RE: PIX config problem

From: Greene, Patrick (pjgreene@infotechent.net)
Date: Wed Jun 05 2002 - 12:06:21 EDT


The PIX is not a router...that's what you are asking it to do.

Sincerely,
Patrick J Greene

-----Original Message-----
From: Michal Mertl [mailto:mime@kpnqwest.cz]
Sent: Monday, June 03, 2002 7:08 AM
To: cisco-nsp@puck.nether.net
Subject: PIX config problem

I'm building an IPsec VPN using a PIX 515 as hub and 1751s as spokes. I want to centralize all Internet access on the PIX. I have 3 interfaces on the PIX - private network of HQ, DMZ and external. I thought I would configure the tunnels on the PIX, the decrypted traffic would then be routed - when destined for the Internet, PAT translated. It seems it may not be possible to configure according to "Cisco Secure PIX Firewall FAQ" and the question 'Can I operate the PIX in a "one armed" configuration?'.

The error I get is "106011: Deny inbound (No xlate) icmp src outside:10.1.0.2 dst outside:aa.bb.cc.dd (type 8, code 0)".

The topology of the hub-site is this (numbers are security levels):
Internet--<router>--outside(0)--<PIX>--DMZ(60)
                                  |
                               inside(100)

After more digging the docs seem to indicate that it's impossible to build a hub and spoke network where everyone can communicate with each other with a PIX (http://www.cisco.com/warp/public/110/pixhubspoke.html). I find it hard to believe. Please tell me that's not the case or I'm completely screwed.

I've already found that Internet access is possible with four interfaces.

-- 
Michal Mertl
Specialist IP Service Development
KPNQwest Czechia s.r.o.
GTS Czech a.s.
Vinohradska 184
130 52 Praha 3
Tel.: +420 2 96157111
Fax: +420 2 96157444
e-mail: Michal.Mertl@kpnqwest.cz
____________________________________________
As of 1 May 2002, the operations of KPNQwest and GTS have been merged.
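The 106011 message quoted above shows both src and dst on the outside interface, which is the PIX refusing to pass a packet back out the interface it arrived on without a translation. As an added example (not from the thread or from Cisco), here is a small Python parser that pulls such same-interface denies out of a syslog feed; the sample lines are constructed, and the field layout is assumed from the single message the post quotes.

```python
import re

# Constructed sample syslog lines in the layout the post quotes for message 106011.
# Addresses other than the post's own 10.1.0.2 / aa.bb.cc.dd are placeholders.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) icmp src outside:10.1.0.2 dst outside:aa.bb.cc.dd (type 8, code 0)
106011: Deny inbound (No xlate) tcp src outside:10.1.0.2/1025 dst outside:192.0.2.10/80
106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/40000 dst inside:10.0.0.5/22
%PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 (192.0.2.10/80)
"""

# Field layout assumed from the quoted message: proto, src iface:addr[/port], dst iface:addr[/port].
PATTERN = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?"
)


def parse_106011(line):
    """Parse one 106011 line into a dict, or return None for any other message."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The hub-and-spoke symptom from the post: ingress and egress interface are the same.
    rec["hairpin"] = rec["src_if"] == rec["dst_if"]
    return rec


def find_hairpins(text):
    """Return the parsed 106011 records whose src and dst interface match."""
    records = [r for r in map(parse_106011, text.splitlines()) if r]
    return [r for r in records if r["hairpin"]]


if __name__ == "__main__":
    for r in find_hairpins(SAMPLE_LOG):
        print(f"{r['proto']} {r['src']} -> {r['dst']} both on {r['src_if']}: "
              "same-interface traffic, no xlate")
```

On a real feed, a burst of these with identical src_if and dst_if for spoke-to-spoke or spoke-to-Internet addresses is the quickest way to confirm the topology, not a policy entry, is what is dropping the traffic.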



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:46 EDT