DMZ on Cisco Router 1841

mmtantawi
Level 1

Dear All,

I have here in my LAN one Cisco Router 1841 with its default components (2 FE, 1 console port, 1 AUX port, 2 empty slots).

Now, the first interface on the router has a real IP and is connected directly to the ISP router for the Internet connection.

The second interface, F0/1, is connected to my LAN and has the internal IP address 192.168.1.100 / 255.255.255.0.

All the users have the default gateway 192.168.1.100.

Now, all the users access the Internet through this router.

We do not have any firewall at all between the Internet and our LAN, except this router.

Now, I have an FTP server that I need to put in place and set up for users outside my organization to access from the Internet, anywhere in the world.

So I need to implement a DMZ on my router.

As the DMZ definition says, it is

[a small subnetwork that sits between a trusted network (LAN) and an untrusted network such as the Internet].

So what I did is, I purchased one router module, an HWIC4, and plugged it into the router.

By doing this, do you think I am correct on the following:

1- It increases the router's ability to serve more than one network.

2- Can I consider each interface on the HWIC a separate DMZ, because each interface will have its own IP address?

Please update me.

2 Replies

spremkumar
Level 9

Hi Mohammed

You can configure different VLANs in your LAN segment too and have them terminated on your router using different sub-interfaces on the Ethernet port with the respective VLAN IDs.

In that way you can have different segments without any additional hardware.

Also, access from the other LAN segment can be restricted using an access-list configured and bound to the interface, which can block unnecessary address blocks from accessing the FTP service.

Regards

gpulos
Level 8

From the sounds of it, you purchased a '4 port WAN Interface Card' to be put into your router.

(The HWIC4 cannot be used to create a 'DMZ' as you require; you will need additional Ethernet interfaces, not WAN interfaces.)

A few things first...

1) Yes, you have increased the router's ability to serve more than one network. With an HWIC4, you can configure up to 4 more WAN segments that the router can route for.

2) If you had a 4 port Ethernet card, then you could configure each interface to act like a DMZ, but without proper security in place, it will not be much more than a 'hop' from one network to another.

NOTE: you need to build very detailed, granular access lists to filter traffic if you wish to have any chance of providing the slightest amount of security to your inside users and hosts.

(A firewall will provide better security control and DMZ definition, and is a recommended best practice for the solution you're looking for.)

Your DMZ definition says it all: "...subnet between a trusted network and an untrusted network..."

Firewalls inherently provide a 'trusted' interface, an 'untrusted' interface and one or more 'less than trusted' or DMZ interfaces.

Routers do not inherently provide this type of security segregation. You should be using a firewall to provide your solution and security in this case.
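The VLAN sub-interface approach in spremkumar's reply and the granular access lists gpulos insists on, put together as an added Cisco IOS configuration example. This is not from the thread and not from either poster; it assumes that VLAN 10 is the existing LAN and VLAN 20 the new DMZ, carried on an 802.1Q trunk from F0/1 to the LAN switch; that the FTP server is 192.168.2.10; that the ISP-facing address is 203.0.113.2/30; and that the IOS image includes the classic firewall feature (`ip inspect`), which is what turns the router's stateless access lists into something closer to the firewall behaviour gpulos describes. Every address, VLAN ID and name below is an assumption.

```cisco
! Added example, not the original poster's or the repliers' configuration.
! Assumed: VLAN 10 = inside LAN, VLAN 20 = DMZ, FTP server 192.168.2.10,
! public address 203.0.113.2/30 on F0/0, IOS image with the classic firewall (ip inspect).
!
! Stateful inspection: return traffic and the FTP data channel are opened dynamically,
! so the access lists below can default to deny.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
! From the Internet, only the FTP control channel to the public address is allowed in.
! Data connections (active or passive) are handled by 'ip inspect name FW ftp'.
ip access-list extended OUTSIDE-IN
 remark Only the FTP control channel is reachable from the Internet
 permit tcp any host 203.0.113.2 eq 21
 deny   ip any any log
!
! The DMZ is "less than trusted": a compromised FTP server must not reach the LAN.
ip access-list extended DMZ-IN
 remark Block DMZ -> inside LAN, allow DMZ -> Internet (updates, DNS)
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
!
! Hosts allowed to use the shared public address for outbound access.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
interface FastEthernet0/0
 description Uplink to ISP (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW in
 ip inspect FW out
 ip nat outside
!
interface FastEthernet0/1
 description 802.1Q trunk to LAN switch
 no ip address
!
interface FastEthernet0/1.10
 description Inside LAN (trusted), VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description DMZ (FTP server only), VLAN 20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip access-group DMZ-IN in
 ip nat inside
!
! Outbound PAT for both segments, and a static port forward for FTP control only.
ip nat inside source list NAT-SOURCES interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.10 21 interface FastEthernet0/0 21
```

Verify with `show ip inspect sessions` while a client outside is logged in (you should see the control session and, during a transfer, the data session), and with `show access-lists` to confirm the `deny ... log` counters are the ones incrementing for unsolicited inbound traffic. If the image lacks the firewall feature, the closest stateless substitute is `permit tcp any any established` in OUTSIDE-IN, which covers TCP replies to LAN users but not UDP (DNS), ICMP or passive FTP data ports. Plain FTP also sends credentials in clear text across the Internet; the DMZ placement limits what an attacker can reach after stealing them, it does not protect the credentials themselves.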
