Firewall Wizards mailing list archives

Pix Configuration Problem


From: Chris <puetzc () yahoo com>
Date: Sun, 20 Aug 2000 15:20:44 -0700 (PDT)

Hi all,
I have to configure a brand-new Cisco Pix Firewall but
ran into problems.
We have a class C IP address network (yes, we use real
IP addresses / it was that way before I joined the
company). We have 2 routers set up as gateways (one
goes to the internet and the other goes to our HQs). No
subnetting in place, and I would lose too many IPs if I
used subnetting.

I'd like to use dummy IPs on the inside of my firewall
(192.168....) and put the real ones on the outside.
With NAT or PAT configured things should work OK. My
Pix also has an additional interface to setup a DMZ
for our web server / email server.

Now comes the problem and I do not know if I can work
it out.

First of all - all network clients need to have access
to the internet - I want to configure this as the
default route on my Pix. I also have two groups of
machines on the inside of my network. Both groups need
to access the second router to go to our HQs. They
(our HQs) have an additional firewall with rules set up
on their site that routes group 1 (group 1 from my
network) to their destinations and that routes group 2
(of my network) to a different destination. The router
2 on my site is pre-configured and it is not an option
to make changes. It is also not an option to have the
rules on the other site at our HQs changed.

How can I configure this situation so that
a) the IP address translation puts different IPs on
group 1 and 2? I could make 2 different pools but how
do I tell the Pix which inside IP address goes to
which outside pool?

and 

b) How do I tell both groups not to use the router 1
(Internet) as a gateway but to go to router 2 (linking
to HQs) as a gateway when accessing specific IP
addresses at our HQs? Currently I have specific
routing set up (routing entry is on each client / batch
file and login script) so that if my clients need to
access a machine at our HQs they go to the router 2
and completely bypass router 1. Where would I place
this additional route to tell them "Go to router 2 if
IP xyz is destination - do not go to router 1!"?

Keep in mind - all IPs are currently real class C IP
addresses - no subnetting in place. Any help is
appreciated!! Thanks for your help in advance!


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards