Cisco 871 -- Bridge Mode

Discussion in 'Cisco' started by Vincent, Feb 26, 2010.

  1. Vincent

    Vincent Guest

    If I place a Cisco 871 in bridging mode and put a dedicated firewall
    behind it, am I still able to assign extended ACLs to the bridged
    interface? Or is it only able to handle standard ACLs?

    Thanks.

    Vincent
     
    Vincent, Feb 26, 2010
    #1

  2. bod43

    bod43 Guest

    On 26 Feb, 03:57, Vincent <> wrote:
    > If I place a Cisco 871 in bridging mode and put a dedicated firewall
    > behind it, am I still able to assign extended ACL's to the bridged
    > interface?  Or is it only able to handle standard ACL's?


    I have no idea if any IP ACLs work in bridge mode
    but I would think that if standard ones work then
    extended ones will too.

    You can always NAT on the router and NAT on the firewall too.

    router outside - Public IP
         NAT here
    router inside 10.0.0.1
    firewall outside 10.0.0.2
         NAT here too
    firewall inside - Private IP

    Obviously if you do complex NAT then it will be
    more work and more irritating but I have done this with
    IPSEC on the firewall and all was OK.
    DSL router (not cisco) and PIX.
     
    bod43, Feb 26, 2010
    #2

  3. Vincent

    Vincent Guest

    On Feb 26, 4:24 am, bod43 <> wrote:
    > On 26 Feb, 03:57, Vincent <> wrote:
    >
    > > If I place a Cisco 871 in bridging mode and put a dedicated firewall
    > > behind it, am I still able to assign extended ACL's to the bridged
    > > interface?  Or is it only able to handle standard ACL's?

    >
    > I have no idea if any IP ACLs work in bridge mode
    > but I would think that if standard ones work then
    > extended ones will too.
    >
    > You can always NAT on the router and NAT on the firewall too.
    >
    > router outside - Public IP
    >      NAT here
    > router inside 10.0.0.1
    > firewall outside 10.0.0.2
    >      NAT here too
    > firewall inside - Private IP
    >
    > Obviously if you do complex NAT then it will be
    > more work and more irritating but I have done this with
    > IPSEC on the firewall and all was OK.
    > DSL router (not cisco) and PIX.


    Well, maybe I am going about this the wrong way... I want to create the
    following setup:

    T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT)
                                               |
                                              DMZ

    My thoughts were that I could place the Cisco 871 in bridged mode, but
    still have it perform IP filtering to prevent a bunch of junk from
    hitting the firewall. But, since it is bridged, the IP address will
    be assigned directly to the firewall. One of the public IP addresses
    will be used to serve the internal LAN and the other public IP
    addresses will be assigned to machines within the DMZ. Is it possible
    to assign ACLs to a bridged interface? If not, that defeats the
    primary purpose of the Cisco 871 as a filtering device. Is there a
    better way to do what I am trying to accomplish? I have been assigned
    a x.x.x.x/28 subnet from my ISP. Thanks!

    Vincent
     
    Vincent, Feb 26, 2010
    #3
  6. Doug McIntyre

    Doug McIntyre Guest

    Vincent <> writes:
    >Well, maybe I am going about this the wrong way...I want to create the
    >following setup:


    >T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT)
    > |
    > DMZ


    >My thoughts were that I could place the Cisco 871 in bridged mode, but
    >still have it perform IP filtering to prevent a bunch of junk from
    >hitting the firewall. But, since it is bridged, the IP address will
    >be assigned directly to the firewall. One of the public IP addresses
    >will be used to serve the internal LAN and the other public IP
    >addresses will be assigned to machines within the DMZ. Is it possible
    >to assign ACL's to a bridged interface? If not, that defeats the
    >primary purpose of the Cisco 871 as a filtering device. Is there a
    >better way to do what I am trying to accomplish? I have been assigned
    >a x.x.x.x/28 subnet from my ISP. Thanks!



    A bridge can't filter based on IP traffic, but can filter on other
    criteria (i.e. MAC address) that probably isn't too interesting to you,
    although it can be for other users. (BTW: I'd rather have a firewall box
    dedicated to being a filter do it all rather than a router that can do
    some of it.) It's not like two filters are better than one. If you
    don't trust the firewall to protect you as well as the Cisco, then why
    use it at all?

    I wouldn't bother with the 871 at all in your setup as given.

    If you do want to keep the 871 in there, and be able to filter on IP
    level traffic and not do double NAT which was proposed to you at
    first, you could take your /28 and split it into two. And then take
    one of the /29's and split it into two /30's. Use one /30 to go from
    the T1 to the 871. Use the 2nd /30 to go from the 871 to the firewall.
    The firewall can do with what it wants on the other /29. Insert static
    route statements to push the /29 down to the firewall to do with it as
    it wants.

    Here you are doing full routing all the way through, only the firewall
    is NAT'ing, and you can do IP filtering on the 871.
     
    Doug McIntyre, Feb 26, 2010
    #6
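The routed alternative in the reply above (split the /28 into a /29 plus two /30s, static-route the /29 to the firewall, filter with an extended ACL on the 871) worked through as an added example; this is not code or configuration from any poster in the thread. It uses only Python's standard-library ipaddress module to carve the block and then prints the 871 side of the configuration. The interface names (FastEthernet4 as the WAN port, Vlan1 as the four switch ports), the assumption that the firewall NATs the LAN behind its own outside address, the published-service list and the 203.0.113.0/28 block (RFC 5737 documentation space) are all assumptions standing in for the real x.x.x.x/28.

```python
"""Addressing plan and 871 config for the routed alternative to bridge mode.

Takes the ISP /28, splits it into two /29s, splits one /29 into two /30s
(ISP handoff <-> 871, 871 <-> firewall) and routes the other /29 to the
firewall for the DMZ.  The 871 then filters with an ordinary extended ACL.
"""
import ipaddress


def plan_addressing(isp_block):
    """Carve the /28 exactly as described in the thread; returns plain strings."""
    net = ipaddress.ip_network(isp_block, strict=True)
    if net.prefixlen != 28:
        raise ValueError("this plan assumes a /28 from the ISP")
    link_half, dmz = net.subnets(new_prefix=29)           # two /29s
    wan_link, fw_link = link_half.subnets(new_prefix=30)  # two /30s for the links
    isp_end, r871_wan = wan_link.hosts()                  # a /30 has exactly two hosts
    r871_inside, fw_outside = fw_link.hosts()
    return {
        "isp_block": str(net), "isp_wildcard": str(net.hostmask),
        "wan_link": str(wan_link), "isp_end": str(isp_end), "r871_wan": str(r871_wan),
        "fw_link": str(fw_link), "r871_inside": str(r871_inside), "fw_outside": str(fw_outside),
        "dmz": str(dmz), "dmz_netmask": str(dmz.netmask), "dmz_wildcard": str(dmz.hostmask),
        "dmz_hosts": [str(h) for h in dmz.hosts()],
    }


def render_ios_config(plan, published):
    """Render the 871 side: two /30 links, a static route handing the DMZ /29 to
    the firewall, and an extended ACL inbound on the WAN port.

    `published` is a list of (dmz_host, protocol, port) reachable from the
    Internet.  Interface names assume an 871 (FastEthernet4 = WAN, Vlan1 = the
    four switch ports); the firewall is assumed to NAT the LAN behind its own
    outside address, so replies to that address are allowed through.
    """
    net_addr = plan["isp_block"].split("/")[0]
    wc = plan["isp_wildcard"]
    dmz_addr = plan["dmz"].split("/")[0]
    lines = [
        "interface FastEthernet4",
        " description WAN - Ethernet handoff from the T1 CSU/router",
        f" ip address {plan['r871_wan']} 255.255.255.252",
        " ip access-group FROM-INTERNET in",
        " no ip proxy-arp",
        " no ip redirects",
        "!",
        "interface Vlan1",
        " description inside - /30 to the firewall outside interface",
        f" ip address {plan['r871_inside']} 255.255.255.252",
        "!",
        f"ip route 0.0.0.0 0.0.0.0 {plan['isp_end']}",
        f"ip route {dmz_addr} {plan['dmz_netmask']} {plan['fw_outside']}",
        "!",
        "ip access-list extended FROM-INTERNET",
        " remark anti-spoof: our own block and RFC 1918 never arrive from the Internet",
        f" deny ip {net_addr} {wc} any",
        " deny ip 10.0.0.0 0.255.255.255 any",
        " deny ip 172.16.0.0 0.15.255.255 any",
        " deny ip 192.168.0.0 0.0.255.255 any",
        " deny ip 127.0.0.0 0.255.255.255 any",
        " remark services published from the DMZ",
    ]
    for host, proto, port in published:
        if host not in plan["dmz_hosts"]:
            raise ValueError(f"{host} is not a usable address in the DMZ {plan['dmz']}")
        lines.append(f" permit {proto} any host {host} eq {port}")
    lines += [
        " remark stateless return traffic; the firewall behind does the stateful checks",
        f" permit tcp any {dmz_addr} {plan['dmz_wildcard']} established",
        f" permit udp any {dmz_addr} {plan['dmz_wildcard']} gt 1023",
        f" permit tcp any host {plan['fw_outside']} established",
        f" permit udp any host {plan['fw_outside']} gt 1023",
        f" permit icmp any {net_addr} {wc} echo-reply",
        f" permit icmp any {net_addr} {wc} unreachable",
        f" permit icmp any {net_addr} {wc} time-exceeded",
        " deny ip any any log",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 203.0.113.0/28 is RFC 5737 documentation space, standing in for the real /28.
    plan = plan_addressing("203.0.113.0/28")
    print(render_ios_config(plan, [("203.0.113.9", "tcp", 80), ("203.0.113.9", "tcp", 443)]))
```

Two things to keep in mind when using this. The two /30 links consume 8 of the 16 addresses, so the DMZ /29 leaves 6 usable hosts; that is the address cost Rob mentions below, and it is the price of routing instead of bridging. The `established` and `gt 1023` lines are the coarse, stateless pre-filter an ACL gives you; the stateful firewall behind the 871 is still what actually tracks sessions, which is why the ACL ends in `deny ip any any log` rather than trying to be the whole policy.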
  7. Vincent

    Vincent Guest

    On Feb 26, 3:22 pm, Doug McIntyre <> wrote:
    > Vincent <> writes:
    > >Well, maybe I am going about this the wrong way...I want to create the
    > >following setup:
    > >T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT)
    > >                                                            |
    > >                                                          DMZ
    > >My thoughts were that I could place the Cisco 871 in bridged mode, but
    > >still have it perform IP filtering to prevent a bunch of junk from
    > >hitting the firewall.  But, since it is bridged, the IP address will
    > >be assigned directly to the firewall.  One of the public IP addresses
    > >will be used to serve the internal LAN and the other public IP
    > >addresses will be assigned to machines within the DMZ.  Is it possible
    > >to assign ACL's to a bridged interface?  If not, that defeats the
    > >primary purpose of the Cisco 871 as a filtering device.  Is there a
    > >better way to do what I am trying to accomplish?  I have been assigned
    > >a x.x.x.x/28 subnet from my ISP.  Thanks!

    >
    > A bridge can't filter based on IP traffic, but can filter on other
    > criteria (ie. MAC address) that probably isn't too interesting to you,
    > although can be for other users. (BTW: I'd rather have a firewall box
    > dedicated to being a filter do it all rather than a router that can do
    > some of it?).  Its not like two filters are better than one. If you
    > don't trust the firewall to protect you as well as the cisco, then why
    > use it at all?
    >
    > I wouldn't bother with the 871 at all in your setup as given.
    >
    > If you do want to keep the 871 in there, and be able to filter on IP
    > level traffic and not do double NAT which was proposed to you at
    > first, you could take your /28 and split it into two. And then take
    > one of the /29's and split it into two /30's. Use one /30 to go from
    > the T1 to the 871. Use the 2nd /30 to go from the 871 to the firewall.
    > The firewall can do with what it wants on the other /29. Insert static
    > route statements to push the /29 down to the firewall to do with it as
    > it wants.
    >
    > Here you are doing full routing all the way through, only the firewall
    > is NAT'ing, and you can do IP filtering on the 871.


    Okay, I will try and digest all of this. It makes sense. Thank you
    for your help!

    Vincent
     
    Vincent, Feb 26, 2010
    #7
  8. Rob

    Rob Guest

    Vincent <> wrote:
    > On Feb 26, 4:24 am, bod43 <> wrote:
    >> On 26 Feb, 03:57, Vincent <> wrote:
    >>
    >> > If I place a Cisco 871 in bridging mode and put a dedicated firewall
    >> > behind it, am I still able to assign extended ACL's to the bridged
    >> > interface?  Or is it only able to handle standard ACL's?

    >>
    >> I have no idea if any IP ACLs work in bridge mode
    >> but I would think that if standard ones work then
    >> extended ones will too.
    >>
    >> You can always NAT on the router and NAT on the firewall too.
    >>
    >> router outside - Public IP
    >>      NAT here
    >> router inside 10.0.0.1
    >> firewall outside 10.0.0.2
    >>      NAT here too
    >> firewall inside - Private IP
    >>
    >> Obviously if you do complex NAT then it will be
    >> more work and more irritating but I have done this with
    >> IPSEC on the firewall and all was OK.
    >> DSL router (not cisco) and PIX.

    >
    > Well, maybe I am going about this the wrong way...I want to create
    > the
    > following setup:
    >
    > T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT), DMZ


    Why use it as a bridge? Do you get only a single IP address on
    your T1? When you get a block of addresses, you can use the 871
    as a router. Of course it will decrease the number of available addresses
    from your block.
     
    Rob, Feb 27, 2010
    #8