The what:
Without going too far into the 'why', here is what I need. I have 3 network segments (192.168.1.0/28; 192.168.2.0/28; 204.x.x.x/26). We have an on-site server on the 204. network owned and operated by a proprietary company. It is all alone and is accessed through a router from the 192. networks. We have two internet gateways (both PIX), one on the 192.168.1.0 network and one on the 204.x.x.x network. The gateway on the 204. network is used solely by the server, and all 192. internet traffic goes out on the 192. gateway. The 192. gateway is a PIX using ACL's to control internet access for all users (we have people that just can't control themselves). Here is where it gets ugly. This 'proprietary company' has decided that some of the machines on the 192. network need to be able to VPN to their off-site server, but they will ONLY let IP's in their range (the 204.) gain access. So here is what I am looking to do. I want all normal internet access to go out the 192. PIX. I want to set up a static route so that any time the VPN IP scheme is accessed, the router will direct THAT traffic out the 204. PIX. Now, because they will only allow traffic coming from their IP scheme, I need to NAT all this traffic from the 192. network going through this to a
204. address. They have made this as difficult as they possibly could on me. Here is what I came up with:version 12.3 service config service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Gateway1721 ! boot-start-marker boot-end-marker ! enable secret 5 ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip cef ! ! ! no ip domain lookup no ftp-server write-enable ! ! ! ! interface Ethernet0 description connected to EthernetLAN_1 ip address 204.x.x.x 255.255.255.192 ip nat outside half-duplex ! interface FastEthernet0 description connected to EthernetLAN ip address 192.168.1.3 255.255.255.0 ip nat inside speed auto ! ip nat pool net-204 204.x.x.x 204.x.x.x prefix 26 ! ip nat inside source list 1 pool net-204 overload ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255 ! router rip version 2 network 192.168.1.0 network 204.x.x.x no auto-summary ! ip classless ip route 0.0.0.0 0.0.0.0 192.168.1.254 ip route 192.168.2.0 255.255.255.0 192.168.1.100 ip route 192.110.68.0 255.255.255.0 204.x.x.x no ip http server ! snmp-server community public RO snmp-server enable traps tty ! line con 0 exec-timeout 0 0 password login line aux 0 line vty 0 4 password login ! ! end