Cisco 871 -- Bridge Mode

If I place a Cisco 871 in bridging mode and put a dedicated firewall behind it, am I still able to assign extended ACLs to the bridged interface? Or is it only able to handle standard ACLs?

Thanks.

Vincent


I have no idea if any IP ACLs work in bridge mode but I would think that if standard ones work then extended ones will too.

You can always NAT on the router and NAT on the firewall too.

router outside   - Public IP (NAT here)
router inside    - 10.0.0.1
firewall outside - 10.0.0.2 (NAT here too)
firewall inside  - Private IP

Obviously if you do complex NAT then it will be more work and more irritating, but I have done this with IPSEC on the firewall and all was OK. DSL router (not Cisco) and PIX.

bod43

Well, maybe I am going about this the wrong way...I want to create the following setup:

T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT) | DMZ

My thoughts were that I could place the Cisco 871 in bridged mode, but still have it perform IP filtering to prevent a bunch of junk from hitting the firewall. But, since it is bridged, the IP address will be assigned directly to the firewall. One of the public IP addresses will be used to serve the internal LAN and the other public IP addresses will be assigned to machines within the DMZ. Is it possible to assign ACLs to a bridged interface? If not, that defeats the primary purpose of the Cisco 871 as a filtering device. Is there a better way to do what I am trying to accomplish? I have been assigned a x.x.x.x/28 subnet from my ISP. Thanks!

Vincent



A bridge can't filter based on IP traffic, but can filter on other criteria (i.e. MAC address) that probably isn't too interesting to you, although it can be for other users. (BTW: I'd rather have a firewall box dedicated to being a filter do it all rather than a router that can do some of it?) It's not like two filters are better than one. If you don't trust the firewall to protect you as well as the Cisco, then why use it at all?

I wouldn't bother with the 871 at all in your setup as given.

If you do want to keep the 871 in there, and be able to filter on IP level traffic and not do double NAT which was proposed to you at first, you could take your /28 and split it into two. And then take one of the /29s and split it into two /30s. Use one /30 to go from the T1 to the 871. Use the 2nd /30 to go from the 871 to the firewall. The firewall can do what it wants with the other /29. Insert static route statements to push the /29 down to the firewall to do with it as it wants.

Here you are doing full routing all the way through, only the firewall is NAT'ing, and you can do IP filtering on the 871.

Doug McIntyre
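Doug McIntyre's /28 split above, worked through as an added example (not code from the thread or from Cisco): Python that carves the block into the two /30 transit links and the routed /29, checks the pieces are disjoint and cover the whole /28, and renders the routed 871 addressing, static routes and inbound extended ACL it implies. The 203.0.113.0/28 documentation block, the interface names (FastEthernet4 toward the T1 CSU/DSU, Vlan1 toward the firewall) and the ACL name FROM-ISP are assumptions.

```python
import ipaddress

# Constructed sample: a documentation /28 standing in for the ISP-assigned x.x.x.x/28.
ISP_BLOCK = "203.0.113.0/28"

def carve_plan(block):
    """Split the /28 into two /29s; the first /29 becomes two /30 transit links."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 28:
        raise ValueError("expected a /28 from the ISP")
    transit29, routed29 = net.subnets(new_prefix=29)
    isp_link, fw_link = transit29.subnets(new_prefix=30)
    return {"isp_link": isp_link, "fw_link": fw_link, "routed": routed29}

def plan_is_consistent(plan, block):
    """The three pieces must be disjoint, inside the block, and cover all of it."""
    net = ipaddress.ip_network(block)
    pieces = list(plan.values())
    disjoint = all(not a.overlaps(b) for i, a in enumerate(pieces) for b in pieces[i + 1:])
    covered = sum(p.num_addresses for p in pieces) == net.num_addresses
    return disjoint and covered and all(p.subnet_of(net) for p in pieces)

def render_ios(plan):
    """Routed (not bridged) 871: interface addresses, static routes, inbound ACL.
    Interface names are assumptions: FastEthernet4 = WAN port, Vlan1 = switch ports."""
    isp_hop, rtr_out = plan["isp_link"].hosts()   # ISP side, 871 outside
    rtr_in, fw_out = plan["fw_link"].hosts()      # 871 inside, firewall outside
    routed = plan["routed"]
    return "\n".join([
        "interface FastEthernet4",
        f" ip address {rtr_out} {plan['isp_link'].netmask}",
        " ip access-group FROM-ISP in",
        "interface Vlan1",
        f" ip address {rtr_in} {plan['fw_link'].netmask}",
        f"ip route 0.0.0.0 0.0.0.0 {isp_hop}",
        f"ip route {routed.network_address} {routed.netmask} {fw_out}",
        "ip access-list extended FROM-ISP",
        " deny ip 10.0.0.0 0.255.255.255 any",     # RFC1918 sources are junk on a T1
        " deny ip 172.16.0.0 0.15.255.255 any",
        " deny ip 192.168.0.0 0.0.255.255 any",
        f" permit ip any {routed.network_address} {routed.hostmask}",
        f" permit ip any host {fw_out}",
        " deny ip any any log",                    # everything else dropped and logged
    ])

if __name__ == "__main__":
    plan = carve_plan(ISP_BLOCK)
    assert plan_is_consistent(plan, ISP_BLOCK)
    print(render_ios(plan))
```

The firewall then does its own NAT behind the /30 and owns the routed /29 for the LAN and DMZ hosts, which is the arrangement the post describes.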


Okay, I will try and digest all of this. It makes sense. Thank you for your help!

Vincent


Greetings,

The catch is that Bridging is a TCP/IP Layer 2 function, and you want to use ACLs that work on IP addresses, which are a Layer 3 function, so this is not going to work. About all you can use for ACLs on a Bridged interface are the 7xx series which handle Layer 2 MAC addresses only, and that's about it.

With this configuration any Layer 3 work you need to do will have to be done on the Firewall.

Sorry... pk.

Peter

Why use it as a bridge? Do you get only a single IP address on your T1? When you get a block of addresses, you can use the 871 as a router. Of course it will decrease the number of available addresses from your block.

Rob

I think that the C871 is already a powerful firewall solution for SOHO.

With the right IOS you can do all the firewalling on the C871, and DMZ too.

Elia S.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.