Just want to make sure before telling a customer to purchase this firewall. Basically this customer uses about 15 subnets (over the course of a couple years has gradually grown needing more and more IPs). But some of his servers, for various reasons, aren't on the same subnet as another server and so when transferring traffic it goes through to my router. My router contains it all in their VLAN, but appears to still count it as traffic for them. It's not so simple as it seems for them to change their servers' IPs, so they want to put a firewall in between their switch and my router that does basic static routing. That way the inter-subnet routing is handled by their firewall and my router only gets traffic destined for other networks. They are assured I'm not counting more traffic than they're really using and they get firewall protection.
So I would just assign the PIX a /30 like I would any customer's router and route their subnets to it. Nothing would change on the servers (a critical requirement). They would have the same public IPs and the same gateway. Although they might need to clear their ARP caches on their servers as the gateway is now their firewall instead of my router.
Even better would be if the PIX 515E supported OSPF in this manner.
Thanks for your responses paresh and CK. Looks great, but I just want to be very clear so I don't steer my customer in the wrong direction. I don't need routing on the inside interface. The servers behind the firewall will have publicly accessible IP addresses. No NAT/PAT involved whatsoever. The firewall will be the gateway (also a publicly accessible IP as the last usable IP in the same subnet of each server's main IP). The firewall will then act as a router and simply route all packets to my router.
So in essence, the firewall will at least provide the exact same functionality as a very simple router.