The PIX is not a router...that's what you are asking it to do.
Sincerely,
Patrick J Greene
-----Original Message-----
From: Michal Mertl [mailto:mime@kpnqwest.cz]
Sent: Monday, June 03, 2002 7:08 AM
To: cisco-nsp@puck.nether.net
Subject: PIX config problem
I'm building IPsec VPN using PIX 515 as hub a 1751 a spokes. I want to centralize all Internet access on PIX. I have 3 interfaces on the PIX - private network of HQ, DMZ and external. I thought I would configure the tunnels on PIX, the decrypted traffic would than be routed - when destined for Internet PAT translated. It seems it may not be possible to configure according to "Cisco Secure PIX Firewall FAQ" and question 'Can I operate the PIX in a "one armed" configuration?'.
The error I get is "106011: Deny inbound (No xlate)
icmp src outside:10.1.0.2 dst outside:aa.bb.cc.dd (type 8, code 0)".
The topology of the hub-site is this (numbers are security levels):
Internet--<router>--outside(0)--<PIX>--DMZ(60)
|
inside(100)
After more diging the docs seem to indicate that it's impossible to build hub and spoke network where everyone can communicate with each other with PIX (http://www.cisco.com/warp/public/110/pixhubspoke.html). I find it hard to believe. Please tell me that's not the case or I'm completely screwed.
I've already found that Internet access is possible with four interfaces.
-- Michal Mertl Specialist IP Service Development KPNQwest Czechia s.r.o. GTS Czech a.s. Vinohradska 184 130 52 Praha 3 Tel.: +420 2 96157111 Fax: +420 2 96157444 e-mail: Michal.Mertl@kpnqwest.cz ____________________________________________ Počínaje datem 1.5. 2002 došlo k provoznímu sloučení společností KPNQwest a GTS
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:59 EDT