Can you NAT to a server through a firewall that is not the default gateway?

I have several servers that are NATed through a crappy old PIX on a 100mb internet connection. I am moving the default gateway to a new Juniper for Gig connectivity. Both connections and firewalls will continue to co-exist.

Will the original NAT continue working through the PIX or will the server return path choose the default route and go back to the Juniper thus breaking?
 
The answer is - sort of.

Packets will come inbound from the PIX, then the server will reply outbound from the Juniper. Now, sometimes this may work, but the behaviour is undefined - I've seen this where pinging one IP ends up getting replies from another one!

There are tricks you can do - including nasty bi-directional NAT, where you NAT all the inbound packets to appear to come from the firewall, so your servers reply to the local address of the firewall, which then untangles the NAT and replies onto the web - that's not pretty.

If TRX is about he knows quite a lot about this sort of thing...

So the bottom line is... no, it won't work, not to any satisfactory level anyway.

Yeah, I have come to this conclusion as well. Looking at the current PIX configuration (which I inherited), it appears that we may only be doing NAT for very specific source blocks, in which case on the few servers concerned I can do static routes back to the PIX.
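The routing behaviour discussed in this thread, as an added illustration that is not part of the original posts: a small longest-prefix-match route lookup for the server, run against the three situations described above (default gateway moved to the Juniper with plain inbound NAT on the PIX, a static route for the specific remote source block back to the PIX, and the bi-directional NAT trick where the PIX rewrites the source to its own inside address). All addresses are constructed lab values from the RFC 1918 and RFC 5737 ranges, and the device names are assumptions for the example only.

```python
import ipaddress

# Constructed lab addressing (not from the thread).
SERVER_IP   = "10.0.0.10"
PIX_INSIDE  = "10.0.0.1"      # old firewall, still performs the inbound NAT
JUNI_INSIDE = "10.0.0.2"      # new firewall, becomes the server's default gateway
CLIENT_IP   = "198.51.100.25" # Internet client that reached the PIX's public NAT address

# Which inside device answers for which directly connected (on-link) address.
ONLINK_DEVICES = {PIX_INSIDE: "PIX", JUNI_INSIDE: "JUNIPER"}


def build_server_table(static_routes=()):
    """Server routing table: the connected subnet, a default route via the
    Juniper, plus optional static routes given as (prefix, next_hop) tuples."""
    table = [
        (ipaddress.ip_network("10.0.0.0/24"), None),       # connected, no gateway
        (ipaddress.ip_network("0.0.0.0/0"), JUNI_INSIDE),  # new default gateway
    ]
    for prefix, next_hop in static_routes:
        table.append((ipaddress.ip_network(prefix), next_hop))
    return table


def lookup(table, dst):
    """Longest-prefix match, as a host kernel does. Returns the gateway
    address, or None when the destination is on-link."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if ip in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw


def reply_device(table, src_as_seen_by_server):
    """Which inside firewall receives the server's reply to a client address."""
    gw = lookup(table, src_as_seen_by_server)
    hop = gw if gw is not None else src_as_seen_by_server  # on-link: deliver directly
    return ONLINK_DEVICES.get(hop, "UNKNOWN")


def session_is_symmetric(table, inbound_device, src_as_seen_by_server):
    """True when the reply leaves through the same firewall that delivered the
    request, i.e. the device holding the NAT/connection state sees both
    directions. Anything else is the undefined behaviour described in the thread."""
    return reply_device(table, src_as_seen_by_server) == inbound_device


def pix_bidirectional_nat(client_ip):
    """Model of the bi-directional NAT trick: in addition to translating the
    destination, the PIX rewrites the source to its own inside address, so the
    server only ever sees the PIX and replies to it on-link."""
    return PIX_INSIDE


if __name__ == "__main__":
    def show(label, table, seen):
        state = "symmetric" if session_is_symmetric(table, "PIX", seen) else "ASYMMETRIC"
        print(f"{label:<16}: reply goes to {reply_device(table, seen):<8} {state}")

    # 1. Plain inbound NAT on the PIX, default route moved to the Juniper.
    show("no static route", build_server_table(), CLIENT_IP)
    # 2. Static route for the specific remote source block back to the PIX.
    show("static route", build_server_table([("198.51.100.0/24", PIX_INSIDE)]), CLIENT_IP)
    # 3. Bi-directional NAT: the server sees the PIX as the client.
    show("bi-dir NAT", build_server_table(), pix_bidirectional_nat(CLIENT_IP))
```

On a Linux server the second case corresponds to `ip route add 198.51.100.0/24 via 10.0.0.1`, and it only scales while the NATed source blocks stay few and fixed, which is why the PIX configuration is worth checking before relying on it. The third case keeps the session symmetric at the cost of the server no longer seeing the real client address, so access logs and any source-based access control on the server lose that information.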
 