438 Views, 0 Helpful, 4 Replies

Need to separate public/private LANs/WANs on the same 2811 ISR

blawrimore1 (Level 1)

I have a 2811 with two F/Es and two WAN circuits: one for public Internet (s0), and one for private WAN connections (s1). f0/0 has a public IP that connects directly into a firewall. The firewall has a DMZ for a web server. I plan to have the private, protected-side LAN connected on f0/1. I need all traffic (f0/1 and s1) bound for the Internet (s0) to go through the firewall and then to f0/0 and s0, not be routed directly to s0.

Pretty much, I have the ip route 0.0.0.0 0.0.0.0 pointed to s0, but when I connect the private side to f0/1, this is going to route all Internet traffic to s0 without going through the firewall (needed; it is running Websense). Is there a way I can say that for all private traffic bound for an unknown destination, the default gateway is the firewall?


4 Replies

stomasko (Level 4)

You really should consider changing this design. As it stands the firewall doesn't appear to be of any use. My suggestion would be to add a router and design it so that the Internet terminates in one router and from there goes into the firewall. The firewall would then connect to another router where the protected LAN and WAN would reside.

Steve

I agree, but it isn't an option for me right now. Those two WAN connections, s0 and s1, are really 3 meg ATM IMA connections, and this is the only router I have with an AIM module.

The only thing I've been able to think of is maybe using VLANs on the FE ports and not routing between the two of them, but I don't know how to keep the box from routing them without using a no ip routing command, which is bad in this case.

Maybe setting up subinterfaces on f0/1, one with the outside firewall and the others with private networks. But this still isn't safe.

Ugh.

stomasko (Accepted Solution)

Sounds like you really have a tough situation. Any chance you could put a firewall at the other end of the private serial link? While malicious traffic could still hit the router, you could put a firewall to protect the Ethernet side of each LAN and have some protection. Just a thought.

Steve

Thanks for the recommendation, but I found out I could use route-maps on the public interfaces (s0 and f0/0) and change the default route to the inside firewall interface for all other interfaces and networks.
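The route-map approach the thread ends on is policy-based routing: packets entering the private-facing interfaces whose destination has no explicit route are handed to the firewall's inside interface instead of following the router's default route to s0. The configuration below is an added example, not the poster's own config and not Cisco documentation; it applies the policy on the private ingress interfaces (f0/1 and s1) rather than on the public ones, and every interface name, address and ACL/route-map name in it is an assumed placeholder (10.0.0.0/8 as the private address space, 10.1.1.254 as the firewall's inside address).

```cisco
! Added example (assumed addressing, not from the original post):
!   f0/0 = public segment shared with the firewall's outside interface
!   f0/1 = protected LAN, router 10.1.1.1/24, firewall inside 10.1.1.254
!   s0   = public Internet circuit
!   s1   = private WAN circuit (remote sites also inside 10.0.0.0/8)

! Private-to-private traffic is excluded from the policy and routes normally;
! everything else sourced from private space is treated as Internet-bound.
ip access-list extended TO-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any

route-map VIA-FIREWALL permit 10
 match ip address TO-INTERNET
 ! "set ip default next-hop" is consulted only when the routing table holds no
 ! explicit (non-default) route for the destination, so prefixes learned over
 ! the private WAN keep normal forwarding; only default-route traffic is diverted.
 set ip default next-hop 10.1.1.254

! PBR acts on packets entering an interface, so it is applied on the ingress
! side of the private LAN and the private WAN, not on the public interfaces.
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map VIA-FIREWALL

interface Serial1
 ip policy route-map VIA-FIREWALL

! The global default route still points at the public circuit; with the policy
! in place it is reached by private traffic only after the firewall has sent it
! back out through f0/0.
ip route 0.0.0.0 0.0.0.0 Serial0

! Defensive filter on the public circuit: nothing arriving from the Internet may
! reach private address space without passing through the firewall. Return
! traffic for firewalled sessions is addressed to the firewall's public side,
! so it is unaffected.
ip access-list extended FROM-INTERNET
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

interface Serial0
 ip access-group FROM-INTERNET in
```

To confirm the policy is matching, `show route-map VIA-FIREWALL` reports per-clause packet and byte counters, and `show ip policy` lists which interfaces carry the policy. Two caveats worth checking in this design: traffic the router itself originates is not subject to interface PBR (it would need `ip local policy route-map`), and the firewall must have a route back to the private WAN prefixes via the router's f0/1 address, otherwise replies for s1 sites are dropped at the firewall.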
