Rather complicated PIX, ipsec, and multiple interface question...

Have a question here for a seasoned PIX person?

Have a PIX 520 with lots of interfaces in at our main building. Also have several remote sites connected with PIX501's on DSL lines. They are configured to encrypt traffic (ipsec) from remote subnets to the main building, and just send their internet traffic out their local DSLs. This is working fine. The catch is, at the main building there is also a port on the big PIX that is connected via a 2611 router to a direct T1 line to another company. My goal is to be able to encrypt and route traffic from the remote offices to the main building, then out the T1 to the other company.

Main PIX:
  Inside:    10.1.1.0/24
  PrivateT1: 192.168.99.0/24
  DMZ:       172.168.20.0/24

Remote PIX:
  Inside: 10.2.1.0/24 (and 10.3.1.0/24 for each additional one, etc.)

I've set up quite a few tunnels and such and even gotten ones to go from Remote-Insides to the Main-DMZ without problems. What I need to do here is have Remote-Inside traffic go out on the Main-PrivateT1 interface. The other company requires some static maps from 10.1.1.x to 192.168.99.x for security reasons and some inbound traffic, but otherwise we let it outbound PAT anything not specifically static. The stuff from the Remote sites also needs to show up as a 192.168.99.x address, but it doesn't matter which one(s). The other company only responds to traffic "from" 192.168.99 so there is no option to let the 10's thru unchanged. To further complicate things, the destination addresses at this other company are their own oddball inside IPs. I've taken care of the PIX501's knowing how to route to their IPs and that part is working. However, the difference I see compared to the Remote->DMZ session is that the destination isn't a physically connected network to the PIX, but something one hop beyond.

I can see in syslog messages that packets from the remote site are coming in and crapping out with "no translation group" as src internet 10.2.1.5, dst 192.168.99.5. I have configured a "global (PrivateT1) 1 192.168.99.253 netmask 255.255.255.0" that I thought would handle anything going out the PrivateT1 port. However, the NAT part of this is just "nat (inside) 1 10.0.0.0 255.0.0.0".

I think the problem is that packets are coming out of the tunnel from the "internet" port (with remote office inside IPs) and thus not being picked up by this NAT statement. I don't think it's possible to say "nat (internet) 1 10.2.0.0 /24" as that would be going from a low to a high security port. The PIX has the other company's IPs statically added to its routing table. This works for main building clients just fine. And I don't believe there is any issue with traffic going in and out on the same interface, which I know is not possible by design on the PIX.

Is there a way to accomplish what I'm trying to do? The only thing I can think of is some weird backwards static statement from internet>private T1 but this probably isn't safe. I have spare routers if someone can come up with a router-on-a-stick method or maybe some screwball two-way NATing? I still think it can be done with just the PIX though!

Thanks for any input. Joey
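Added example, not part of the original post or of any Cisco code: a small Python model of how PIX 6.x pairs a "nat (ingress-interface) id" line with a "global (egress-interface) id" pool, using the two lines and the interface names from the post. The interface security levels and the static routes are assumptions (the post does not list them), and the lookup is a simplification of the real PIX.

```python
import ipaddress

# Security levels are assumed; the post names the interfaces but not their levels.
IFACES = {"inside": 100, "PrivateT1": 50, "DMZ": 20, "internet": 0}

# Translation rules exactly as the poster described them.
NAT_RULES = [("inside", 1, ipaddress.ip_network("10.0.0.0/8"))]
GLOBAL_POOLS = [("PrivateT1", 1, ipaddress.ip_address("192.168.99.253"))]

# Constructed routing table for the main PIX (the post only says the other
# company's addresses are statically routed out PrivateT1).
ROUTES = [
    (ipaddress.ip_network("192.168.99.0/24"), "PrivateT1"),
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
]


def egress_interface(dst):
    """Longest-prefix match over ROUTES to find the interface a packet leaves on."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst_ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def translate(ingress, src, dst):
    """Return the translated source address, or None when the PIX would log
    "no translation group": a nat line only matches packets that entered on
    the interface it names, and it must share its id with a global pool on
    the egress interface."""
    src_ip = ipaddress.ip_address(src)
    egress = egress_interface(dst)
    for nat_if, nat_id, net in NAT_RULES:
        if nat_if != ingress or src_ip not in net:
            continue  # packet did not enter on the nat line's interface
        for glob_if, glob_id, addr in GLOBAL_POOLS:
            if glob_if == egress and glob_id == nat_id:
                return str(addr)  # PAT to the pool address
    return None


if __name__ == "__main__":
    # A main-building client works; the tunnelled remote client does not.
    print(translate("inside", "10.1.1.10", "192.168.99.5"))   # 192.168.99.253
    print(translate("internet", "10.2.1.5", "192.168.99.5"))  # None
```

The second call reproduces the poster's syslog case: the 10.2.1.5 packet arrives on "internet", so the "nat (inside) 1" line never matches it even though the "global (PrivateT1) 1" pool exists.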
