We currently have only one outside interface on our corporate (head office) PIX. We're planning on adding an interface for incoming traffic and a separate one for outgoing. I would like to force all IP traffic from our remote office through our Pix-to-Pix tunnel. Currently, interesting (non-translated) traffic between the two networks terminates on the single outside interface on our head office PIX, and Internet traffic is handled by the remote DSL router. I want the remote users to terminate all traffic on one outside interface on the head office PIX and then go out the other for their Internet access as well. And let's make it more difficult - I want to filter their URL access, which is currently handled for inside users by a server (SurfControl) attached to the head office inside interface of the PIX via a hub.
The easiest part is tunneling all your remote office traffic to the central office outside interface. Though it's not exactly recommended due to the high load it will put on your router, it could be done. Once the traffic reaches the PIX and is decrypted by it, the issue reduces to that of routing the traffic. That again can be achieved using simple static routes. Assuming that your central office inside network is addressed 10.1.0.0/24 (inside interface) and the remote office 10.2.0.0/24 (say DMZ1 or Remote Office 1), you could have a static route pointing in (route (inside) 10.1.0.0 255.255.0.0 10.10.10.2), another static route pointing to your remote office, and finally a default to your Internet on your outside interface. When it comes to the question of URL filtering, things start getting tricky. You would need to install a separate server for that. Permitting all your remote office traffic to be filtered by a device on the inside interface of your central office is not a great idea. I guess a better thing to do would be to filter traffic from a given site locally.
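To make the routing part of the answer above concrete, here is an added PIX 6.3-style configuration fragment for the head office side (example written for this thread, not a config posted by either participant). It assumes the second outside interface is named `vpn`, the remote peer is 203.0.113.50, the addresses in the 198.51.100.0/24 and 203.0.113.0/24 ranges are placeholders, and the remote PIX carries the mirror-image crypto access list (10.2.0.0/24 to any).

```cisco
! Interfaces: one outside for Internet, a second one (assumed name "vpn") that terminates the tunnel
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vpn security10
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address vpn 203.0.113.2 255.255.255.0

! Interesting traffic: anything destined to the remote office goes through the tunnel
access-list vpn-traffic permit ip any 10.2.0.0 255.255.255.0

! Head office <-> remote office is not translated
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.0.0 255.255.255.0

! Decrypted remote office traffic leaves via "outside" and is PATed to that interface address
nat (vpn) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface

! Static routes: default to the Internet, remote office reached via the tunnel interface
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route vpn 10.2.0.0 255.255.255.0 203.0.113.1 1

! IPsec / IKE bound to the tunnel interface (pre-shared key is a placeholder)
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address vpn-traffic
crypto map remote 10 set peer 203.0.113.50
crypto map remote 10 set transform-set strong
crypto map remote interface vpn
isakmp enable vpn
isakmp key REPLACE-WITH-PSK address 203.0.113.50 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Return traffic for the remote users arrives on `outside`, is untranslated to 10.2.0.0/24, follows the static route to `vpn` and matches `vpn-traffic` there, so it is re-encrypted; check with `show crypto ipsec sa` and `show xlate` that the SA and translation counters both increase.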
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...