The PIX can route between directly attached subnets, so you might not need to tweak the router (it will not need an interface on the DMZ because the PIX is likely routing to it); rather, you might just need to create a VLAN on the switch, assign a port to it that the PIX DMZ interface plugs into, as well as any other ports for DMZ hosts.
It is not best practice to use the same switch on both inside and DMZ networks. Even though there is VLAN segmentation, it is still best to use two separate physical devices to negate the risk of the switch being compromised. Your network should be
The PIX will know where to send the traffic without any changes to your routers. If your PIX only has two interfaces, it is not possible to implement a true DMZ.
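As an added example, not taken from any of the replies above: the switch-side VLAN and PIX-side interface configuration that the first reply describes, with a constructed VLAN number, port names and addresses (PIX 7.x/ASA syntax on the firewall). Putting the DMZ on its own physical switch, as the second reply recommends, changes only the switch part.

```cisco
! --- Switch side (Cisco IOS, constructed example) ---
! Dedicated VLAN for the DMZ; nothing else is placed in it.
vlan 30
 name DMZ
!
! Port that the PIX DMZ interface plugs into.
interface FastEthernet0/10
 description PIX Ethernet2 (DMZ)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Ports for DMZ hosts (e.g. a public web server).
interface FastEthernet0/11
 description DMZ web server
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! If inside and DMZ share this switch, keep VLAN 30 off any trunk that
! leads to inside-only equipment (the exposure the second reply warns about).
interface GigabitEthernet0/1
 description uplink to inside distribution
 switchport mode trunk
 switchport trunk allowed vlan remove 30
!
! --- PIX side (PIX 7.x / ASA syntax, constructed addresses) ---
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
! The PIX routes directly to the attached DMZ subnet, so the inside
! router needs no new interface or static route for 192.168.30.0/24
! as long as its default route already points at the PIX inside address.
```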