Question re:506E Routing Between VLANs?
Posted on 2004-09-16
I have a decent amount of knowledge re: IP/routing/etc. but I'd like to pose a question to make sure I understand my situation and handle it correctly.
My existing topology is very, very simple: I currently have a Cisco 1720 provided by my ISP handling the Internet connection. A WIC on the router goes to the ISP/Internet and this Router's Ethernet Port goes directly to the outside interface of my Cisco PIX 506E. The inside interface of the 506E is simply connected to the stacked hubs (unmanaged, no VLANs) with the rest of my network -- users and servers, etc. I have a set of 64 public IP addresses available to me from the ISP (xxx.xxx.xxx.128 /26) and the 506E is set up correctly to do what I need it to do in this configuration.
The issue at hand is that a data vendor of mine wants to "hang" his VPN-configured router off my network so that my users can have connectivity to him. (I assume that his router is preconfigured with his networks' VPN information and I just have to set up the route tables to route requests to his specific IP addresses through his router rather than my router.) The question is "How do I get this router integrated into my network?". One important piece of information is that I've got three Dell 3324 Managed Switches (stacked) awaiting deployment -- and I think their VLAN capability is needed here, so that'll work out nicely.
My best guess is that I configure a small 4 port VLAN as the INTERNET VLAN, and the rest of the ports on those switches become my USER or LOCAL or INTRANET VLAN. I'll attach 1) my Internet Router and 2) the vendor's Router (e1) and 3) the 506E (e1) all to the INTERNET VLAN. The other end of the 506E (e0), of course, will go into the USER/LOCAL/INTRANET VLAN. But I have two (and a half) big questions:
1) Does the vendor's router need to have an (e0) interface going into my USER/LOCAL/INTRANET VLAN? Or can the 506E remain the only way out of my users' network to the INTERNET VLAN? (How does the request know which router to go "out" through?) I'm guessing that if I have to connect the vendor's router into my USER VLAN then I'll have to install another Firewall between his router and my USER VLAN for protection (I don't have another Firewall right now, so that's a problem).
2) I've read something about "the 506E cannot route back through the interface which a packet came from". Does this affect me in the new config? Does this mean that I need to put a router between the 506E and the USER/LOCAL/INTRANET VLAN? (I'm guessing "no" -- it's basically the same as my previous config -- (e0) of the 506E attached to the hub (now a VLAN) -- but I'm not sure how the new INTERNET VLAN affects this -- I'm thinking that there might be an issue because I know you need to route between VLANs and I know the 506E is not a true router.)
3) Lastly, if I do set up the two VLANs, do I need to do any subnetting? As you may or may not be able to tell, I'm very new to VLANs and, in general, haven't messed with network configurations (at this level) in a number of years. I need someone to give me a little brush-up and set me straight on how all of this should work...
Any help with this is greatly appreciated!