Firewall, DMZ Design and Config

Unanswered Question
Apr 27th, 2007

Hi all,

I am looking for information regarding design and configuration of firewall on a Cisco 2801 router.


Cisco 2801 with 2 eth. ports and 5 VLANS configured. The 2 ports connected to Cisco 2950 switches.

Native vlan - 1 (some PCs and servers on this VLAN)

2 Trusted VLANS - vlan 3 and vlan 4

DMZ - vlan 10

Untrusted (ADSL) - vlan 100

I would like to know how to set up the 2801 router such that users on vlan 3 and 4 can connect to the internet via the ADSL router (on VLAN 100).

Currently I have set up a default route on the router such that all traffic is forwarded to vlan 100.

ip route

Any ideas how can I get this configured?


melvey Sat, 04/28/2007 - 07:12

I have a similar setup using a 1721.

You want to set up subinterfaces on each ethernet port of the 2801, for each VLAN.

e.g. something like:

interface FastEthernet0.1
 description VLAN 1
 encapsulation dot1Q 1 native
 ip address
 ip access-group 111 in

etc, for each one, so each subinterface has a different IP.

Then you'll need to configure 802.1q trunking on the 2950 ports connected to the 2801, and assign the other ports appropriately.

You probably want the Cisco to do DHCP,

ip dhcp pool 0

ip dhcp pool 1
 network 192.168.x.0
 default-router 192.168.x.y


The default route is correct; setting up the subinterfaces will make the routing table correct for the directly connected networks on each VLAN.

Then the ACLs: they will look something like:

access-list 151 remark Allow certain inter-VLAN traffic
access-list 151 permit ip host any log
access-list 151 deny ip any
access-list 151 deny ip any
access-list 151 deny ip any
access-list 151 deny ip any
access-list 151 deny ip any
access-list 151 deny ip any
access-list 151 remark no bcasts.
access-list 151 deny ip host any
access-list 151 deny ip any
access-list 151 permit ip any any
access-list 151 permit icmp any any

Hope that gets you on the right track. I can't go into a whole lot more detail than that.

I assume ports assigned to each vlan are (or will be) on one or the other switch. (Maybe you want the 2950s connected to each other and just one connected to the 2801?)
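As an added, fuller example of the router side described above (this is not melvey's configuration or anything from Cisco's documentation), the following IOS configuration puts one dot1Q subinterface per VLAN on the 2801, sends the default route to the ADSL router, enables PAT so every VLAN shares the VLAN 100 address, and applies an inbound ACL on the DMZ subinterface so DMZ hosts can reach the internet but can only answer, never initiate, towards the internal VLANs. The interface names (FastEthernet0/0 and its subinterfaces), the 192.168.<vlan>.0/24 subnets, the ADSL router address 192.168.100.1 and the ACL numbers are assumptions chosen to fit the five VLANs in the question.

```cisco
! Added example; not the poster's or Cisco's configuration. Interface names,
! subnets (192.168.<vlan>.0/24), the ADSL router at 192.168.100.1 and the
! ACL numbers 1 and 110 are assumptions.
!
! --- Physical port carrying the 802.1Q trunk from the 2950 ---
interface FastEthernet0/0
 description 802.1Q trunk to 2950
 no ip address
!
! --- One subinterface per VLAN; each one becomes a directly connected route ---
interface FastEthernet0/0.1
 description Native VLAN 1 (PCs and servers)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.3
 description Trusted VLAN 3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.4
 description Trusted VLAN 4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.10
 description DMZ VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
!
interface FastEthernet0/0.100
 description Untrusted VLAN 100 - ADSL router
 encapsulation dot1Q 100
 ip address 192.168.100.2 255.255.255.0
 ip nat outside
!
! --- Default route towards the ADSL router (assumed to be 192.168.100.1) ---
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! --- PAT: all inside VLANs leave through the single VLAN 100 address ---
ip nat inside source list 1 interface FastEthernet0/0.100 overload
access-list 1 permit 192.168.0.0 0.0.255.255
!
! --- DMZ policy: evaluated top-down, first match wins, implicit deny at end ---
! Only TCP replies (ACK or RST set) to sessions that internal hosts opened
! towards DMZ servers may go back inside; any other DMZ-sourced packet aimed
! at an internal VLAN is dropped and logged. Restricting the source to the
! DMZ subnet also drops packets with spoofed source addresses.
access-list 110 remark DMZ -> inside: TCP replies only
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255 established
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255 established
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 established
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 log
access-list 110 remark DMZ -> internet
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
```

Two points worth keeping in mind with this layout. Numbered ACLs are stateless: the `established` keyword only matches TCP flags, so UDP or ICMP sessions from the inside to the DMZ will not get their replies back unless they are permitted explicitly, and an IOS image with the firewall feature set can replace those lines with stateful inspection (`ip inspect`). The ACL only lives on the DMZ subinterface, so the trusted VLANs are left unrestricted, which matches their name; check hit counters with `show access-lists 110` and translations with `show ip nat translations` while testing.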

rsabapathee Sun, 04/29/2007 - 08:05

Thanks for the response, buddy.

Perhaps my question was too open. Let me clarify.

The VLANs are configured correctly with the Cisco 2950 to 2801 link as a trunk. Ports on the switch are set to the correct access VLAN. Inter-VLAN routing has been configured and is working perfectly. I do not need DHCP at this stage.

The final step of this project is to set the adsl router to a different vlan and eventually set up the firewall on the 2801.

Now, reading through the previous post, I realise I might need to set up the link between the 2801 and the ADSL router as a trunk, or does the 2801 remove the tagging before sending the data to the ADSL router?

(However adsl router is a non-cisco and does not support 802.1q).

How do I proceed?
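The question of where the 802.1Q tag is removed is easiest to see on the switch side, so here is an added example of the matching 2950 configuration (it is not the poster's configuration or anything from Cisco's documentation). The router's VLAN 100 subinterface always sends tagged frames, so a router that does not understand 802.1Q cannot hang directly off that trunk; instead it is plugged into a switch port that is an access port in VLAN 100, and the switch strips the tag on that port. The port numbers are assumptions; the VLAN numbers are the ones from the question.

```cisco
! Added example; not the poster's or Cisco's configuration. Port numbers
! (Fa0/1, Fa0/2, Fa0/10, Fa0/24) are assumptions; VLAN numbers come from
! the question.
!
! Port facing the 2801: an 802.1Q trunk carrying every VLAN the router has a
! subinterface for, and nothing else. DTP is turned off so the port cannot
! be negotiated into another mode by whatever is plugged into it.
interface FastEthernet0/1
 description Trunk to 2801 Fa0/0
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3,4,10,100
 switchport nonegotiate
!
! Port facing the ADSL router: a plain access port in VLAN 100. Frames leave
! this port untagged, so the non-Cisco ADSL router never sees 802.1Q headers.
! Keep VLAN 100 for this port only, so the untrusted side cannot reach any
! host except through the 2801.
interface FastEthernet0/24
 description ADSL router (untagged, VLAN 100 only)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
!
! Typical trusted user port and DMZ server port, for comparison
interface FastEthernet0/2
 description Trusted user, VLAN 3
 switchport mode access
 switchport access vlan 3
!
interface FastEthernet0/10
 description DMZ server, VLAN 10
 switchport mode access
 switchport access vlan 10
```

`show interfaces trunk` confirms which VLANs are actually carried towards the 2801, and `show vlan brief` confirms that the ADSL port is the only member of VLAN 100. The alternative is to skip VLAN 100 altogether and connect the ADSL router to the 2801's second Ethernet port untagged, with `ip nat outside` on that physical interface and the default route pointing out of it; either way the untrusted link terminates on the router and never shares a VLAN with the trusted or DMZ hosts.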


