need to separate public/private LANs/WANs on same 2811 ISR

Answered Question
Dec 27th, 2005

I have a 2811 with two f/e's, and 2 WAN circuits: 1 for public internet (s0), and one for private WAN connections (s1). f0/0 has a public IP that connects directly into a firewall. The firewall has a DMZ for a web server. I plan to have the private, protected side LAN connected on f0/1. I need all traffic (f0/1 and s1) bound for the internet (s0) to go through the firewall and then to f0/0 and s0, not be routed directly to s0.


Pretty much, I have the ip route 0.0.0.0 0.0.0.0 pointed to s0, but when I connect the private side to f0/1, this is going to route all internet traffic to s0 without going through the firewall (needed--it is running Websense). Is there a way I can say all private traffic bound with unknown destination, default gateway is the firewall?


stomasko Tue, 12/27/2005 - 13:21

You really should consider changing this design. As it stands the firewall doesn't appear to be of any use. Suggestion would be to add a router and design it so that Internet terminated in one router and from there into the firewall. The firewall would then connect to another router where the protected LAN and WAN would reside.


Steve

blawrimore1 Wed, 12/28/2005 - 05:26

I agree, but it isn't an option for me right now. Those two WAN connections, s0 and s1, are really 3 meg ATM IMA connections, and this is the only router I have with an AIM module.


The only thing I've been able to think of is maybe using VLANs on the FE ports and not route between the two of them, but I don't know how to keep the box from routing them without using a no ip routing command, which is bad in this case.


Maybe setting up subinterfaces on f0/1, one with the outside firewall and the others with private networks. But this still isn't safe.


Ugh.

Correct Answer
stomasko Wed, 12/28/2005 - 05:43

Sounds like you really have a tough situation. Any chance you could put a firewall at the other end of the private serial link? While malicious traffic could still hit the router, you could put a firewall to protect the Ethernet side of each LAN and have some protection. Just a thought.


Steve

blawrimore1 Wed, 12/28/2005 - 10:34

Thanks for the recommendation, but I found out I could use route-maps on the public interfaces (s0 and f0/0) and change the default route to the inside firewall interface for all other interfaces and networks.
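The route-map approach the original poster settled on is policy-based routing. The following is an added illustration of one way to build it, not configuration from this thread or from Cisco; the interface names, the 10.0.0.0/8 private range, the 203.0.113.0/29 public subnet and the firewall address 10.1.1.254 are all constructed assumptions. The security point it addresses is the one raised above: with only `ip route 0.0.0.0 0.0.0.0` pointing at the Internet circuit, hosts on the private LAN and private WAN would bypass the firewall (and its Websense filtering) entirely. `set ip default next-hop` is used rather than `set ip next-hop` so that destinations with an explicit route (the private WAN networks over s1, the LAN itself) keep following the routing table and only traffic with an "unknown" destination, i.e. one that would otherwise fall to the default route, is pushed at the firewall's inside interface.

```cisco
! Added example, not part of the thread. All addresses are constructed.
!
! Assumed topology (interface names are assumptions for a 2811):
!   Serial0/0/0      public Internet circuit        ("s0" in the thread)
!   Serial0/0/1      private WAN circuit            ("s1" in the thread)
!   FastEthernet0/0  203.0.113.1/29, connects to the firewall OUTSIDE leg
!   FastEthernet0/1  10.1.1.1/24, private LAN; firewall INSIDE leg = 10.1.1.254
!
! Private address space used on the LAN and across the private WAN.
! Traffic between these networks must never be sent to the firewall.
ip access-list extended PRIVATE-NETS
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Everything else that arrives on a private-side interface.
ip access-list extended ANY-TRAFFIC
 permit ip any any
!
route-map TO-FIREWALL permit 10
 ! Matched, but no "set" clause: the packet is routed normally
 ! (LAN to private WAN over Serial0/0/1 and back).
 match ip address PRIVATE-NETS
!
route-map TO-FIREWALL permit 20
 match ip address ANY-TRAFFIC
 ! Only applied when the routing table holds no explicit route for the
 ! destination; the 0.0.0.0/0 default does not count. That is exactly
 ! the "unknown destination" case from the question.
 set ip default next-hop 10.1.1.254
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ! LAN traffic comes in here and is sent back out the same interface to
 ! the firewall, so suppress ICMP redirects that would otherwise tell
 ! hosts to bypass the router.
 no ip redirects
 ip policy route-map TO-FIREWALL
!
interface Serial0/0/1
 ! Private WAN sites get the same treatment on ingress.
 ip policy route-map TO-FIREWALL
!
! The existing default stays; only the firewall's outside leg on
! FastEthernet0/0 should ever reach it now.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
```

Two things to check after applying it. First, the firewall needs a return path: its inside routing table must point the private WAN networks (10.x over Serial0/0/1) at 10.1.1.1, otherwise replies are dropped at the firewall. Second, confirm the policy is actually matching rather than silently falling through: `show route-map TO-FIREWALL` shows per-sequence match counters, and `debug ip policy` (on a quiet router, for a short window) prints each policy-routed packet and the next hop chosen. Packets from the private side that still appear on Serial0/0/0 with an Internet destination mean the sequence-20 clause is not firing, usually because an explicit route exists for that destination or because the firewall's inside address is not directly reachable.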
