Had a question above about this but I think it was too complicated...
Is it possible to have a remote VPN (IPsec) connection hit the PIX via the Outside interface, and have that traffic go to a "DMZ" interface instead of the Inside? Yes.
Now my question is: Is it possible to hit networks that are hanging off a router on that DMZ subnet? These route(s) are statically in the PIX routing table as well as the remote PIX's.
I have told the remote PIX to IPsec traffic from inside -> far DMZ network; the PIX does nat 0 for this, of course. Told them the way to that network is via the outside interface of the central PIX. Packets show up on the central PIX but say in syslog "no translation group src internet:10.2.1.5 dst: 192.168.99.5"; in other words, IPsec'd packets show up on the internet interface with private IPs from the remote PIX as expected, but then have nowhere to go.
They have no NAT available, as they need to go to a higher security interface, so that would be backwards. And I can't seem to figure out a working 'static' statement.
I guess I'm having trouble figuring out "where" exactly one of these packets is in the order of processing. I can picture when a packet is coming from the inside interface, or one coming out of the tunnel onto a local network, but I can't seem to figure out how to direct it to a close-by routed network!
Any ideas, anyone?

Joey
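As an added illustration (not part of Joey's post or any reply), here is the shape of the PIX 6.x configuration that the central PIX needs so that decrypted packets from the remote site (10.2.1.0/24, from the syslog line above) can reach a network behind the DMZ router (192.168.99.0/24). The interface names, the DMZ router address 172.16.50.2 and the ACL name are assumptions for the example; the two subnets come from the post.

```cisco
! --- Added example, assumed interface names and DMZ router address ---

! Route to the network hanging off the DMZ router. The DMZ router's
! DMZ-side address (172.16.50.2) is a placeholder.
route dmz 192.168.99.0 255.255.255.0 172.16.50.2 1

! Traffic from the remote site to the far DMZ network must have a
! translation entry on the central PIX, even though no real NAT is
! wanted. Without one, outside -> dmz packets log
! "no translation group" and are dropped.
!
! Option A: identity static, outside -> dmz direction explicitly.
static (dmz,outside) 192.168.99.0 192.168.99.0 netmask 255.255.255.0

! Option B (alternative to A): nat 0 with an ACL on the dmz interface.
! Keep the ACL scoped to the exact VPN subnets so identity NAT does not
! silently apply to other DMZ hosts.
access-list dmz-nonat permit ip 192.168.99.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (dmz) 0 access-list dmz-nonat

! Let decrypted IPsec traffic bypass the outside interface ACL; the
! crypto map's interesting-traffic ACL then defines what may enter.
sysopt connection permit-ipsec
```

Use one of the two translation options, not both. Option B is the more common choice because the same ACL documents exactly which pair of subnets is exempt from translation, and it is easy to audit later; Option A is the one to reach for when the DMZ interface already has a `nat (dmz) 0 access-list` line serving another purpose and you do not want to widen it.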