Cisco Systems Firewall Config on 1700 IOS

Posted by CrimsonTide on September 9, 2005, 10:39 am
Hi,

I just added a WIC to our 1700 to provide a 2nd subnet to our office.

I would like to keep subnet 1 and subnet 2 from seeing each other.

Do I need to put another access list on the e0 interface that says,
basically, permit to the internet, but deny to 192.168.1.0?

Thanks



Router1721#
Router1721#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1721
!
logging queue-limit 100
enable secret 5 WNZ.
enable password 7 0019
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key AbCdE123 address 62.5.175.10
!
!
crypto ipsec transform-set To_VPN esp-3des esp-md5-hmac
!
crypto map To_VPN 10 ipsec-isakmp
set peer 62.5.175.10
set transform-set To_VPN
match address 110
!
!
!
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
ip nat inside
half-duplex
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0
bandwidth 832000
ip address 62.19.207.105 255.255.255.248
ip nat outside
no fair-queue
crypto map To_VPN
!

ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 120
!
!
line con 0
line aux 0
line vty 0 3
password 7 1D
login
line vty 4
password 7 035
login
!
end



Posted by RobO on September 10, 2005, 7:34 am
CrimsonTide wrote:
> Hi,
>
> I just added a WIC to our 1700 to provide a 2nd subnet to our office.
>
> I would like to keep subnet 1 and subnet 2 from seeing each other.
>
> Do I need to put another access list on the e0 interface that says,
> basically, permit to the internet, but deny to 192.168.1.0?
>
> Thanks

Hi,

I think the simplest solution would be like you say to add an
access-list to e0.

I am not sure if there are any other ways of doing it.
Something like this:

access-list xxx deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list xxx permit ip 10.1.1.0 0.0.0.255 any

Apply the access-list inbound on e0.

You could also add an access-list to fa0 to deny traffic to the 10.x
subnet to make it more concrete.

Rob
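Added example, not part of the thread: a small Python simulator of IOS numbered extended ACLs (wildcard masks, first match wins, implicit deny at the end) run over the poster's own ACLs 110/120 plus the two isolation lists Rob proposes. The ACL numbers 130 (inbound on e0) and 131 (inbound on fa0), the host addresses in the sample flows, and the simplified NAT/crypto ordering are assumptions made for illustration; the IOS config lines inside CONFIG are constructed from the thread. It shows that with only the e0 list, a 192.168.1.x host can still push one-way packets into 10.1.1.0/24 (only the replies are dropped), which is why the second list on fa0 is worth adding, and that the new 10.1.1.0 subnet is NATed to the Internet rather than carried in the VPN.

```python
"""Added example (not from the thread): simulate IOS extended ACL matching
to check what the proposed interface ACLs do to representative flows."""
import ipaddress

# Constructed config fragment: the poster's ACLs 110 (crypto) and 120 (nonat)
# plus the two isolation lists from the reply. Numbers 130/131 are an
# assumption; any extended-ACL number (100-199) would do on the router.
CONFIG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
access-list 130 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.1.0 0.0.0.255 any
access-list 131 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 131 permit ip 192.168.1.0 0.0.0.255 any
"""

# Which inbound ACL each LAN interface carries (assumed: ip access-group N in).
INGRESS_ACL = {"Ethernet0": "130", "FastEthernet0": "131"}
LOCAL_NETS = [ipaddress.ip_network("10.1.1.0/24"),
              ipaddress.ip_network("192.168.1.0/24")]


def parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i].
    Returns ((network, care_mask), next_index). A wildcard bit of 0 means
    'must match', so care = ~wildcard; masking the address with care is why
    IOS stores 192.168.1.1 0.0.0.255 as 192.168.1.0 0.0.0.255."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    care = int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF
    return (addr & care, care), i + 2


def parse_acls(text):
    """Collect 'access-list N permit|deny ip SRC DST' entries by number."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # standard lists and non-ip entries are out of scope here
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def matches(spec, ip):
    net, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == net


def evaluate(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"


def flow_outcome(acls, ingress, src, dst, ingress_acl=INGRESS_ACL):
    """Describe what happens to a packet entering 'ingress' from src to dst.
    Simplification (assumption): for traffic leaving Serial0 the nonat
    route-map (ACL 120) is consulted first, then the crypto ACL (110)."""
    name = ingress_acl.get(ingress)
    if name is not None and evaluate(acls[name], src, dst) == "deny":
        return "dropped-by-" + name
    if any(ipaddress.ip_address(dst) in n for n in LOCAL_NETS):
        return "routed-locally"  # LAN-to-LAN: neither NAT nor the crypto map applies
    if evaluate(acls["120"], src, dst) == "permit":
        return "natted-to-internet"  # translated to the Serial0 address, cleartext
    if evaluate(acls["110"], src, dst) == "permit":
        return "encrypted-to-vpn"  # crypto map To_VPN match
    return "unnatted-cleartext"  # exempted from NAT but not in the tunnel either


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    flows = [("Ethernet0", "10.1.1.5", "203.0.113.7"),
             ("Ethernet0", "10.1.1.5", "192.168.1.5"),
             ("FastEthernet0", "192.168.1.5", "10.1.1.5"),
             ("FastEthernet0", "192.168.1.5", "192.168.0.5"),
             ("Ethernet0", "10.1.1.5", "192.168.0.5"),
             ("FastEthernet0", "192.168.1.5", "192.168.2.5")]
    for ingress, src, dst in flows:
        print(f"{ingress:13} {src:>13} -> {dst:<13} {flow_outcome(acls, ingress, src, dst)}")
    # Same inter-subnet flow with no ACL on fa0: the first packet gets through.
    only_e0 = {"Ethernet0": "130"}
    print("fa0 without ACL:", flow_outcome(acls, "FastEthernet0", "192.168.1.5", "10.1.1.5", only_e0))
```

On the router the two lists are attached with `ip access-group 130 in` under `interface Ethernet0` and `ip access-group 131 in` under `interface FastEthernet0`. The last two sample flows are worth noticing in the poster's existing config: hosts on the new 10.1.1.0 subnet are not covered by crypto ACL 110, so their traffic to 192.168.0.0/24 is NATed out Serial0 in the clear rather than sent through the tunnel, and because ACL 120 exempts the whole of 192.168.0.0/16 from NAT while ACL 110 only encrypts 192.168.0.0/24, a 192.168.1.x packet to any other 192.168.x.0 network leaves Serial0 untranslated.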
