I think that's a limitation of the PIX environment.
If you've placed the Squid box in a lower security zone then I believe
the only way to access it is via a translation rule.
Later versions of the ASA software may have different options but I
can't at the moment claim to know any better.
(I'm organising a small ASA firewall so I can answer/document
questions like this from commercial clients.)
Adrian
2008/8/8 Thompson, Scott (WA) <Scott.Thompson_at_affoods.com.au>:
> Hi all,
> One I would put out there in the hope there might be a better way of
> doing this.
> Currently we have a PIX that does NAT and PAT translations for the users
> accessing the internet.
> All HTTP traffic is passed through the PIX to a Linux box running Squid on
> Ubuntu 8.04 via a Global Address Pool.
> When the PIX runs out of NAT addresses it does PAT, no worries it all
> works OK.
> When I try and monitor the usage of the Squid server it looks at the
> translated IP and uses this for reporting in SARG or Webalizer.
> When I have multiple systems accessing the net I cannot determine the
> true source address, only the PAT'd address.
>
> The users exist in multiple subnets and the Squid server is on
> 192.168.1.13 which is the DMZ subnet.
> As Squid uses NT Authentication this is not an issue for users who
> authenticate against the Squid server, but for users where there is no
> authentication all I see is the translated address, and for PAT this is
> just one IP. I have no way of telling exactly what user it was / is.
>
>
> Cheers,
> Scott
>
>
Received on Fri Aug 08 2008 - 07:46:07 MDT