
New Member

2900 router firewall configuration question

Hello,

I am sorry if I am asking a newbie question. I am trying to set up a firewall on our CISCO 2911 router. It has only 3 ports, one of which is used for management purposes only. The other two ports are set up as follows:

ISP
 |
router 1 - CISCO 2911
-----------------------------------------------------------------------------------------------
Interface e0/0 - (IP unnumbered using PPPoE, associated with Dialer0)
Interface e0/1 - (this address is shared by the IP unnumbered interface) - Public IP (222.222.222.22)
-----------------------------------------------------------------------------------------------
 |
router 2 with NAT - Public IP (222.222.222.23)
 |
LAN
==================================

I tested two ways of setting up the firewall zones on Router 1 (the Cisco 2911 IOS-based firewall):

A.

Outside zone member: 1. interface e0/0 (Dialer0)

Inside zone member: e0/1

Then there is no connection to the Internet even though all access rules from inside to outside are set to Allow. No other ACL is associated with any of the interfaces.

B.

Outside zone members: 1. interface e0/0 (Dialer0) and 2. interface e0/1

Inside zone member: e0/3 (management only)

Internet connection is Ok. But this setup is the same as having no firewall, isn't it?

Please advise me how it should be properly set up.

Thank you so much!

2 REPLIES
Cisco Employee

Re: 2900 router firewall configuration question

You should set it up the way you did in step 1.

I am not sure how you have set it up, but for Internet access just match the TCP, UDP, DNS and ICMP protocols and inspect them.

You can paste the config if you want, so that I can take a look at it and comment.

Purple

Re: 2900 router firewall configuration question

I think your outside interface should be your dialer interface and not your physical Ethernet interface. That's why it isn't working: the dialer interface is not a member of any zone, and you can't communicate between a zone member and a non-zone member.

Don't forget to rate helpful posts.
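Putting the two replies together, here is an added example configuration (not from the original thread) of the zone-based firewall they describe: Dialer0 as the outside zone member, e0/1 as the inside, with TCP, UDP, ICMP and DNS inspected from inside to outside. Interface names follow the post; the zone, class-map, policy-map and zone-pair names are assumed.

```ios
! Added example, not from the thread. Zone/class/policy names are assumed.
! Interface names follow the post (a 2911 normally shows GigabitEthernet0/x).
zone security INSIDE
zone security OUTSIDE
!
! Match the protocols the first reply lists; "inspect" keeps session state
! so return traffic from the Internet is allowed back in.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop
!
! Only the inside->outside direction gets a policy. With no OUTSIDE->INSIDE
! zone-pair, unsolicited traffic from the Internet is dropped by default.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! The PPPoE session terminates on Dialer0, so Dialer0 (not physical e0/0)
! is the outside zone member, as the second reply points out.
interface Dialer0
 zone-member security OUTSIDE
!
! e0/1 faces router 2 and the LAN behind it
interface Ethernet0/1
 zone-member security INSIDE
!
! Verify the zone-pair binding and watch inspected sessions being created:
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-OUT sessions
```

Assuming e0/0 runs only the PPPoE client and carries no IP address, it needs no zone membership. Traffic to and from the router itself belongs to the built-in self zone and is not affected by this zone-pair.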