Per-user NAT IP address assignment in PIX. Please help!!

Discussion in 'Cisco' started by Antonio Arias, Jun 13, 2004.

  1. Hello all,

    I need to perform a per-user NAT translation and can't figure out if
    this can be accomplished with PIX and ACS :

    When an authenticated user gets access to my inside network, I need to
    perform NAT to assign each one an specified IP address, maybe storing
    the address in each user or group profile in ACS.

    This is because of requirements of a web application inside the
    firewall, which performs authentication based on IP -no way to change
    this app.

    Any suggestions, on whether this can be accomplished or definitely
    not, would be very appreciated.

    Thanks a lot.

    A. Arias.
     
    Antonio Arias, Jun 13, 2004
    #1
    1. Advertisements

  2. Hi Antonio,

    I don't believe NAT alone is going to do what you need, other than provide a
    mechanism for a translation from an outside address to an inside address.

    However, you might look into 802.1x Authentication as it provides some
    per-user dynamic ACL capabilities. The documentation indicates 802.1x can
    pass per user information such as an IP address from a Radius server, which
    can be dynamically assigned to create an ACL on a multi-layer switch.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/sw8021x.htm#wp1096673

    Once assigned, I'm wondering if an ACL such as this can be used somehow with
    NAT or DHCP to provide a pre-assigned or re-assigned inside network address
    to an authenticated user.

    This is an attempt at brain storming however and may not bear much
    resemblance to the real world. But it might make a good research item for
    yours or similar projects.

    FWIW,
    Bob
     
    Bob by The Bay, Jun 13, 2004
    #2
    1. Advertisements

  3. Bob,

    Thank you for your suggestions, i'll have a look at 802.1x, although
    I'm afraid it isn't supported by PIX yet, only switches / WLANs.

    Guess we will have to develop st using ipchains / apache.
     
    Antonio Arias, Jun 15, 2004
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.