Firewall Config on 1700 IOS

Hi,

I just added a WIC to our 1700 to provide a 2nd subnet to our office.

I would like to keep subnet 1 and subnet 2 from seeing each other.

Do I need to put another access list on the e0 interface that says, basically, permit to the internet, but deny to 192.168.1.0?

Thanks

Router1721#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1721
!
logging queue-limit 100
enable secret 5 WNZ.
enable password 7 0019
!
ip subnet-zero
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key AbCdE123 address 62.5.175.10
!
crypto ipsec transform-set To_VPN esp-3des esp-md5-hmac
!
crypto map To_VPN 10 ipsec-isakmp
 set peer 62.5.175.10
 set transform-set To_VPN
 match address 110
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 bandwidth 832000
 ip address 62.19.207.105 255.255.255.248
 ip nat outside
 no fair-queue
 crypto map To_VPN
!
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 120
!
line con 0
line aux 0
line vty 0 3
 password 7 1D
 login
line vty 4
 password 7 035
 login
!
end

CrimsonTide

Hi,

I think the simplest solution would be, like you say, to add an access-list to e0.

I am not sure if there are any other ways of doing it. Something like this:

access-list xxx deny ip 10.1.1.0 0.0.0.255 192.168.1.1 0.0.0.255
access-list xxx permit ip 10.1.1.0 0.0.0.255 any

Apply the access-list inbound on e0.

You could also add an access-list to fa0 to deny traffic to the 10. subnet to make it more concrete.

Rob

RobO
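The access list suggested in the reply can be checked offline before it is applied to Ethernet0. The following is an added example, not code from the original thread or from Cisco: a small Python model of how IOS evaluates a numbered extended IP access list (wildcard masks, first match wins, implicit deny at the end), run over constructed sample packets for the question in the opening post. The ACL number 130 (in place of the reply's "xxx"), the host addresses and the packet names are assumptions. It also shows the failure mode when the two entries are written in the wrong order, and why the reply's "192.168.1.1 0.0.0.255" matches exactly the same packets as "192.168.1.0 0.0.0.255".

```python
"""Offline check of an IOS-style extended access list (added example).

Models three rules Cisco IOS applies to numbered extended IP ACLs:
  * wildcard masks (a 1 bit means "don't care"),
  * first matching entry wins,
  * an implicit "deny ip any any" at the end.
Only the 'access-list N permit|deny ip SRC DST' form is parsed, with
SRC/DST given as 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source address as an integer
    src_wc: int   # source wildcard mask as an integer
    dst: int
    dst_wc: int


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse the supported 'access-list' lines into a list of Ace entries, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        aces.append(Ace(t[2], src, src_wc, dst, dst_wc))
    return aces


def _wc_match(addr, base, wildcard):
    """Wildcard-mask comparison: bits set in the wildcard are ignored.
    This is why IOS treats '192.168.1.1 0.0.0.255' the same as '192.168.1.0 0.0.0.255'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces, src_ip, dst_ip):
    """Verdict for one packet: first match wins; no match falls to the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in aces:
        if _wc_match(s, ace.src, ace.src_wc) and _wc_match(d, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# The two entries suggested in the reply, with the 'xxx' placeholder filled in as
# 130 (an assumption; any free extended ACL number in 100-199 would do).
PROPOSED_ACL = """
access-list 130 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.1.0 0.0.0.255 any
"""

# Same two entries in the wrong order: the 'permit ... any' is hit first for
# every packet, so the deny never matches and the subnets are not isolated.
MISORDERED_ACL = """
access-list 130 permit ip 10.1.1.0 0.0.0.255 any
access-list 130 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed sample packets as they would arrive inbound on Ethernet0
# (10.1.1.25 is a made-up host on the new subnet).
SAMPLE_PACKETS = {
    "to_other_subnet": ("10.1.1.25", "192.168.1.40"),  # host on the 192.168.1.0 LAN
    "to_router_fa0":   ("10.1.1.25", "192.168.1.1"),   # the router's own fa0 address
    "to_internet":     ("10.1.1.25", "203.0.113.7"),   # documentation-range address
    "to_vpn_network":  ("10.1.1.25", "192.168.0.9"),   # remote network from ACL 110 in the posted config
}


def check_isolation(acl_text, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the verdict the given access list would produce."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, s, d) for name, (s, d) in packets.items()}


if __name__ == "__main__":
    for label, acl in (("proposed", PROPOSED_ACL), ("misordered", MISORDERED_ACL)):
        print(label, check_isolation(acl))
```

Two things the check makes visible. First, the list only takes effect once it is bound to the interface with `ip access-group 130 in` under `interface Ethernet0`; the entries alone do nothing. Second, an interface ACL has no connection state, so the inbound deny on e0 also drops replies from 10.1.1.x hosts to sessions that a 192.168.1.x host started, which is what makes a single inbound list on e0 enough to keep the two subnets apart for TCP; the "to_vpn_network" verdict shows that traffic from the new subnet towards the remote 192.168.0.0/24 network is still permitted by this list, which is a separate decision for the administrator.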

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.