I think that's a limitation of the PIX environment. If you've placed the Squid box in a lower security zone then I believe the only way to access it is via a translation rule.

Later versions of the ASA software may have different options but I can't at the moment claim to know any better. (I'm organising a small ASA firewall so I can answer/document questions like this from commercial clients.)

Adrian

2008/8/8 Thompson, Scott (WA) <Scott.Thompson@xxxxxxxxxxxxxx>:
> Hi all
> One I would put out there in the hope there might be a better way of
> doing this
> Currently we have a PIX that does NAT and PAT translations for the users
> accessing the internet
> All HTTP traffic is passed thru the PIX to a Linux box running Squid on
> Ubuntu 8.04 via a Global Address Pool
> When the PIX runs out of NAT addresses it does PAT, no worries it all
> works OK
> When I try and monitor the usage of the Squid server it looks at the
> translated IP and uses this for reporting in SARG or Webalizer
> When I have multiple systems accessing the net I cannot determine the
> true source address only the PAT'd address
>
> The users exist in multiple subnets and the Squid server is on
> 192.168.1.13 which is the DMZ subnet
> As Squid uses NT Authentication this is not an issue for users who
> authenticate against the Squid server but for users where there is no
> authentication all I see is the translated address and for PAT this is
> just one IP. I have no way of telling exactly what use it was / is
>
> Cheers,
> Scott