Firewall Config on 1700 IOS


I just added a WIC to our 1700 to provide a 2nd subnet to our office.

I would like to keep subnet 1 and subnet 2 from seeing each other.

Do I need to put another access list on the e0 interface that says, basically, permit to the internet, but deny to


Router1721#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1721
!
logging queue-limit 100
enable secret 5 WNZ.
enable password 7 0019
!
ip subnet-zero
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key AbCdE123 address
!
crypto ipsec transform-set To_VPN esp-3des esp-md5-hmac
!
crypto map To_VPN 10 ipsec-isakmp
 set peer
 set transform-set To_VPN
 match address 110
!
interface Ethernet0
 ip address
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 bandwidth 832000
 ip address
 ip nat outside
 no fair-queue
 crypto map To_VPN
!
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route Serial0
no ip http server
no ip http secure-server
!
access-list 1 permit
access-list 110 permit ip
access-list 120 deny ip
access-list 120 permit ip any
access-list 120 permit ip any
!
route-map nonat permit 10
 match ip address 120
!
line con 0
line aux 0
line vty 0 3
 password 7 1D
 login
line vty 4
 password 7 035
 login
!
end



I think the simplest solution would be like you say to add an access-list to e0.

I am not sure if there are any other ways of doing it. Something like this:

access-list xxx deny ip
access-list xxx permit ip any

Apply the access-list inbound on e0.

You could also add an access-list to fa0 to deny traffic to the 10. subnet to make it more concrete.


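The access-list approach from the reply above, written out in full as an added example (this is not configuration from the thread or from Cisco). The posted running config has its addresses stripped, so the subnets used here are assumptions: 10.10.10.0/24 behind Ethernet0 and 192.168.1.0/24 behind FastEthernet0. Two points the short reply leaves implicit: an IOS access list is evaluated first-match with an implicit deny at the end, so each list needs a closing permit or the subnet loses its Internet and VPN access; and access lists are stateless, so a list on e0 alone stops subnet 1 from reaching subnet 2 but not the reverse, which is why both LAN interfaces get one. The closing "permit ip any any" keeps the existing NAT (route-map nonat, list 120) and crypto map (list 110) behaviour unchanged, since an inbound LAN access list is checked before either of those sees the packet.

```cisco
! Added example, not part of the original thread.
! Assumed addressing (the real addresses are not in the posted config):
!   Ethernet0     = 10.10.10.0/24   (subnet 1)
!   FastEthernet0 = 192.168.1.0/24  (subnet 2)
! Lists 130 and 131 are chosen because 1, 110 and 120 are already in use.
!
! Packets arriving from subnet 1: drop anything addressed to subnet 2,
! then let everything else through (Internet via NAT, VPN via crypto map).
access-list 130 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 130 permit ip any any
!
! Packets arriving from subnet 2: the mirror image. Without this list
! subnet 2 could still open connections toward subnet 1.
access-list 131 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 131 permit ip any any
!
interface Ethernet0
 ip access-group 130 in
!
interface FastEthernet0
 ip access-group 131 in
!
! Checks after applying:
!   show ip access-lists 130      (hit counters on the deny line grow when
!                                  subnet 1 tries to reach subnet 2)
!   show ip interface Ethernet0   (confirms "Inbound access list is 130")
```

The "log" keyword makes each blocked flow show up in the router log (timestamped, given the "service timestamps log" line in the config), which is the quickest way to confirm the lists are matching before trusting them. Since the thread's running config was posted with the ISAKMP pre-shared key visible ("service password-encryption" does not obscure that line), rotating that key on both VPN peers is worth doing alongside this change.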
RobO Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.