Hello, I'm in the process of closing a big hole my predecessor left for me. I maintain a small school district's network that also provides Internet access to our local police. The initial setup was this:
Cisco 2800 Router (provided by ISP, non-configurable) as x.x.x.254 on our Class C.
SOHO hub (don't ask)
Two things, the outside if (x.x.x.250) of the PIX, which links to the primary VLAN (10.1.0.0/16) on the inside if, and a VLAN that the police were already hooked up to (10.7.0.0/16). Already the hole is evident; there's a complete bypass of the PIX available to anyone who can see it.
My first change was to remove the SOHO hub. I created another VLAN for the PIX, 2800, and the police dept. Now my problem stems from the police dept.'s need to get to webmail, as we provide their email accounts as well. The webmail system sits inside the PIX, with a static map between its private IP and public IP (x.x.x.4), and the necessary ACLs to allow traffic in over port 80. The police dept.'s router/vpn box (x.x.x.100) sits in the same VLAN, subnet, etc., and can see the ISP's router with no problems, gets any Internet traffic they want, and the VPN tunnels are up and running. DNS resolves appropriately, but their systems will NOT go to ANY of my static NAT mappings. x.x.x.3, .4, .5, & .8 are all valid IPs used by the PIX to route traffic in, and from anywhere but the police dept., they work. There is no mention of x.x.x.100 in any of the PIX config, not in the global mappings for dynamic access, not in ACLs.
PIX config attached.
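The post's diagnosis rests on two claims about the attached config: that x.x.x.100 is not referenced anywhere, and that the static mappings are permitted inbound on port 80. The following checker, added here as an example and not taken from the post or its attached config, reads a PIX 6.x-style configuration and answers both questions mechanically. The configuration it parses is constructed for illustration (203.0.113.0/24 stands in for the post's x.x.x.0/24, and a deny line for .100 is included only to show the checker catching one); it handles plain `static`, `access-list` and `access-group` lines only, not object-groups, port ranges or `nat`/`global` pairs, and it models only inbound (lower- to higher-security) traffic, which the PIX drops unless an applied access-list permits it.

```python
import ipaddress
import re

# Constructed PIX 6.x-style configuration for illustration; NOT the poster's
# attached config. 203.0.113.0/24 plays the role of the post's x.x.x.0/24.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.3 10.1.0.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 10.1.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.8 10.1.0.8 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in deny ip host 203.0.113.100 any
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}


def _operand(tokens):
    """Consume one address operand ('any' | 'host A' | 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (statics, acls_by_name, access_group_by_interface) from config text."""
    statics, acls, applied = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append({"high": m.group(1), "low": m.group(2),
                            "global": m.group(3), "local": m.group(4)})
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest = _operand(rest.split())
            dst, rest = _operand(rest)
            port = None
            if len(rest) >= 2 and rest[0] == "eq":      # only 'eq PORT' is modelled
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
            continue
        m = GROUP_RE.match(line)
        if m:
            applied[m.group(2)] = m.group(1)
    return statics, acls, applied


def inbound_verdict(parsed, iface, src_ip, dst_ip, proto, port):
    """First-match verdict for a flow arriving on `iface`; implicit deny if nothing matches."""
    _, acls, applied = parsed
    name = applied.get(iface)
    if name is None:
        return "deny (no access-group)"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(acls.get(name, []), 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return f"{ace['action']} (line {i})"
    return "deny (implicit)"


def explicit_references(parsed, ip):
    """Every static or ACE that names `ip` explicitly (host entry or static address)."""
    statics, acls, _ = parsed
    target = ipaddress.ip_network(ip + "/32")
    hits = [f"static {s['global']} -> {s['local']}" for s in statics
            if ip in (s["global"], s["local"])]
    for name, aces in acls.items():
        for i, ace in enumerate(aces, 1):
            if target in (ace["src"], ace["dst"]):
                hits.append(f"access-list {name} line {i}: {ace['action']} {ace['proto']}")
    return hits


def exposed_services(parsed, iface):
    """For each static's global address, the permit ACEs on `iface` whose destination covers it."""
    statics, acls, applied = parsed
    aces = acls.get(applied.get(iface), [])
    report = {}
    for s in statics:
        g = ipaddress.ip_address(s["global"])
        report[s["global"]] = [(a["proto"], a["port"], str(a["src"]))
                               for a in aces if a["action"] == "permit" and g in a["dst"]]
    return report


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("references to 203.0.113.100:", explicit_references(cfg, "203.0.113.100"))
    print("webmail from .100:", inbound_verdict(cfg, "outside", "203.0.113.100", "203.0.113.4", "tcp", 80))
    for g, svc in exposed_services(cfg, "outside").items():
        print(f"{g}: {svc or 'no inbound permit'}")
```

A permit verdict here only says the access-list would let the packet through once it reaches the outside interface; it says nothing about whether a host on the same outside segment can actually get the packet there, so a clean result from the checker narrows the problem to the network path rather than the policy.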