
Using NAT for Perimeter Protection

Title: Using NAT for Perimeter Protection (ID: EPS168)
Author(s): Alson Been (Bethune-Cookman University)
Topics: Firewalls, Security Architecture
Origin: Community Contributions (2003)
Type: Effective Practices
Abstract:

About a year ago, we implemented a campus network where none of our computers (including servers) has a public IP address. We use our Cisco PIX firewall to do dynamic and static network address translation (NAT), protecting approximately 1,600 hosts. Our students are protected by the same PIX, but they are on a separate VLAN subnet of our network, which is outside our demilitarized zone (DMZ). The only two devices on our campus that actually have public IP addresses configured on them are our edge router and our firewall. This security solution was relatively easy to set up in our institution. Difficulties arose when we wanted to be an Access Grid site. We learned that the PIX would not handle multicast well. Several network consultants told us they did not think multicast was possible on our campus with our network design. Others said it might be possible, but there was no documentation on the configuration of multicast through a PIX firewall. Over a period of several months, we worked on configuring our network devices to enable multicast.

© Copyright 1999-2009 EDUCAUSE