design Help forwarding traffic through a router into a firewall

Looking for some advice.

We are using a new product from Time Warner Telecom. It provides WAN access and Internet traffic off of the same inbound data circuit through the use of a VLAN for the Internet traffic.

I have the WAN set up and Internet working.

The traffic comes into a router that has VLANs and a switch with trunking.

I can get them Internet access using an IP nat source statement, and I am using IP nat static for items like inbound email and Outlook access to the server. We would like to put the firewall back in, but it doesn't support VLANs.

I thought about an IP nat forward from an IP to the firewall specifically to get the VPN working, but I am having some issues getting more than one port to work through the nat statement.

Any ideas?

Also, if I don't have all Internet traffic come into the firewall and out of the firewall, will I have a routing loop?

Any help is appreciated.

Here is the current config. Not all of it, but the routing portion.

controller T1 0/0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-11,24
!
gw-accounting syslog
!
interface FastEthernet0/0
 ip address 10.1.1.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex full
 speed 10
 no mop enabled
!
interface FastEthernet0/0.667
 encapsulation dot1Q 667
 ip address X.X.50.214 255.255.255.252 secondary
 ip address X.X.184.50 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.10
 description Data Vlan
 encapsulation dot1Q 10
 ip address 172.20.10.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.11
 description Voice Vlan
 encapsulation dot1Q 11
 ip address 172.20.11.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1.192
 encapsulation dot1Q 192
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.254
 encapsulation dot1Q 254
 ip address 172.20.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface Serial0/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
interface Service-Engine1/0
 ip address 172.20.12.254 255.255.255.0
 service-module ip address 172.20.12.250 255.255.255.0
 service-module ip default-gateway 172.20.12.254
!
router eigrp 101
 network 172.21.0.0
 network 172.22.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 x.x.50.213
ip route 172.20.12.250 255.255.255.255 Service-Engine1/0
ip route 172.21.0.0 255.255.0.0 10.1.1.21
ip route 172.22.0.0 255.255.0.0 10.1.1.22
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool Internet x.x.184.51 x.x.184.51 netmask 255.255.255.240
ip nat inside source list 1 pool Internet overload
ip nat inside source static tcp 192.168.1.10 25 66.162.50.214 25 extendable
ip nat inside source static tcp 192.168.1.10 80 207.250.184.55 80 extendable
ip nat inside source static tcp 192.168.1.10 443 x.x.184.56 443 extendable
ip nat inside source static tcp 192.168.1.10 4899 x.x.184.60 4899 extendable
!
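As an added example (editor's code, not the poster's configuration and not a Cisco tool), the script below reads a running-config in the shape posted above and inventories what the NAT statements expose: which interfaces carry the "ip nat inside" / "ip nat outside" role, which inside hosts are reachable from the outside interface and on which ports, how many public addresses the static maps consume, and which addressed interfaces have no NAT role at all (their traffic is routed untranslated, which is the situation the routing-loop question is about). SAMPLE_CONFIG is a constructed, shortened copy of the posted config: documentation-range addresses (203.0.113.0/24) stand in for the masked x.x public addresses, and one one-to-one static map without a protocol/port (a form not in the posted config) is included to show how the report labels it. The parser assumes IOS's one-space indentation of interface sub-commands and covers only the statement forms it names; anything else is ignored.

```python
"""NAT-exposure inventory for a Cisco IOS running-config.
Added example, not the poster's code or a Cisco tool. It parses the statement
forms visible in the thread (interface "ip address" / "ip nat inside|outside",
the "source list ... pool ... overload" statement, per-port "static tcp|udp"
maps, the default route) and reports what is reachable from outside, and where."""
import re
from collections import defaultdict

# Constructed sample: shortened copy of the posted config with documentation
# addresses; the last line (one-to-one static) is not in the original post.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.667
 ip address 203.0.113.50 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1.11
 description Voice Vlan
 ip address 172.20.11.254 255.255.255.0
!
interface FastEthernet0/1.192
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.49
ip nat inside source list 1 pool Internet overload
ip nat inside source static tcp 192.168.1.10 25 203.0.113.52 25 extendable
ip nat inside source static tcp 192.168.1.10 443 203.0.113.56 443 extendable
ip nat inside source static 192.168.1.20 203.0.113.57
"""

IP = r"\d+\.\d+\.\d+\.\d+"
IFACE_RE = re.compile(r"^interface (\S+)$")
ADDR_RE = re.compile(rf"^ip address ({IP}) {IP}")
STATIC_PORT_RE = re.compile(rf"^ip nat inside source static (tcp|udp) ({IP}) (\d+) ({IP}) (\d+)")
STATIC_HOST_RE = re.compile(rf"^ip nat inside source static ({IP}) ({IP})")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)( overload)?")
DEFAULT_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_nat_config(text):
    """Return interfaces (ip, nat role), static/dynamic translations and default route."""
    parsed = {"interfaces": {}, "static_ports": [], "static_hosts": [],
              "overload": None, "default_route": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := IFACE_RE.match(line):
            current = m.group(1)
            parsed["interfaces"][current] = {"ip": None, "nat": None}
            continue
        if not raw.startswith(" "):
            current = None                      # back at global config level
        if current is not None:                 # interface sub-command
            iface = parsed["interfaces"][current]
            if (m := ADDR_RE.match(line)) and "secondary" not in line:
                iface["ip"] = m.group(1)
            elif line in ("ip nat inside", "ip nat outside"):
                iface["nat"] = line.split()[-1]
            continue
        if m := STATIC_PORT_RE.match(line):     # one protocol/port pair
            proto, iip, iport, oip, oport = m.groups()
            parsed["static_ports"].append((proto, iip, int(iport), oip, int(oport)))
        elif m := STATIC_HOST_RE.match(line):   # one-to-one: every port of the host
            parsed["static_hosts"].append(m.groups())
        elif m := OVERLOAD_RE.match(line):      # outbound PAT for hosts matching the ACL
            parsed["overload"] = {"acl": m.group(1), "pool": m.group(2), "pat": m.group(3) is not None}
        elif m := DEFAULT_RE.match(line):
            parsed["default_route"] = m.group(1)
    return parsed


def exposure_by_host(parsed):
    """Inside host -> sorted list of what outside can reach ('tcp/25', or 'ALL')."""
    exposed = defaultdict(set)
    for proto, iip, iport, _oip, _oport in parsed["static_ports"]:
        exposed[iip].add(f"{proto}/{iport}")
    for iip, _oip in parsed["static_hosts"]:
        exposed[iip].add("ALL")
    return {host: sorted(ports) for host, ports in exposed.items()}


def public_addresses_used(parsed):
    """Outside address -> number of static maps bound to it."""
    counts = defaultdict(int)
    for _p, _i, _ip, oip, _op in parsed["static_ports"]:
        counts[oip] += 1
    for _i, oip in parsed["static_hosts"]:
        counts[oip] += 1
    return dict(counts)


def untranslated_interfaces(parsed):
    """Addressed interfaces with no NAT role; their traffic is routed untranslated."""
    return sorted(n for n, i in parsed["interfaces"].items() if i["ip"] and i["nat"] is None)


if __name__ == "__main__":
    p = parse_nat_config(SAMPLE_CONFIG)
    print("default route via", p["default_route"], "| outbound PAT:", p["overload"])
    print("reachable from outside:", exposure_by_host(p))
    print("public addresses consumed:", public_addresses_used(p))
    print("addressed interfaces with no NAT role:", untranslated_interfaces(p))
```

To run it against a real device, save the output of show running-config to a file and pass its contents to parse_nat_config in place of SAMPLE_CONFIG. The per-host list is the thing to review before putting a firewall back in front: every entry is a path that bypasses whatever the firewall would inspect, and an "ALL" entry means the whole host, not a single service.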


Re: design Help forwarding traffic through a router into a firewall

Specific inspection statements are configured based on the acceptable traffic that the router will allow out through the firewall, and on the expected return traffic. For more information, please see the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670
