My network at the moment is this: 4 Mbit DSL line, range of public IPs from *.81 to *.87

.80 network address - not in use
.81 Cisco 837 router, IOS 12.3(7)T8
---------- DMZ below:
.82 FTP server
.83 WWW server
.84 honeypot server (lol)
.85 none
------- DMZ end.
.86 Symantec VPN hardware appliance 100
.87 broadcast address - not in use

Secure LAN: 192.168.0.xxx (NAT behind the Symantec firewall, IP .86)
Actually I use ACLs on my router. I used the IDS, but after the latest IOS the IDS only disrupts my communications, FTP etc... I cannot figure out which patterns make this mess.
The public servers are first screened by ACL rules on the Cisco 837, then on top of that they have a software packet filter with stateful inspection.
I would like to implement a LARGE ACL, including spyware hosts, trojan hosts, etc., as seen on
Is the C837 suitable for this? It has 8 MB flash and soon 48 MB DRAM (now 32).
Should I put a PIX 501 just behind the C837 to screen the DMZ (and the private LAN screened again by the Symantec firewall) with the whole long ACL?
Would the performance be degraded??
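Added example, not from the original post: one way to keep a large host blocklist small enough for a low-memory router like the C837 is to collapse duplicate and adjacent prefixes before turning them into ACL entries. The script below does that with the standard library and emits IOS-style extended ACL lines with wildcard masks; the blocklist values, the ACL name and the remark text are constructed placeholders (RFC 5737 documentation ranges), not real threat indicators.

```python
import ipaddress

# Constructed sample blocklist (documentation addresses, not real threat hosts).
SAMPLE_BLOCKLIST = [
    "192.0.2.0/25",
    "192.0.2.128/25",   # adjacent to the entry above: both merge into 192.0.2.0/24
    "198.51.100.7",     # bare host, treated as a /32
    "198.51.100.7",     # duplicate, dropped by the collapse step
    "203.0.113.64/26",
]


def collapse(entries):
    """Parse host/CIDR strings, drop duplicates and merge adjacent prefixes.

    Fewer access-control entries means less memory and less per-packet
    work on the router, which is the concern raised in the post.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def deny_entry(net):
    """Render one IPv4 network as an IOS extended-ACL deny line.

    IOS uses wildcard masks (the inverse of the netmask); ipaddress exposes
    that directly as `hostmask`. A /32 uses the shorter `host` keyword.
    """
    if net.prefixlen == 32:
        return f" deny ip host {net.network_address} any log"
    return f" deny ip {net.network_address} {net.hostmask} any log"


def build_acl(name, entries):
    """Return the lines of a named extended ACL: header, deny block, remark.

    The permit rules for the DMZ servers are intentionally not generated here;
    they belong after the deny block in the router's own existing ACL.
    """
    lines = [
        f"ip access-list extended {name}",
        " remark constructed example: blocklist collapsed to reduce ACE count",
    ]
    lines += [deny_entry(n) for n in collapse(entries)]
    lines.append(" remark existing permit rules for the DMZ servers follow")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl("BLOCKLIST-IN", SAMPLE_BLOCKLIST)))
```

The five input entries collapse to three ACEs; on a real list the reduction is usually much larger, so it is worth checking the collapsed count before deciding whether the router can hold the ACL.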