core router firewall issue

Discussion in 'Cisco' started by psykotic, Aug 9, 2005.

  1. psykotic

    psykotic Guest

    We just upgraded our edge router and added a Juniper NetScreen firewall
    to our network and I am trying to use the old 1721 for a core VLAN
    router. Do you think it is possible to use the one Ethernet port to do
    internal VLAN routing, and push outbound internet traffic to another
    switchport (on VLAN 1, the native VLAN) where the trust interface of the
    firewall lies (192.168.1.1 255.255.255.0)? My problem is that I can get
    things working on the native VLAN (VLAN 1), but no go for
    workstations bound to other interfaces (10, 20, 30, etc.). Please let me
    know if it is possible via some tweaks to the config below, or if I
    just need to go purchase an Ethernet WIC to make this work. Thxs.
    The access list is something I am starting to build to stave off some
    of the p2p. I know it is not a complete solution.

    Here is the config:


    clock timezone pst -8
    clock summer-time pdt recurring
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    ip name-server 206.13.28.12
    ip name-server 206.13.31.12
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.250 192.168.1.254
    ip dhcp excluded-address 192.168.10.1 192.168.10.10
    ip dhcp excluded-address 192.168.20.1 192.168.20.10
    ip dhcp excluded-address 192.168.30.1 192.168.30.10
    ip dhcp excluded-address 192.168.100.1 192.168.100.10
    ip dhcp excluded-address 192.168.200.1 192.168.200.10
    !
    ip dhcp pool 0
    network 192.168.1.0 255.255.255.0
    domain-name group1.local
    dns-server 206.13.28.12 206.13.31.12
    default-router 192.168.1.250
    !
    ip dhcp pool 10
    network 192.168.10.0 255.255.255.0
    dns-server 206.13.28.12 206.13.31.12
    domain-name group10.local
    default-router 192.168.10.250
    !
    ip dhcp pool 20
    network 192.168.20.0 255.255.255.0
    dns-server 206.13.28.12 206.13.31.12
    domain-name group20.local
    default-router 192.168.20.250
    !
    ip dhcp pool 30
    network 192.168.30.0 255.255.255.0
    dns-server 206.13.28.12 206.13.31.12
    domain-name group30.local
    default-router 192.168.30.250
    !
    ip dhcp pool 100
    network 192.168.100.0 255.255.255.0
    dns-server 192.168.100.1
    domain-name office.local
    default-router 192.168.100.250
    !
    ip dhcp pool 200
    network 192.168.200.0 255.255.255.0
    dns-server 206.13.28.12 206.13.31.12
    default-router 192.168.200.250
    domain-name group200.local
    !
    ip cef
    !
    !
    !
    !
    interface FastEthernet0
    description TO LOCAL LAN
    ip address 192.168.1.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    speed 100
    full-duplex
    !
    interface FastEthernet0.10
    encapsulation dot1Q 10
    ip address 192.168.10.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    no snmp trap link-status
    !
    interface FastEthernet0.20
    encapsulation dot1Q 20
    ip address 192.168.20.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    no snmp trap link-status
    !
    interface FastEthernet0.30
    encapsulation dot1Q 30
    ip address 192.168.30.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    no snmp trap link-status
    !
    interface FastEthernet0.100
    encapsulation dot1Q 100
    ip address 192.168.100.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    no snmp trap link-status
    !
    interface FastEthernet0.200
    encapsulation dot1Q 200
    ip address 192.168.200.250 255.255.255.0
    ip access-group 110 in
    ip nat inside
    no snmp trap link-status
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    no ip http server
    !
    !
    logging 192.168.100.1
    access-list 110 deny tcp any any eq 1214 log-input
    access-list 110 deny tcp any any eq 1337 log-input
    access-list 110 deny tcp any any eq 2234 log-input
    access-list 110 deny tcp any any eq 5534 log-input
    access-list 110 deny tcp any any range 4000 4100 log-input
    access-list 110 deny tcp any any eq 4500 log-input
    access-list 110 deny tcp any any range 9000 9100 log-input
    access-list 110 deny tcp any any range 5500 5503 log-input
    access-list 110 deny tcp any any eq 7778 log-input
    access-list 110 deny tcp any any eq 6667 log-input
    access-list 110 deny tcp any any eq 2323 log-input
    access-list 110 deny tcp any any eq 4242 log-input
    access-list 110 deny tcp any any range 6346 6352 log-input
    access-list 110 deny tcp any any range 6881 6889 log-input
    access-list 110 deny tcp any any eq 6969 log-input
    access-list 110 deny tcp any any eq 8875 log-input
    access-list 110 deny tcp any any eq 4444 log-input
    access-list 110 deny tcp any any eq 5555 log-input
    access-list 110 deny tcp any any eq 6666 log-input
    access-list 110 deny tcp any any eq 7777 log-input
    access-list 110 deny tcp any any eq 8888 log-input
    access-list 110 deny tcp any any eq 6699 log-input
    access-list 110 deny tcp any any eq 6257 log-input
    access-list 110 deny tcp any any eq 4329 log-input
    access-list 110 deny tcp any any range 4000 4999 log-input
    access-list 110 deny tcp any any eq 3128 log-input
    access-list 110 deny tcp any any eq 8088 log-input
    access-list 110 deny tcp any any eq 11523 log-input
    access-list 110 deny tcp any any range 81 83 log-input
    access-list 110 permit ip any any
     
    psykotic, Aug 9, 2005
    #1
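    As an added example (not from the thread or either poster), a short Python check over an excerpt of the config posted above: it lists the VLAN subnets the NetScreen is not directly connected to, each of which needs a static route on the firewall with 192.168.1.250 as next hop before replies can get back to those VLANs, and it flags ACL 110 deny lines that overlap the Windows 2000/XP client port range 1025-5000, because the same ACL is applied inbound on FastEthernet0, where the firewall's replies enter the router. It assumes the firewall holds no routes beyond its connected subnets and that the clients are Windows 2000/XP hosts.

```python
import ipaddress
# Constructed excerpt of the 1721 config posted above (same values, trimmed).
CONFIG = """
interface FastEthernet0
 ip address 192.168.1.250 255.255.255.0
interface FastEthernet0.10
 ip address 192.168.10.250 255.255.255.0
interface FastEthernet0.20
 ip address 192.168.20.250 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 110 deny tcp any any eq 1214 log-input
access-list 110 deny tcp any any range 4000 4999 log-input
access-list 110 deny tcp any any range 6881 6889 log-input
access-list 110 permit ip any any
"""

def parse_config(text):
    """Return (interfaces, default_gw, acl); acl holds (action, lo, hi)
    TCP port bounds per access-list 110 line ('permit ip any any' -> all)."""
    interfaces, acl, default_gw, current = [], [], None, None
    for w in map(str.split, text.splitlines()):
        if not w:
            continue
        if w[0] == "interface":
            current = w[1]
        elif w[:2] == ["ip", "address"] and current:
            interfaces.append((current, ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")))
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            default_gw = ipaddress.IPv4Address(w[4])
        elif w[:2] == ["access-list", "110"]:
            lo, hi = 0, 65535  # no port qualifier: every port
            if "eq" in w:
                lo = hi = int(w[w.index("eq") + 1])
            elif "range" in w:
                lo, hi = int(w[w.index("range") + 1]), int(w[w.index("range") + 2])
            acl.append((w[2], lo, hi))
    return interfaces, default_gw, acl

def return_routes(interfaces, default_gw):
    """Subnets the firewall is not directly connected to, each paired with the
    next hop (the router's address on the firewall's subnet) it must route via."""
    fw_side = next(i for _, i in interfaces if default_gw in i.network)
    return [(str(i.network), str(fw_side.ip))
            for _, i in interfaces if default_gw not in i.network]

def ephemeral_collisions(acl, lo=1025, hi=5000):
    """Deny lines that also match replies to Windows 2000/XP client ports; ACL
    110 is inbound on FastEthernet0 too, where replies from the firewall enter."""
    return [(a, b) for act, a, b in acl if act == "deny" and a <= hi and b >= lo]
```

    Hosts on VLAN 1 are unaffected by either finding, since their replies come straight from the firewall over the switch without crossing the router, which matches the symptom of only VLAN 1 working.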

  2. psykotic

    shen Guest

    psykotic wrote:
    > We just upgraded our edge router and added a juniper netscreen firewall
    > to our network and I am trying to use the old 1721 for a core vlan
    > router. Do you think it is possible to use the one ethernet port to do
    > internal vlan routing, and push outbound internet traffic to another
    > switchport (on vlan 1, the native vlan)where the trust interface of the
    > firewall lies(192.168.1.1 255.255.255.0)? My problem is that I can get
    > things working on the native vlan (vlan 1).........but no go
    > workstations bound to other interfaces (10,20,30, etc.) Please let me
    > know if it is possible via some tweaks to the config below, or if i
    > just need to go purchase an ethernet wic to make this work. Thxs.
    > The access list is something I am starting to build to stave off some
    > of the p2p.......i know it is not a complete solution.

    If your firewall supports dot1q, you can do it, but
    you had better purchase an Ethernet WIC to make this work; it will make
    your network more secure.
     
    shen, Aug 9, 2005
    #2

  3. psykotic

    shen Guest

    psykotic wrote:
    > We just upgraded our edge router and added a juniper netscreen firewall
    > to our network and I am trying to use the old 1721 for a core vlan
    > router. Do you think it is possible to use the one ethernet port to do
    > internal vlan routing, and push outbound internet traffic to another
    > switchport (on vlan 1, the native vlan)where the trust interface of the
    > firewall lies(192.168.1.1 255.255.255.0)? My problem is that I can get
    > things working on the native vlan (vlan 1).........but no go
    > workstations bound to other interfaces (10,20,30, etc.) Please let me
    > know if it is possible via some tweaks to the config below, or if i
    > just need to go purchase an ethernet wic to make this work. Thxs.
    > The access list is something I am starting to build to stave off some
    > of the p2p.......i know it is not a complete solution.
    >

    Yes, you can do it, but I advise you to purchase an Ethernet WIC to make this
    work; it will make your network more secure.
     
    shen, Aug 9, 2005
    #3