I've got a scenario in which I'm trying to install a Pix 501 at a site that is connected to other sites via a Qwest PRN (private network) VPN.
Currently they provide firewall service on an edge router, but had turned this off so I could install a Pix. I was able to get the Pix fully functional except for one issue. I could not seem to figure out how to allow the other branch offices with private IPs in through the outside interface of the Pix.
Basically, the site in which I'm installing the Pix has its internal interface configured with 192.168.0.1 and the outside interface as 65.x.x.x. The Cisco 1720 router in front of the Pix routes public internet traffic as well as private network traffic from 3 other sites (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24). I added a route to the 1720 so that all 192.168.0.0 255.255.0.0 traffic routes to the Pix. But the traffic stops at the Pix, and I'm not sure what I've got wrong, or am missing. In order to allow the traffic through the Pix, I used the following statement:

access-list 110 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.255.0
(various other access-list commands...)
access-group 110 in interface outside
All the other access-list statements for allowing public ports inside work fine.
All traffic from the 192.168.0.0/24 network to all the other private networks also works fine.
But no other private networks can get through the Pix.
Can anyone offer any suggestions? Is the access-list statement correct? Is there some other way to accomplish this?
One other note. This has nothing to do with IPSec tunnels, or Pix to Pix traffic.
Thanks.
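On PIX 6.x the access-list alone does not let outside-initiated connections reach inside hosts; the firewall also needs a translation entry for them (the familiar "no translation group found" condition), and the dynamic PAT used for Internet access only creates entries for inside-initiated flows. The fragment below is an added example, not configuration from the original post: it exempts the private-to-private traffic from NAT with a bidirectional NAT exemption and narrows the inbound permit to the three remote /24s. Interface names, security levels and the next-hop placeholders are assumptions.

```cisco
! Assumed interface naming, typical for a PIX 501
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.0.1 255.255.255.0

! Existing dynamic PAT for Internet-bound traffic (assumed to already be in place)
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

! NAT exemption: local LAN <-> remote private networks is not translated.
! In PIX 6.2+ this exemption is bidirectional, so the remote sites can
! initiate connections inward once the outside ACL permits them.
! A blanket identity "static" for 192.168.0.0/24 is deliberately avoided,
! since it would override the PAT and leak private source addresses to the Internet.
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inbound permit on the outside interface, limited to the three known remote
! sites rather than all of 192.168.0.0/16 (least privilege; RFC 1918 sources
! other than these three are still dropped by the implicit deny).
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
! ... other access-list 110 entries for published public ports go here ...
access-group 110 in interface outside

! Return routing toward the 1720 (placeholder next hop; the default route via
! the 1720 already covers this if one exists).
route outside 192.168.1.0 255.255.255.0 <1720-inside-address> 1
route outside 192.168.2.0 255.255.255.0 <1720-inside-address> 1
route outside 192.168.3.0 255.255.255.0 <1720-inside-address> 1
```

After applying it, "show xlate" should no longer be required for the private flows and "show access-list 110" hit counts on the three remote-site entries confirm the inbound traffic is matching.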