Per-user NAT IP address assignment in PIX. Please help!!

Hello all,

I need to perform a per-user NAT translation and can't figure out if
this can be accomplished with PIX and ACS :

When an authenticated user gets access to my inside network, I need to
perform NAT to assign each one an specified IP address, maybe storing
the address in each user or group profile in ACS.

This is because of requirements of a web application inside the
firewall, which performs authentication based on IP -no way to change
this app.

Any suggestions, on whether this can be accomplished or definitely
not, would be very appreciated.

Thanks a lot.

A. Arias.

 

Hi Antonio,

I don't believe NAT alone is going to do what you need, other than provide a
mechanism for a translation from an outside address to an inside address.

However, you might look into 802.1x Authentication as it provides some
per-user dynamic ACL capabilities. The documentation indicates 802.1x can
pass per user information such as an IP address from a Radius server, which
can be dynamically assigned to create an ACL on a multi-layer switch.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/sw8021x.htm#wp1096673

Once assigned, I'm wondering if an ACL such as this can be used somehow with
NAT or DHCP to provide a pre-assigned or re-assigned inside network address
to an authenticated user.

This is an attempt at brain storming however and may not bear much
resemblance to the real world. But it might make a good research item for
yours or similar projects.

FWIW,
Bob

 

Bob,

Thank you for your suggestions, i'll have a look at 802.1x, although
I'm afraid it isn't supported by PIX yet, only switches / WLANs.

Guess we will have to develop st using ipchains / apache.