First: The interfaces on the outside subnet must be within the same IP range, or you must manually enter routes to each other in the PIX and the router, which isn't the best. Another solution: for the outside subnet, use 172.16.0.254/30 on the router and 172.16.0.253/30 on the PIX. Since this route is more specific than the rest of the 172.16/16 route, I hope the PIX will handle it correctly, like a router.
Second: You need the PIX to do proxy-arping to answer for the host's gateway IP address (172.16.0.254). Based on the following excerpt from Cisco's doc: "By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests)." You must make 172.16.0.254 a global address or a static one. I'm not sure if the PIX will accept this, but you can try.
Finally, if the need to keep the router's inside IP address is just to keep the hosts' gateway IP address the same, you can use the global or static hint for proxy-arping and configure another IP subnet which isn't in conflict with the inside range.
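As an added illustration (not part of the original post, and a model of ordinary longest-prefix routing, not of how a PIX actually behaves), this Python script checks the suggested /30 pair against the 172.16/16 range the post mentions and lists which addresses the more specific route takes away from it. The `inside`/`outside` labels and the function names are assumptions.

```python
import ipaddress

# Addressing taken from the post; the interface labels are assumptions.
INSIDE = ipaddress.ip_network("172.16.0.0/16")
ROUTER_OUT = ipaddress.ip_interface("172.16.0.254/30")
PIX_OUT = ipaddress.ip_interface("172.16.0.253/30")

ROUTES = [(INSIDE, "inside"), (ROUTER_OUT.network, "outside")]


def same_subnet(a, b):
    """True when both interfaces are usable hosts of one shared subnet."""
    return a.network == b.network and all(
        i.ip in a.network.hosts() for i in (a, b)
    )


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific network containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def shadowed(specific, covering):
    """Addresses of `covering` that the more specific route takes over."""
    if not specific.subnet_of(covering):
        return []
    return [str(ip) for ip in specific]


if __name__ == "__main__":
    print("same outside subnet:", same_subnet(ROUTER_OUT, PIX_OUT))
    for dst in ("172.16.0.254", "172.16.0.250", "172.16.40.7"):
        print(dst, "->", lookup(dst))
    print("addresses carved out of the inside range:",
          shadowed(ROUTER_OUT.network, INSIDE))
```

Under plain longest-prefix matching, the four addresses 172.16.0.252 through 172.16.0.255 stop being reachable as inside hosts, so they should not be assigned to anything on the inside segment.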