I need to double check if my thinking is correct regarding this.
I plan to migrate my firewalling from a Pix525 to a FWSM. Both of these are operational today: the Pix is serving client dynamic PAT, VPN termination and incoming server access, and the FWSM is serving our wireless network with Internet connectivity. Both firewalls are connected to the same subnets internally and externally.
My idea is to move all statics and NAT/PAT entries from the Pix to the FWSM and route the traffic in our backbone router to the FWSM.
My concern is how to handle the static entries to some of our servers. These servers are accessible by our partners using an external IP over a VPN terminated at the PIX; at the same time the external IPs of these servers are used by some suppliers to permit direct access to their systems without VPN. None of these settings can be changed easily. Is it possible for me to route unencrypted traffic to the static on the FWSM and then on to the Internet, and route traffic destined for the VPN to the PIX, using the same static IP?
My feeling is that this should work since the PIX will only communicate over VPN and the FWSM will handle all other traffic.
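The split the post describes, written out as a constructed configuration sketch (this is an added illustration, not the poster's configuration; every address, interface name and access-list name below is an assumption). The same static is kept on both firewalls; the backbone router decides by destination which firewall sees the server's return traffic, and the PIX stops answering ARP for the static IP on the shared outside segment so that only the FWSM attracts the unencrypted Internet traffic:

```cisco
! --- FWSM: takes over the Internet-facing static (assumed addresses) ---
! 203.0.113.10 = public address of the server, 10.1.1.10 = server's real address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! suppliers reach the server directly; restrict to the ports actually needed
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! --- PIX: keeps the same static, but only for decrypted partner traffic ---
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! let IPsec-decrypted traffic bypass the outside ACL (PIX 6.x behaviour)
sysopt connection permit-ipsec
! do NOT proxy-ARP for statics on the shared outside subnet, otherwise the
! PIX and the FWSM both answer for 203.0.113.10 and plain Internet traffic
! may land on the PIX instead of the FWSM
sysopt noproxyarp outside

! --- backbone router: return path chosen by destination ---
! 10.1.0.1 = PIX inside address, 10.1.0.2 = FWSM inside address (assumed)
! partner networks reachable only through the VPN on the PIX (assumed range)
ip route 172.16.0.0 255.255.0.0 10.1.0.1
! everything else, including supplier traffic, goes out via the FWSM
ip route 0.0.0.0 0.0.0.0 10.1.0.2
```

The design only holds if the partner address ranges behind the VPN never overlap with anything that should reach the Internet through the FWSM, since the router's destination-based routes are the only thing separating the two paths; the `sysopt noproxyarp outside` line is the check to make on the PIX, because two boxes proxy-ARPing for the same static on one segment is the usual cause of intermittent breakage in this kind of dual-firewall migration.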