I asked this question a few days ago. However, after doing some reading/research I might be better able to properly ask for what I am looking for
In my office I have two subnets 192.168.100.X and 192.168.111.X Originally I had two offices we have since merged into one location. Each of the subnets has a Cisco router. One is a 891 one is a 2901. Each are set up to access the internet on their own. The 2901 series also is setup with VLAN's for my remaining 9 offices.
In my office I have a Linux servers on a separate 192.168.2.X subnet 192.168.2.4 is our internet server 192.168.2.6 is our intranet server.
I have a spare 891 router. I would like to be able to redirect traffic in this location directly to the 192.168.2.X subnet. If I understand correctly I would set each of the subnets 192.168.100.X and 192.168.111.X as Vlans I would assign an address such as 192.168.100.205 and 192.168.111.205 to these subnets
I would set the 192.168.2.X as the WAN port? Assigning it 192.168.2.205
I would use NAT to direct the traffic?
192.168.100.204 would go to 192.168.2.4
192.168.100.206 would go to 192.168.2.6
192.168.111.204 would go to 192.168.2.4
192.168.111.206 would go to 192.168.2.6
Am I correct, or completely going in the wrong direction? Any help is greatly appreciated.
So as I understand it using 192.168.100.x as an example you want -
when any 192.168.100.x clients sends traffic to 192.168.100.204 that goes to the new router and is translated to 192.168.2.4 and then sent to the internet server.
And the same for 192.168.100.206 and 192.168.2.6 ?
If so this may be possible but I need to lab it up.
The issue is that you are going to be translating the same IPs (192.168.2.4 and 192.168.2.6) to two different IPs each and the router may not like that although I seem to remember there is a way to do it.
I am assuming you don't care with interface is inside or outside in relation to NAT on the new 891 ?
Can you confirm that the above is what you want to do ?
Why do you need to NAT the traffic that's going to your DMZ servers?
Also, I would be wary of setting things up like this. Your internal networks don't have much protection from your DMZ servers if they are connected directly to that 891, especially if you have to put static routes on them as Jon has mentioned.
I would install the 891 as you've shown and just route all 192.168.2.0 traffic to the protected interface of the firewall. Assuming the firewall can do basic routing, it should be able to correctly route back to subnet C by going through the new 891.
That's a very good point about the internal networks and the DMZ servers.
I was so focussed on the NAT side of things I didn't consider that at all.
I also didn't spot that the firewall had an interface in the 192.168.100.x IP subnet so I assumed the issue was the 192.168.100.x clients couldn't get to the firewall but they can as the router will simply forward the traffic back out of the same interface.
Which is not something I like doing to be honest but it could be solved by using a new IP subnet between the router and the firewall if needed.
But anyway I like your approach a lot better and I'm going to remove my posts on NAT because you are right it is not the correct thing to do.
Sometimes I get so wrapped up in the details I miss the bigger picture :-)
The use of the 891 depends on your requirements.
I'm pretty sure the 891 can run IOS firewall. A 3 zone setup should be pretty straightforward.
But, it has limitations on throughput since it's a small office device. Depending on the amount of traffic you have on the current firewall, you'll need to determine if an 891 can handle the load. Running security features on routers tends to drop their throughput dramatically.
Have you heard about Meraki, a sort-of recent Cisco purchase? They have a line of security appliances that are very affordable and easy to use. I think the low-end is around $700 and has a pretty good spec. That might be an low-cost option that fits what you need to do.
It seems like you are adding a lot of additional complexity to your network to avoid replacing your firewall. How many users approx. are at your location? Is your organization open to using other firewall solutions that run on commodity/whitebox hardware, so that you can actually replace that faulty device?