can a 1605 router forward traffic to a different subnet?

I have a site in North Carolina; its network infrastructure document is in the attachment.

I got a disaster from that site. The firewall device PIX5505 was dead totally. The only thing I know for that device is its internal IP If I plan to buy another device with the same model, how could I make the configuration?

Also, the following is my understanding of the diagram; is it correct? Especially about the 1605 router's function. Does it have the ability to receive traffic from network and forward them to network in our headquarter?

From the document I have, I believe the PIX5505 which was dead already had been working as both firewall and gateway. All desktop traffic would be sent to PIX5505 first, then it decided if the traffic would go to the internet through T1 router (provided by Paetec) or should forward to internal router 1605. Also I am not sure how 1605 router forwards internal traffic to Bradford since there is only one cable connecting it. The only time it's working by using one cable is the original network and destination network are on the same network. In our case, the network in NC is, the one at Bradford is I am not sure if it can achieve it.
Jason Yu Asked:
surbabu140977 Commented:
First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)

Second Question, is it a 1605-R series router? What IOS are you having there?

It will be possible to use the 1605 router but security compliance will not be there like pix. This router may or may not support your actual data flow (1605 is not so powerful). But since you are having a T1 so it might not be an issue.

If you do not have any backup config, it will be a fresh startup. Even with the backup of pix, things might look not so simple.

Things will not look good if you ask 1605 router to do internal routing as well as act as the wan gateway with security. You might end up with more problem than solution.

Jason Yu (Author) Commented:
Sorry, I forgot to attach the diagram.
You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the LAN cable to E1 and attach it to switch (the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.

But as far as security or pix config is concerned, cannot comment on that. It will not be wholly replicable in 1605.

Jason Yu (Author) Commented:
Hi all, thank you for your reply.

---------For the first question, to be honest, I don't understand it either. Could I disconnect it without any impact?
"First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)"

---------For the second question.
Yes, it's 1605 router. The version information is as follows:

NC-1605#show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.1(5)T6,  RELEASE SOFTWARE (fc1)
TAC Support:
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 30-Mar-01 05:03 by ccai
Image text-base: 0x02005000, data-base: 0x02606324

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T,  RELEASE SOFTWARE (fc1)

NC-1605 uptime is 8 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c1600-y-mz.121-5.T6"

cisco 1605 (68360) processor (revision C) with 12288K/4096K bytes of memory.
Processor board ID 22638291, with hardware revision 00000003
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
System/IO memory with parity disabled
8192K bytes of DRAM onboard 8192K bytes of DRAM on SIMM
System running from RAM
7K bytes of non-volatile configuration memory.
8192K bytes of processor board PCMCIA flash (Read/Write)

Configuration register is 0x2102


---------------For this site, we have a fail-over setup: we have a T1 provided from Paetec and a DSL provided by another company. When we have a T1 problem, we will transfer traffic to the DSL. We achieve this switch by resetting routes on both Headquarter's firewall and this 1605 router. If you guys need detail, I can upload the configuration commands here.

Now, the problem for me is I need to recover the old settings on the new PIX 5505 firewall. I am not sure if the Pix IP ( or written on the document is the WAN IP of the old PIX 5505 appliance. Can anyone help me verify this?

Jason Yu (Author) Commented:
Hi, surbabu140977, I couldn't understand some of your points.

For the 1605 router, there are four ports on it. From left to right:

1. 10 Base T
2. Ethernet 0
3. Ethernet 1 10 base T
4. Console

Do you mean I need to connect Paetec router to E0 and set up WAN IP on E0? Also, I need to connect the LAN cable to E1 (do I need to set up LAN IP on E1 interface)? Thanks.

You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the LAN cable to E1 and attach it to switch (the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.
You have only basic IP IOS image in 1605 router. That might not suit well for your purpose.

From Paetec, yes, the second link I think can be disconnected. But again, we can speculate only. But it's up to someone at the site to verify if it's doing any good or not. Maybe at the switch, the very particular port of that cable might reveal something.

You can forget about the pix because right now there is no way to put that config anywhere. Your router won't support. You said it's down. Is it hard down? How will you recover?

You have 2 ethernet ports. E0 and E1. (both are 10base T). You should be avoiding using those. So in short that router won't serve you any good.

There is one serial wan interface slot. You have to contact paetec if they will support it. (proper cable for T1).

If paetec says yes, then that wan can be used and E0 or E1 can be plugged to your lan. We will help.

But avoid using that router. As said earlier, it's old and hardware not enough for your job. It will create a big lot of issues.

Do not allow anyone to use that E0 or E1 for WAN.

Jason Yu (Author) Commented:
OK, I purchased a SonicWall TZ215 for that site and configured it as below.

I hope after I ship the appliance to North Carolina , it can work.

The IP address is as follows; could you help me check it?

In my old record file, I saw one line "PIX global" and "Pix". I got confused by these two IPs, don't know which one the old firewall used for the WAN port.

WAN Interface:
Static mode
Subnet mask:
Default Gateway:

DNS Server:

LAN Interface
Static IP Mode
Default LAN
Most likely WAN IP was and "PIX global" was used for NAT/PAT in the Pix. But there is no harm now if you use alternately because you have the full IP range from - available. You can use anything in between for anything. It's a fresh new config and it's all yours. : )

No need to use separate IP, you can use the WAN IP as global and do the natting.

I think you may have missed the nat config in your firewall. Without it your inside lan will not be able to connect to internet. (did not see you mentioning NAT)

Jason Yu (Author) Commented:
Hi, surbabu, I sent out the new SonicWall TZ215 there and installed it well. It is working now.
I will check to see if I need to set up a proxy on the firewall. We have a proxy Linux server at that site; if I want to still use that proxy server, do I need to route all internet traffic to that server?

No, just go into the browser (IE or Firefox) of the PCs and type the proxy IP there.

In Firefox it's under Edit-->Preference-->Advance-->Network tab.

In Internet Explorer, it's under tools-->Internet options-->connection tab.

The proxy server IP should be natted in your firewall, else connections won't go out.

You can also put IP directly in the server and all LAN traffic should get routed through the firewall to the proxy and then again back to firewall for internet, but it's not the very best design to route every traffic unnecessarily.

Some people also put a dual NIC and put one lan IP and one wan IP also. It's your choice.

Jason Yu (Author) Commented:
Got it solved, we will implement the proxy control through sonic.
Jason Yu (Author) Commented:
Very good reply.
Question has a verified solution.