Our existing firewall is provided and managed by a telco company that also provides a T1 circuit and MPLS. The firewall has a small subnet on the public side and a 10.0.0.0/24 address on the private side. All clients on the LAN use the firewall as their default gateway. Additionally, some of the public addresses are static NATed back to a few servers within the LAN.
Since 1.54 Mb/s is getting pretty tight for Internet access, we'd like to supplement our connectivity with an inexpensive broadband connection. A cable modem won't come with the SLA of bringing in an additional circuit, but considering the difference in cost, it's something we can live with. The problem is that (obviously) the telco won't allow us to connect another provider into their managed firewall. What I'd like to do is put a secondary firewall (a Linux box with Shorewall) behind the existing firewall. Using three interfaces, I could interconnect the LAN, broadband, and existing firewall. I've read through the multi-ISP docs, but I don't know if the additional layer of NATing (performed by the existing firewall) is going to cause me problems.
What would be the best way to make a "drop in" solution that would not require changes to the existing firewall? Would it make sense to bridge the LAN and existing firewall interfaces?
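As an added illustration of the routed (non-bridged) layout the post considers, not code from the original poster or from the Shorewall project, the script below stages a Shorewall multi-ISP configuration for the inserted box. The addressing is entirely assumed: the LAN is renumbered to 10.0.1.0/24 on eth0 with the new box as default gateway, eth1 sits on the old 10.0.0.0/24 segment and points at the telco firewall's inside address 10.0.0.1 (the box itself being 10.0.0.2), and eth2 faces the cable modem via DHCP. The files go into a staging directory rather than /etc/shorewall so they can be reviewed as an ordinary user before being copied into place. The security-relevant detail is the `track` option: connections that enter through the telco firewall's static NATs are marked so their replies leave on eth1, so the upstream NAT layer stays transparent to Shorewall (each box's conntrack reverses only its own translation).

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical addressing:
#   eth0  LAN side of the new box, 10.0.1.0/24 (LAN renumbered; box is gateway)
#   eth1  toward the telco firewall's inside address 10.0.0.1; box is 10.0.0.2
#   eth2  cable modem; address and gateway obtained via DHCP
# Files are written to a staging directory, not /etc/shorewall.
# File names follow Shorewall 4 (masq, rtrules); Shorewall 5 renamed masq to
# snat, and very old 4.x releases called rtrules route_rules.

write_shorewall_stage() {
    stage="$1"
    mkdir -p "$stage" || return 1

    cat > "$stage/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4
EOF

    # Classic 4-column format (ZONE INTERFACE BROADCAST OPTIONS); '-' = none.
    cat > "$stage/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        -           tcpflags,routefilter,nosmurfs
net     eth1        -           tcpflags,nosmurfs
net     eth2        -           tcpflags,nosmurfs,dhcp
EOF

    # Default-deny from both uplinks; LAN may initiate outbound.
    cat > "$stage/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Masquerade the LAN behind whichever uplink a connection is routed to.
    # Traffic via eth1 is NATed twice: here (to 10.0.0.2) and again by the
    # telco firewall (to a public address). Each conntrack table reverses
    # only its own translation, so the stacking is transparent.
    cat > "$stage/masq" <<'EOF'
#INTERFACE  SOURCE
eth1        10.0.1.0/24
eth2        10.0.1.0/24
EOF

    # 'track' marks connections arriving on an uplink so replies leave on the
    # same uplink: a session reaching a LAN server through one of the telco
    # firewall's static NATs is answered via eth1, never via the cable modem.
    # 'balance' spreads new outbound connections across both by weight.
    cat > "$stage/providers" <<'EOF'
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY     OPTIONS             COPY
Telco   1       1       main        eth1        10.0.0.1    track,balance=1
Cable   2       2       main        eth2        detect      track,balance=4
EOF

    # Pin selected hosts to the telco link regardless of balancing, e.g. a
    # server whose public identity is one of the telco's static NAT addresses
    # (10.0.1.10 is a constructed placeholder).
    cat > "$stage/rtrules" <<'EOF'
#SOURCE     DEST    PROVIDER    PRIORITY
10.0.1.10   -       Telco       1000
EOF
    return 0
}

# Pre-install check: does FILE in the stage contain PATTERN?
stage_has() {
    grep -q -- "$3" "$1/$2"
}

# Usage: write_shorewall_stage ./shorewall-stage && stage_has ./shorewall-stage providers track
```

Before activating it, `IP_FORWARDING=On` still has to be set in shorewall.conf, and `shorewall check` run against the staged directory. Hosts that must keep receiving the telco firewall's static NATs without any change on that side can also simply stay on the old 10.0.0.0/24 segment behind eth1, which avoids touching the existing firewall at all.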