Question : Problem: 3550 VLAN Routing Puzzle
Names changed to protect the innocent...
|------------------------------[Cisco 3550 w/ip routing]------------------------------|
|                                        |                                            |
VLAN1(10.181.219.254)            VLAN2(172.16.1.1)                         VLAN3(90.0.0.1)
|                                        |                                            |
Server1(10.181.219.2)            PIX506(172.16.1.254)                      Workstation1(90.0.0.55)
GW:(10.181.219.1)                        |                                            GW:(90.0.0.1)
Route 90.0.0.0 10.181.219.254            |
|                                     Internet
PIX501(10.181.219.1) <--not authorized to modify config
|
Private Intranet
|
Web Server (10.1.1.50)
Ok, if anyone can make heads or tails of my artwork above, here's my problem (aside from my artwork:).
-The 3550 handles the routing between VLANs with a default route pointing to the PIX506 providing internet access: 0.0.0.0 0.0.0.0 172.16.1.254
-Server1 is a communication server and must have its default gateway pointing to the PIX501.
-I'm not authorized to touch the config on the PIX501, but I can add needed routes to Server1 (Windows 2000).
-Workstation1 must be able to see Server1, so I added a route to Server1 for that (that works fine).
-Workstation1 must also be able to access a browser based application served from the WAN side of PIX501 at 10.1.1.50:8787
The question is how to let Workstation1 access the web app at 10.1.1.50? I can make any config changes on any devices except for the PIX501 and down.
The 3550 is now an EMI image so I can use Policy based routing if necessary. Would be nice however if a few well placed routes would do the job.
Thanks for any help.
Answer : Problem: 3550 VLAN Routing Puzzle
>I've got (2) unused Pix 501's
I'll bet we can get something going with one of those old 501's...it might be ugly, but it should work...
          VLAN3 90.x.x.x
                |
           --- 3550 ---- vlan 2 --->PIX506--->internet
           |         |
         VLAN4       | VLAN1 10.81.219.0
           |         |         |
           |         |         |
         PIX501      |       PIX501
           |        SRV1
           |_________|
                |
         Target WWW Server
3550:
interface vlan4
 ip address 192.168.222.1 255.255.255.0
interface fast 0/X                 <== switchport to PIX 501 inside
 switchport access vlan 4
ip route 10.1.1.50 255.255.255.255 192.168.222.2
New501:
ip address inside 192.168.222.2 255.255.255.0
ip address outside 10.81.219.X 255.255.255.0   <== whatever IP is available in this subnet
route inside 0.0.0.0 0.0.0.0 192.168.222.1
route outside 10.1.1.0 255.255.255.0 10.81.219.1
sysopt noproxyarp outside
global (outside) 1 interface
nat (inside) 1 0 0
Sequence of packet travel:
Packet source 90.x.x.x destined for 10.1.1.5 WWW server
PC throws to local default gateway (3550)
3550 has static route through VLAN4 to PIX501
PIX501 has static route through outside interface to "untouchable" PIX501 (UT for short)
PIX501 will nat source 90.x.x.x to become 10.82.219.X
UT sees local packet, nats/forwards to target WWW server.
Everyone is happy and no changes were made to UT
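To check the packet walk above on paper, here is an added example (my own code, not part of the original answer) that models the three routing tables and the source NAT exactly as the answer's config describes them, using longest-prefix match at each hop. It shows why the /32 host route on the 3550 beats its default route, why the untouchable PIX never has to learn a 90.x.x.x route (it only ever sees the translated source), and which destinations the /32 does not cover. Addresses are the ones in the answer's config; the new 501's outside address 10.81.219.200 is an assumed stand-in for the answer's "10.81.219.X", and the UT's route to the intranet web server is likewise assumed.

```python
"""Longest-prefix-match walk-through of the three-hop path from the answer.

Added example, not from the original post. Tables follow the answer's config;
NEW501_OUTSIDE stands in for the answer's "10.81.219.X" (an assumption).
"""
import ipaddress

NEW501_OUTSIDE = "10.81.219.200"                   # assumption for "10.81.219.X"
NEW501_OUTSIDE_NET = ipaddress.ip_network("10.81.219.0/24")

# Each table: list of (prefix, next_hop). "connected" = directly attached
# subnet, delivered without a further hop. Mask lengths for the VLAN subnets
# are assumed (/24) where the post does not state them.
ROUTES = {
    # Cisco 3550 (ip routing): default to PIX506, /32 host route via VLAN4
    "3550": [
        ("0.0.0.0/0", "172.16.1.254"),
        ("10.1.1.50/32", "192.168.222.2"),
        ("192.168.222.0/24", "connected"),
        ("10.81.219.0/24", "connected"),
        ("90.0.0.0/24", "connected"),
    ],
    # New PIX501 in VLAN4: inside default back to the 3550, outside route
    # for the web server subnet toward the untouchable PIX
    "New501": [
        ("0.0.0.0/0", "192.168.222.1"),
        ("10.1.1.0/24", "10.81.219.1"),
        ("192.168.222.0/24", "connected"),
        ("10.81.219.0/24", "connected"),
    ],
    # Untouchable PIX501 (UT): only its existing routes, nothing added.
    "UT": [
        ("10.81.219.0/24", "connected"),
        ("10.1.1.0/24", "intranet"),            # assumed existing route
    ],
}

# Which modelled device owns each next-hop address (PIX506 is not modelled).
OWNER = {
    "192.168.222.2": "New501",
    "192.168.222.1": "3550",
    "10.81.219.1": "UT",
    "172.16.1.254": "PIX506",
}


def lookup(table, dst):
    """Return the next hop for dst by longest-prefix match, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def trace(src, dst):
    """Follow a packet from Workstation1's gateway (the 3550) toward dst.

    Returns (hops, seen_src): hops is the ordered list of (device, next_hop)
    decisions; seen_src is the source address the last device sees, which the
    new 501's 'nat (inside) 1 0 0' / 'global (outside) 1 interface' pair
    rewrites to its outside address when the packet exits that interface.
    """
    device, hops = "3550", []
    while True:
        nh = lookup(ROUTES[device], dst)
        hops.append((device, nh))
        if (device == "New501" and nh not in (None, "connected")
                and ipaddress.ip_address(nh) in NEW501_OUTSIDE_NET):
            src = NEW501_OUTSIDE           # PAT to the outside interface IP
        nxt = OWNER.get(nh)
        if nxt is None or nxt not in ROUTES:
            return hops, src               # left the modelled devices
        device = nxt


def ut_can_return_to(addr):
    """True if the untouchable PIX can reach addr with its existing routes."""
    return lookup(ROUTES["UT"], addr) is not None


if __name__ == "__main__":
    for dst in ("10.1.1.50", "10.1.1.51"):
        hops, seen = trace("90.0.0.55", dst)
        print(dst, "->", " / ".join(f"{d}: {nh}" for d, nh in hops), "| src seen:", seen)
    print("UT can reply to NAT address:", ut_can_return_to(NEW501_OUTSIDE))
    print("UT can reply to raw 90.x source:", ut_can_return_to("90.0.0.55"))
```

The second trace is the caveat worth knowing: the /32 only steers 10.1.1.50, so a neighbouring intranet host would still follow the 3550's default route out toward the PIX506; widening the static to 10.1.1.0/24 on the 3550 is the knob if more of that subnet must be reachable. The last two checks show the whole point of the NAT: the UT's reply goes to an address on its own inside subnet, while an untranslated 90.x.x.x source would need a route nobody is allowed to add.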