Multi-Interface Firewall Config Help

Unanswered Question
Feb 4th, 2009

Hi everyone, this is a problem I have been working at off and on for a long time. Before I waste anyone's time posting my config I'll ask if what I want to do is even possible.

I have a 2811 router running IOS 12.4(22)T. I have Fa0/1 connected to the Internet, and Fa0/0 with VLAN sub-interfaces on it (2 for now). I want one of the VLAN's (say Fa0/0.1) to be our private network. I want the other (say Fa0/0.2) to be a public network used for a WiSP service. Currently we use m0n0wall in a similar config but it's nearing the end of it's practicality and we want to upgrade.

Anyway, my problem is with traffic flow.

-I want all traffic originating from the Private side to be permitted everywhere (to all other interfaces), and returning traffic to be permitted back (Internet access and management access to the WiSP side).

-I want traffic originating on the WiSP side to be permitted to the Internet (return traffic permitted of course), and traffic not permitted to the Private side.

-I want only specified Internet-originating traffic permitted in to certain hosts.

I have tried just using ACL's, I tried with CBAC (got confused) and just tried using Zone Based Firewall. I can get the Private-to-Internet and WiSP-to-Internet stuff working fine. But each time I try to restrict traffic between the Private network and the WiSP network I either get full traffic flow both ways, or no traffic flow either way. I just want WiSP customer to reach the Internet only, and the private network to reach the Internet and manage the WiSP side.

Is this even possible? Any help is appreciated. I am not good with Cisco configs - slowly getting better. I just played around with ZBF in SDM today and hit the same wall - as soon as I create a zone-pair to block originating traffic in the WiSP zone to the private zone I lose connectivity the other way.

Help? Thanks in advance for anyone willing to help. I am at the point in trying this long enough that I want to pay someone else to do the config to my specs. haha :-|

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
eddie.mitchell@... Thu, 02/05/2009 - 11:45

I would suggest using a Cisco ASA firewall for this basic network configuration. Three physical interfaces (Internet (outside), DMZ(Wireless/WiSP) and inside). Setting up the appropriate ACL's to permit/restrict traffic between these environments would be trivial.

Hope this helps.

Actions

This Discussion