incoming connections unless they have a static permit statement or if the internal user started the session.

I've been told this is possible, but cannot find any resources. Can someone help?

 

[baddos]

Replace the xxx.xxx.xxx.0 w/ your netblock and this will allow.
static (inside,outside) xxx.xxx.xxx.0 xxx.xxx.xxx.0 netmask 255.255.255.0 0 0

 

[ex279]

Would I still need my globals and nat statements?

global (outside) 1 "IP ADDRESS1"
global (outside) 1 "IP ADDRESS2"

nat (inside) 0 0


Your tell me that all I have to do is:
static (inside,outside) N.N.0.0 N.N.0.0 netmask 255.255.0.0 0 0

and drop the statements above?

 

[themut]

Yeap! A static translation to itself is all you need.