Velocity Reviews - Computer Hardware Reviews

core router firewall issue

 
 
psykotic, 08-09-2005
We just upgraded our edge router and added a Juniper NetScreen firewall
to our network, and I am trying to use the old 1721 as a core VLAN
router. Do you think it is possible to use the one Ethernet port to do
internal VLAN routing and push outbound Internet traffic to another
switchport (on VLAN 1, the native VLAN) where the trust interface of the
firewall lies (192.168.1.1 255.255.255.0)? My problem is that I can get
things working on the native VLAN (VLAN 1), but no go for
workstations bound to the other interfaces (10, 20, 30, etc.). Please let me
know if it is possible via some tweaks to the config below, or if I
just need to go purchase an Ethernet WIC to make this work. Thanks.
The access list is something I am starting to build to stave off some
of the P2P; I know it is not a complete solution.

Here is the config


clock timezone pst -8
clock summer-time pdt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip name-server 206.13.28.12
ip name-server 206.13.31.12
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.250 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.200.1 192.168.200.10
!
ip dhcp pool 0
network 192.168.1.0 255.255.255.0
domain-name group1.local
dns-server 206.13.28.12 206.13.31.12
default-router 192.168.1.250
!
ip dhcp pool 10
network 192.168.10.0 255.255.255.0
dns-server 206.13.28.12 206.13.31.12
domain-name group10.local
default-router 192.168.10.250
!
ip dhcp pool 20
network 192.168.20.0 255.255.255.0
dns-server 206.13.28.12 206.13.31.12
domain-name group20.local
default-router 192.168.20.250
!
ip dhcp pool 30
network 192.168.30.0 255.255.255.0
dns-server 206.13.28.12 206.13.31.12
domain-name group30.local
default-router 192.168.30.250
!
ip dhcp pool 100
network 192.168.100.0 255.255.255.0
dns-server 192.168.100.1
domain-name office.local
default-router 192.168.100.250
!
ip dhcp pool 200
network 192.168.200.0 255.255.255.0
dns-server 206.13.28.12 206.13.31.12
default-router 192.168.200.250
domain-name group200.local
!
ip cef
!
!
!
!
! Router-on-a-stick: the physical port carries untagged VLAN 1 traffic and shares
! 192.168.1.0/24 with the firewall's trust interface, the next hop of the default route.
interface FastEthernet0
description TO LOCAL LAN
ip address 192.168.1.250 255.255.255.0
ip access-group 110 in
! No interface is "ip nat outside" and there is no "ip nat inside source" statement,
! so this and the "ip nat inside" lines on the subinterfaces translate nothing.
ip nat inside
speed 100
full-duplex
!
interface FastEthernet0.10
encapsulation dot1Q 10
ip address 192.168.10.250 255.255.255.0
ip access-group 110 in
ip nat inside
no snmp trap link-status
!
interface FastEthernet0.20
encapsulation dot1Q 20
ip address 192.168.20.250 255.255.255.0
ip access-group 110 in
ip nat inside
no snmp trap link-status
!
interface FastEthernet0.30
encapsulation dot1Q 30
ip address 192.168.30.250 255.255.255.0
ip access-group 110 in
ip nat inside
no snmp trap link-status
!
interface FastEthernet0.100
encapsulation dot1Q 100
ip address 192.168.100.250 255.255.255.0
ip access-group 110 in
ip nat inside
no snmp trap link-status
!
interface FastEthernet0.200
encapsulation dot1Q 200
ip address 192.168.200.250 255.255.255.0
ip access-group 110 in
ip nat inside
no snmp trap link-status
!
ip classless
! Every non-local packet, from every VLAN, is handed to the NetScreen trust interface.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
logging 192.168.100.1
! Applied inbound on every (sub)interface above, so it filters Internet-bound and
! inter-VLAN traffic alike. Matches TCP destination ports only; ends in permit ip any any.
access-list 110 deny tcp any any eq 1214 log-input
access-list 110 deny tcp any any eq 1337 log-input
access-list 110 deny tcp any any eq 2234 log-input
access-list 110 deny tcp any any eq 5534 log-input
access-list 110 deny tcp any any range 4000 4100 log-input
access-list 110 deny tcp any any eq 4500 log-input
access-list 110 deny tcp any any range 9000 9100 log-input
access-list 110 deny tcp any any range 5500 5503 log-input
access-list 110 deny tcp any any eq 7778 log-input
access-list 110 deny tcp any any eq 6667 log-input
access-list 110 deny tcp any any eq 2323 log-input
access-list 110 deny tcp any any eq 4242 log-input
access-list 110 deny tcp any any range 6346 6352 log-input
access-list 110 deny tcp any any range 6881 6889 log-input
access-list 110 deny tcp any any eq 6969 log-input
access-list 110 deny tcp any any eq 8875 log-input
access-list 110 deny tcp any any eq 4444 log-input
access-list 110 deny tcp any any eq 5555 log-input
access-list 110 deny tcp any any eq 6666 log-input
access-list 110 deny tcp any any eq 7777 log-input
access-list 110 deny tcp any any eq 8888 log-input
access-list 110 deny tcp any any eq 6699 log-input
access-list 110 deny tcp any any eq 6257 log-input
access-list 110 deny tcp any any eq 4329 log-input
access-list 110 deny tcp any any range 4000 4999 log-input
access-list 110 deny tcp any any eq 3128 log-input
access-list 110 deny tcp any any eq 8088 log-input
access-list 110 deny tcp any any eq 11523 log-input
access-list 110 deny tcp any any range 81 83 log-input
access-list 110 permit ip any any
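
An added example, not part of the thread: ACL 110 above is a list of TCP destination ports in front of `permit ip any any`, and IOS evaluates it first match wins. The script below parses the ACL exactly as posted (it handles only the ACE syntax this ACL uses), evaluates a few constructed packets against it, and lists entries that a later entry with the same action already covers; here `range 4000 4999` covers five earlier lines. The sample packets show the limit of port-based P2P filtering: the same BitTorrent port is permitted over UDP, and because the list ends in `permit ip any any` and is applied inbound on every subinterface, all inter-VLAN traffic is permitted as well.

```python
import re
from typing import NamedTuple, Optional, Tuple

# ACL 110 exactly as posted in the thread above.
ACL_110 = """\
access-list 110 deny tcp any any eq 1214 log-input
access-list 110 deny tcp any any eq 1337 log-input
access-list 110 deny tcp any any eq 2234 log-input
access-list 110 deny tcp any any eq 5534 log-input
access-list 110 deny tcp any any range 4000 4100 log-input
access-list 110 deny tcp any any eq 4500 log-input
access-list 110 deny tcp any any range 9000 9100 log-input
access-list 110 deny tcp any any range 5500 5503 log-input
access-list 110 deny tcp any any eq 7778 log-input
access-list 110 deny tcp any any eq 6667 log-input
access-list 110 deny tcp any any eq 2323 log-input
access-list 110 deny tcp any any eq 4242 log-input
access-list 110 deny tcp any any range 6346 6352 log-input
access-list 110 deny tcp any any range 6881 6889 log-input
access-list 110 deny tcp any any eq 6969 log-input
access-list 110 deny tcp any any eq 8875 log-input
access-list 110 deny tcp any any eq 4444 log-input
access-list 110 deny tcp any any eq 5555 log-input
access-list 110 deny tcp any any eq 6666 log-input
access-list 110 deny tcp any any eq 7777 log-input
access-list 110 deny tcp any any eq 8888 log-input
access-list 110 deny tcp any any eq 6699 log-input
access-list 110 deny tcp any any eq 6257 log-input
access-list 110 deny tcp any any eq 4329 log-input
access-list 110 deny tcp any any range 4000 4999 log-input
access-list 110 deny tcp any any eq 3128 log-input
access-list 110 deny tcp any any eq 8088 log-input
access-list 110 deny tcp any any eq 11523 log-input
access-list 110 deny tcp any any range 81 83 log-input
access-list 110 permit ip any any
"""

class Ace(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" ("ip" matches any protocol)
    ports: Optional[Tuple[int, int]]  # inclusive destination-port range; None = any port
    text: str                         # the original line, for reporting

# Only the syntax this ACL uses: any-to-any with an optional eq/range on the destination port.
ACE_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+any\s+any"
                    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?(?:\s+log(?:-input)?)?\s*$")

def parse_acl(text):
    aces = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        action, proto, eq, lo, hi = m.groups()
        ports = (int(eq), int(eq)) if eq else (int(lo), int(hi)) if lo else None
        aces.append(Ace(action, proto, ports, line))
    return aces

def _proto_ok(ace, proto):
    return ace.proto == "ip" or ace.proto == proto

def matches(ace, proto, dport):
    return _proto_ok(ace, proto) and (ace.ports is None or ace.ports[0] <= dport <= ace.ports[1])

def evaluate(aces, proto, dport):
    """IOS semantics: the first matching ACE wins; no match falls to the implicit deny."""
    for ace in aces:
        if matches(ace, proto, dport):
            return ace.action
    return "deny"

def covers(outer, inner):
    """Every packet matched by `inner` is also matched by `outer`."""
    if not _proto_ok(outer, inner.proto):
        return False
    if outer.ports is None:
        return True
    return inner.ports is not None and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1]

def redundant_aces(aces):
    """ACEs that can be deleted without changing behaviour: a later ACE with the same action
    covers them. Conservative: the scan stops at the first opposite-action ACE."""
    out = []
    for i, ace in enumerate(aces):
        for later in aces[i + 1:]:
            if later.action != ace.action:
                break
            if covers(later, ace):
                out.append(ace.text)
                break
    return out

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    for proto, port in (("tcp", 6881), ("udp", 6881), ("tcp", 4242), ("tcp", 443)):
        print(f"{proto}/{port} -> {evaluate(acl, proto, port)}")
    print("redundant lines:", *redundant_aces(acl), sep="\n  ")
```

Run as-is it prints the four verdicts and the five lines (`range 4000 4100`, `eq 4500`, `eq 4242`, `eq 4444`, `eq 4329`) that `range 4000 4999` makes redundant; deleting them does not change what the ACL permits or denies, and it shortens a list that is matched on every inbound packet. Note that `log-input` on every deny line sends a syslog message to 192.168.100.1 for each logged match, so the list is also a source of log volume.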

 
shen, 08-09-2005
psykotic wrote:
> We just upgraded our edge router and added a Juniper NetScreen firewall
> to our network, and I am trying to use the old 1721 as a core VLAN
> router. Do you think it is possible to use the one Ethernet port to do
> internal VLAN routing and push outbound Internet traffic to another
> switchport (on VLAN 1, the native VLAN) where the trust interface of the
> firewall lies (192.168.1.1 255.255.255.0)? My problem is that I can get
> things working on the native VLAN (VLAN 1), but no go for
> workstations bound to the other interfaces (10, 20, 30, etc.). Please let me
> know if it is possible via some tweaks to the config below, or if I
> just need to go purchase an Ethernet WIC to make this work. Thanks.
> The access list is something I am starting to build to stave off some
> of the P2P; I know it is not a complete solution.

If your firewall supports dot1q, you can do it, but you had better
purchase an Ethernet WIC to make this work; it will make your network
more secure.
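
A check worth running on the setup in the opening post, whichever attachment shen recommends (added example, not from the thread): the 1721's default route hands every non-local packet to 192.168.1.1, so replies for hosts on VLANs 10, 20, 30, 100 and 200 come back to the NetScreen addressed to subnets that are not on its trust interface. If the firewall's table holds only its connected 192.168.1.0/24 and a default route, longest-prefix matching sends those replies out the default route, and only VLAN 1 hosts get answers, which is consistent with the symptom described. The Python below simulates that lookup. The 1721 table follows the posted config; both NetScreen tables and the upstream gateway 198.51.100.1 are constructed assumptions, since the thread shows no firewall configuration. Compare against `show ip route` on the 1721 and against the firewall's actual routes and trust-zone policy (a policy written for 192.168.1.0/24 only would still block the other subnets once the routes exist).

```python
from ipaddress import ip_address, ip_network

# Routing tables as (prefix, next_hop) lists; next_hop None means directly connected.
# ROUTER_1721 is what the posted config yields: six connected (sub)interfaces and a
# default route to the NetScreen trust interface.
ROUTER_1721 = [
    ("192.168.1.0/24", None), ("192.168.10.0/24", None), ("192.168.20.0/24", None),
    ("192.168.30.0/24", None), ("192.168.100.0/24", None), ("192.168.200.0/24", None),
    ("0.0.0.0/0", "192.168.1.1"),
]
# Assumed NetScreen table (the thread shows no firewall config): only the connected
# trust subnet plus a default route upstream. 198.51.100.1 is a placeholder gateway.
FIREWALL_BARE = [("192.168.1.0/24", None), ("0.0.0.0/0", "198.51.100.1")]
# The same table with a static route for every tagged VLAN pointing back at the 1721.
TAGGED_VLANS = ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
                "192.168.100.0/24", "192.168.200.0/24")
FIREWALL_FIXED = FIREWALL_BARE + [(net, "192.168.1.250") for net in TAGGED_VLANS]


def lookup(table, dst):
    """Longest-prefix match. Returns ('connected', prefix), ('via', gateway, prefix),
    or None when no entry covers dst (a table without a default route)."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    net, next_hop = best
    return ("connected", str(net)) if next_hop is None else ("via", next_hop, str(net))


def reply_fate(fw_table, inside_host):
    """Where the firewall forwards a reply addressed to an inside host."""
    hop = lookup(fw_table, inside_host)
    if hop is None:
        return "dropped: no route"
    if hop[0] == "connected":
        return "delivered on the connected trust subnet"
    if hop[1] == "192.168.1.250":
        return "forwarded to the 1721, which routes it onto the tagged VLAN"
    return f"forwarded upstream via {hop[1]}: lost"


def round_trip(fw_table, inside_host, internet_dst="203.0.113.10"):
    """Forward hop taken on the 1721 and the fate of the reply on the firewall."""
    return lookup(ROUTER_1721, internet_dst), reply_fate(fw_table, inside_host)


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.10.50"):
        print(host, "| bare firewall:", round_trip(FIREWALL_BARE, host)[1])
        print(host, "| with static routes:", round_trip(FIREWALL_FIXED, host)[1])
```

A separate point the posted config shows on its own: DHCP pool 0 hands VLAN 1 hosts 192.168.1.250 as their gateway, but the firewall's 192.168.1.1 sits on the same subnet, so a VLAN 1 host that sets its gateway to 192.168.1.1 by hand never passes through ACL 110. The P2P filter only binds hosts on the tagged VLANs, which have no path to the firewall except through the 1721.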
 

shen, 08-09-2005
psykotic wrote:
> We just upgraded our edge router and added a Juniper NetScreen firewall
> to our network, and I am trying to use the old 1721 as a core VLAN
> router. Do you think it is possible to use the one Ethernet port to do
> internal VLAN routing and push outbound Internet traffic to another
> switchport (on VLAN 1, the native VLAN) where the trust interface of the
> firewall lies (192.168.1.1 255.255.255.0)? My problem is that I can get
> things working on the native VLAN (VLAN 1), but no go for
> workstations bound to the other interfaces (10, 20, 30, etc.). Please let me
> know if it is possible via some tweaks to the config below, or if I
> just need to go purchase an Ethernet WIC to make this work. Thanks.
> The access list is something I am starting to build to stave off some
> of the P2P; I know it is not a complete solution.
>

Yes, you can do it, but I advise you to purchase an Ethernet WIC to make
this work; it will make your network more secure.

 