core router firewall issue

We just upgraded our edge router and added a Juniper NetScreen firewall to our network, and I am trying to use the old 1721 as a core VLAN router. Do you think it is possible to use the one Ethernet port to do internal VLAN routing, and push outbound Internet traffic to another switchport (on VLAN 1, the native VLAN) where the trust interface of the firewall lies (192.168.1.1 255.255.255.0)? My problem is that I can get things working on the native VLAN (VLAN 1), but no go for workstations bound to the other interfaces (10, 20, 30, etc.). Please let me know if it is possible via some tweaks to the config below, or if I just need to go purchase an Ethernet WIC to make this work. Thanks. The access list is something I am starting to build to stave off some of the P2P; I know it is not a complete solution.

Here is the config

clock timezone pst -8
clock summer-time pdt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip name-server 206.13.28.12
ip name-server 206.13.31.12
!
! note: .250 (the router's own address in each subnet) is excluded only for the 192.168.1.0 pool
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.250 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.200.1 192.168.200.10
!
ip dhcp pool 0
   network 192.168.1.0 255.255.255.0
   domain-name group1.local
   dns-server 206.13.28.12 206.13.31.12
   default-router 192.168.1.250
!
ip dhcp pool 10
   network 192.168.10.0 255.255.255.0
   dns-server 206.13.28.12 206.13.31.12
   domain-name group10.local
   default-router 192.168.10.250
!
ip dhcp pool 20
   network 192.168.20.0 255.255.255.0
   dns-server 206.13.28.12 206.13.31.12
   domain-name group20.local
   default-router 192.168.20.250
!
ip dhcp pool 30
   network 192.168.30.0 255.255.255.0
   dns-server 206.13.28.12 206.13.31.12
   domain-name group30.local
   default-router 192.168.30.250
!
ip dhcp pool 100
   network 192.168.100.0 255.255.255.0
   dns-server 192.168.100.1
   domain-name office.local
   default-router 192.168.100.250
!
ip dhcp pool 200
   network 192.168.200.0 255.255.255.0
   dns-server 206.13.28.12 206.13.31.12
   default-router 192.168.200.250
   domain-name group200.local
!
ip cef
!
! physical port: untagged frames = native VLAN 1; the firewall's trust interface (192.168.1.1) is in this subnet
interface FastEthernet0
 description TO LOCAL LAN
 ip address 192.168.1.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 speed 100
 full-duplex
!
! one 802.1Q sub-interface per internal VLAN (router-on-a-stick)
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.10.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.20.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 ip address 192.168.30.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 ip address 192.168.100.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0.200
 encapsulation dot1Q 200
 ip address 192.168.200.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 no snmp trap link-status
!
ip classless
! everything non-local goes to the firewall's trust interface
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
logging 192.168.100.1
!
! ACL 110 is applied inbound on the inside interfaces, so it only sees traffic
! sourced by workstations; "any any eq N" matches the destination port only.
access-list 110 deny tcp any any eq 1214 log-input
access-list 110 deny tcp any any eq 1337 log-input
access-list 110 deny tcp any any eq 2234 log-input
access-list 110 deny tcp any any eq 5534 log-input
access-list 110 deny tcp any any range 4000 4100 log-input
access-list 110 deny tcp any any eq 4500 log-input
access-list 110 deny tcp any any range 9000 9100 log-input
access-list 110 deny tcp any any range 5500 5503 log-input
access-list 110 deny tcp any any eq 7778 log-input
access-list 110 deny tcp any any eq 6667 log-input
access-list 110 deny tcp any any eq 2323 log-input
access-list 110 deny tcp any any eq 4242 log-input
access-list 110 deny tcp any any range 6346 6352 log-input
access-list 110 deny tcp any any range 6881 6889 log-input
access-list 110 deny tcp any any eq 6969 log-input
access-list 110 deny tcp any any eq 8875 log-input
access-list 110 deny tcp any any eq 4444 log-input
access-list 110 deny tcp any any eq 5555 log-input
access-list 110 deny tcp any any eq 6666 log-input
access-list 110 deny tcp any any eq 7777 log-input
access-list 110 deny tcp any any eq 8888 log-input
access-list 110 deny tcp any any eq 6699 log-input
access-list 110 deny tcp any any eq 6257 log-input
access-list 110 deny tcp any any eq 4329 log-input
! note: the "range 4000 4100" and "eq 4500" entries above are already covered by this range
access-list 110 deny tcp any any range 4000 4999 log-input
access-list 110 deny tcp any any eq 3128 log-input
access-list 110 deny tcp any any eq 8088 log-input
access-list 110 deny tcp any any eq 11523 log-input
access-list 110 deny tcp any any range 81 83 log-input
access-list 110 permit ip any any

psykotic
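The three pieces that have to agree for the one-port ("router-on-a-stick") layout described in the post, shown as an added example; this is not the original poster's configuration and not taken from any vendor document. The VLAN numbers and addresses reuse the post's; the switch being a Catalyst running IOS, the switch port numbers, and the ScreenOS `set route` syntax are assumptions. The post's DHCP pools and ACL 110 are left out to keep the routing path visible. The check worth making in this layout is the return path: hosts on VLAN 10 reach the Internet through 192.168.10.250, then across the native VLAN to 192.168.1.1, but the firewall only knows 192.168.1.0/24 as a connected network, so unless it has a route for 192.168.10.0/24 pointing back at 192.168.1.250 its replies to 192.168.10.x hosts follow its default route instead of returning to the router.

```cisco
! --- Router (Cisco 1721, single FastEthernet port; added example) ---
! Untagged frames on the physical interface are native VLAN 1; each
! sub-interface carries one 802.1Q tag. Traffic from VLAN 10 to the
! Internet enters tagged on Fa0.10 and leaves untagged on Fa0 toward
! the firewall, on the same wire.
interface FastEthernet0
 description Trunk to core switch, native VLAN 1 untagged
 ip address 192.168.1.250 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.10.250 255.255.255.0
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.20.250 255.255.255.0
!
! Everything not local goes to the firewall's trust interface.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! --- Core switch (Catalyst IOS assumed; port numbers are hypothetical) ---
! The router port is a trunk whose native VLAN matches the router's
! untagged interface (VLAN 1). The firewall and the workstations sit
! on access ports in their own VLANs. Drop the "encapsulation dot1q"
! line on models that only speak 802.1Q and reject it.
interface FastEthernet0/1
 description Uplink to 1721 router-on-a-stick
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30,100,200
 switchport mode trunk
!
interface FastEthernet0/2
 description NetScreen trust interface (192.168.1.1)
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0/3
 description Workstation on VLAN 10
 switchport access vlan 10
 switchport mode access
!
! --- NetScreen (ScreenOS syntax assumed) ---
! One static route per non-native VLAN subnet, next hop = the router's
! native-VLAN address. Without these the firewall has no path back to
! 192.168.10.x and sends the reply out its default route instead.
set route 192.168.10.0/24 interface trust gateway 192.168.1.250
set route 192.168.20.0/24 interface trust gateway 192.168.1.250
set route 192.168.30.0/24 interface trust gateway 192.168.1.250
set route 192.168.100.0/24 interface trust gateway 192.168.1.250
set route 192.168.200.0/24 interface trust gateway 192.168.1.250
```

To confirm the path from a VLAN 10 workstation, a traceroute to an Internet address should show 192.168.10.250 as the first hop and 192.168.1.1 as the second; if the first hop answers but the second never does, the switch-side trunk or the firewall's return routes are the places to look. On the router, `show ip interface brief` should list each sub-interface as up/up; a sub-interface that is up while hosts on that VLAN cannot reach even 192.168.10.250 points at the switch trunk not carrying that tag.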

If your firewall supports dot1q, you can do it, but you had better purchase an Ethernet WIC to make this work; it will make your network more secure.

shen

Yes, you can do it, but I advise you to purchase an Ethernet WIC to make this work; it will make your network more secure.

shen

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.