I have a Pix 501 that I'd like to use to protect our DMZ. The goal is to prove it all works and then we'll purchase a larger Pix such as a 515 etc.
Basically, what I have is an ISP-assigned /30 and /26 for my use. I'm planning on putting the /30 on the outside interface of the Pix and the /26 on the inside. Connected to the inside interface is of course the Pix, and various other servers such as email, squid proxy, sql, ISA (Microsoft shop... bleh). I have it all set up and I have removed all the NAT-related statements from the Pix config. I can ping the world from the Pix and the world can ping the outside interface of the Pix. But the world can't reach any of the DMZ boxen. Of course the Pix itself can ping the DMZ boxen without problem. I have opened ICMP to both Pix interfaces and I have ACLs on both Pix interfaces to permit all traffic.
Is it not possible to use a pix basically as a router?
The basic layout is this...
LAN (192.168.10.x) -- DMZ -- Pix -- ISP router -- Internet
I know all the subnets are routed properly because if I put a regular router in to handle the spot the Pix is in, things work fine. It's like the Pix isn't pushing the packets through to the DMZ. I set up debug on the Pix and I see the packets arriving inward on the outside interface.
Just wondering if I'm trying to do something that isn't supported here. Does a Pix HAVE to nat traffic? I figured that by removing the global, local, and nat statements I'd have basically reduced it to a simple router with some packet filtering and inspection capabilities.
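An added example, not from the original post, of how a PIX 6.x configuration (the software line the 501 runs) passes a routable /26 through without rewriting addresses: a `nat 0` entry for inside-to-outside and an identity `static` for outside-to-inside, since the PIX still needs a translation slot even when the addresses stay the same. The addresses are placeholders (192.0.2.0/30 stands in for the ISP /30, 198.51.100.0/26 for the /26) and the hosts and ports in the ACL are assumed:

```text
! Added example, not from the original post. All addresses are placeholders.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.252
ip address inside 198.51.100.1 255.255.255.192
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Inside -> outside with no translation (identity NAT).
nat (inside) 0 0.0.0.0 0.0.0.0
! Outside -> inside: an identity static gives the PIX an xlate for the
! whole /26 without changing any address.
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.192 0 0
! Permit only the services the DMZ actually exposes, instead of
! "permit ip any any" on the outside interface (hosts/ports assumed).
access-list outside_in permit tcp any host 198.51.100.10 eq smtp
access-list outside_in permit tcp any host 198.51.100.11 eq www
access-list outside_in permit icmp any 198.51.100.0 255.255.255.192 echo
access-group outside_in in interface outside
```

After applying it, `show xlate` on the PIX should list the identity translations and `show access-list` should show hit counts climbing on the outside_in entries as traffic arrives.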