Same static NAT on two firewalls...advice needed

Mar 13th, 2007

I need to double check if my thinking is correct regarding this.

I plan to migrate my firewalling from a Pix525 to a FWSM. Both of these are operational today: the Pix is serving client dynamic PAT, VPN termination and incoming server access, and the FWSM is serving our wireless network with Internet connectivity. Both firewalls are connected to the same subnets internally and externally.

My idea is to move all statics and NAT/PAT entries from the Pix to the FWSM and route the traffic in our backbone router to the FWSM.

My concern is how to handle the static entries to some of our servers. These servers are accessible by our partners using external IP over VPN terminated at the PIX; at the same time, the external IPs of these servers are used by some suppliers to permit direct access to their systems without VPN. None of these settings can be changed easily. Is it possible for me to route unencrypted traffic to the static on the FWSM and then on to the Internet, and route traffic destined for the VPN to the PIX, and use the same static IP?

My feeling is that this should work since the PIX will only communicate over VPN and the FWSM will handle all other traffic.


Fredrik Hofgren

fmeetz Wed, 03/21/2007 - 08:01

To my knowledge, it will work because the PIX will send the packets through the VPN connection, but the FWSM handles the other data traffic.

