Here is my situation. I have a 506E PIX at one side and a 2801 with the security-enabled IOS at the other side. The site with the 2801 is connected to the internet with a T1. At a later time, I may want to add a DSL to provide some redundancy, but not yet. The site with the 506E is actually residing within a colocation center and is fed with a 10 Mbps Ethernet connection.
Let's call the PIX side Site A and the 2801 side Site B.
Now here are the questions.
The presumed configuration for the PIX will look like this:
1) ACL 102 is used to filter the NATing -- the goal is to exempt Site A internal traffic from NAT so long as it's destined for Site B's internal network. Am I using the correct statement here? Could NAT 0 and NAT 1 be combined somehow?
2) ACL 115 defines what is interesting enough to pass the VPN. Should it then be assumed that all other traffic will leave the router via the default route in an unencrypted format? I.e., Site A's internal hosts will be able to reach the internet with no problem? Basically, will the PIX be clever enough to split the traffic and still provide dynamic ACLs with PAT for internet access at Site A?
3) At Site B the configuration will be slightly different since it's the router IOS, not the PIX. That's of no concern. That site is using a T1 to connect to the internet. Can I simply use a default route like this --> ip route 0.0.0.0 0.0.0.0 s0/1? In my mind that directs traffic out the s0/1 interface, but it doesn't name a next-hop IP. Is this valid, or will I need to obtain a next-hop IP from the ISP?
4) And finally my last question (thanks for all your help). I am exempting the internal networks from NAT. I want Site A local addresses to show up as exactly those addresses when they enter Site B. What makes this possible is the IPsec VPN. There's no NAT, there's no routing protocols (only static routes). So is there any reason I'd need to use GRE tunnels? No multicast traffic, no NAT (on very specific traffic).
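As an added illustration (not the poster's configuration), here is how the pieces in questions 1 to 3 fit together on both boxes: the PIX keeps nat 0 (identity NAT via ACL 102) and nat 1 (PAT via global) as separate statements, the crypto map only encrypts flows that match ACL 115 and lets everything else follow the default route in the clear, and the 2801 side mirrors the crypto ACL and excludes the tunnel pair from its own overload PAT. All addresses, the pre-shared key, and the map and ACL names are constructed placeholders; lines beginning with "!" are annotations for the reader, not commands.

```cisco
! --- Site A: PIX 506E (PIX 6.3 syntax). Addresses are constructed examples:
! inside 10.1.1.0/24, outside 192.0.2.1 (gateway 192.0.2.254), site B inside 10.2.2.0/24, 2801 WAN 198.51.100.1
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 115 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! nat 0 (identity) for the site-to-site pair; nat 1 + global PAT for everything else, so
! the two statements coexist rather than merge: the ACL decides which one a flow hits
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
sysopt connection permit-ipsec
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 115
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
! --- Site B: 2801 (IOS). Crypto ACL is the mirror image of the PIX one.
interface FastEthernet0/0
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
interface Serial0/1
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map VPNMAP
! a default route pointing at a point-to-point serial interface needs no next-hop address
ip route 0.0.0.0 0.0.0.0 Serial0/1
! deny the tunnel pair first so overload PAT never rewrites traffic bound for site A
ip access-list extended NAT-EXEMPT
 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Serial0/1 overload
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES-SHA
 match address 115
```

Because the PIX carries no GRE here, the only traffic that traverses the tunnel is what ACL 115 selects, which is why the NAT exemption and the crypto ACL describe the same source/destination pair on each side.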