Subject: Firewall per subnet with 1 Cisco router
Category: Computers > Security
Asked by: dcovell-ga
List Price: $30.00
Posted: 25 Aug 2004 15:10 PDT
Expires: 04 Sep 2004 15:54 PDT
Question ID: 392594
I have 2 subnets (10.0.1.0/24 and 10.0.2.0/24) both plugged into the same Cisco 2611xm router with the physical interface fastethernet0/0 being 10.0.1.254 and fastethernet0/1 being 10.0.2.254. The problem is I need the subnets to talk to each other but at the same time have different internet routes. The 10.0.1.0/24 subnet needs to send all internet traffic to 10.0.1.250 and the 10.0.2.0/24 subnet needs to send all internet traffic to 10.0.2.250.
Subject: Re: Firewall per subnet with 1 Cisco router
From: crythias-ga on 26 Aug 2004 20:38 PDT
The devices on the subnets need their gateway (0.0.0.0) routes to point to 10.0.1.250... at that point, in the router, have each 10.0.x.250 point to the WAN but have a static routing table (in 10.0.1) of 10.0.2.0/24 route to 10.0.2.250 and the reverse in 10.0.2... However, this is possibly tough to route properly on the same physical fe0 (depends on the IOS). The better way would actually be to have different WICs for each network. Probably not likely to happen, but you must get two different static routes on the same physical interface. Possible? Maybe, but it may not be the best in performance.
Subject: Re: Firewall per subnet with 1 Cisco router
From: antoiglesias-ga on 02 Sep 2004 00:04 PDT
In my opinion you should configure your devices in the following way:

Hosts on 10.0.1.0/24 (except 10.0.1.250 and 10.0.1.254): their default gateway should be 10.0.1.250. Something like:

    ip route 0.0.0.0 0.0.0.0 10.0.1.250

Hosts on 10.0.2.0/24 (except 10.0.2.250 and 10.0.2.254): their default gateway should be 10.0.2.250. Something like:

    ip route 0.0.0.0 0.0.0.0 10.0.2.250

Device with IP address 10.0.1.250: it should have the following static route stating that 10.0.2.0/24 is reachable via the Cisco router. Something like:

    ip route 10.0.2.0 255.255.255.0 10.0.1.254

Device with IP address 10.0.2.250: it should have the following static route stating that 10.0.1.0/24 is reachable via the Cisco router. Something like:

    ip route 10.0.1.0 255.255.255.0 10.0.2.254

Cisco router: to allow this operation it is not necessary to configure any static route in the router. From the moment you assign IP addresses to F0/0 and F0/1, it knows how to reach 10.0.1.0/24 and 10.0.2.0/24.

The operation would be as follows:

1) Let us suppose that device 10.0.1.10 needs to talk to 10.0.2.10. It would work in the following way: from 10.0.1.10 to 10.0.1.250 to 10.0.1.254 (Cisco's F0/0) to 10.0.2.10 via F0/1. The reverse path would be: from 10.0.2.10 to 10.0.2.250 to 10.0.2.254 (Cisco's F0/1) to 10.0.1.10 via F0/0.

2) Let us suppose now that the traffic is from 10.0.1.10 to the Internet: from 10.0.1.10 to 10.0.1.250. At this point the device 10.0.1.250 takes the forwarding decision and, probably using a default route, would send the traffic to the proper next hop, which might be, for example, the Internet Service Provider's router.
Subject: Re: Firewall per subnet with 1 Cisco router
From: dcovell-ga on 02 Sep 2004 10:05 PDT
I spoke with Cisco about this as well and the answer they gave me was to set the PIX firewalls as the default gateways and then set a static route in the PIXes back to the router. The router would then connect the 2 subnets together by passing 10.0.1.0 traffic off to 10.0.1.250 and then 10.0.2.0 traffic to 10.0.2.250. Thank you for your comments as they confirm that this solution is the best one available. I really would have liked to have the router as the default gateway but that looks like it is not going to happen.
Subject: Policy Based Routing - Re: Firewall per subnet with 1 Cisco router
From: dcovell-ga on 04 Sep 2004 15:54 PDT
Finally I spoke with another Cisco Tech who gave me the answer I was looking for. The problem with using a PIX as the default gateway is they are not designed to route traffic except internally to its interfaces. So the previous plan that Cisco gave me failed. Policy based routing is what I was looking for but the several steps involved were confusing to me. I now have policy based routing on the 2611xm and it works great with the interfaces on the router acting as the default gateways. Here is the email from Cisco explaining the steps and the actual commands:

Topology:

    T1----PIX1---10.0.1.0------ROUTER-----10.0.2.0-----PIX2---CableModem

Workstations on the 10.0.1.0 network should be sent to the Internet through the T1 link, and the 10.0.2.0 network through the cable modem. Each network should be able to see the other. The original problem was that the workstations were using the PIX as a default gateway. The PIX is not able to re-route packets through the same interface in which it received them in the first place. The best way to deal with this is to change the default gateway of the workstations to point to the router. To make all this configuration work we needed to configure PBR (Policy Based Routing). This is the configuration we did:

SELECTING INTERESTING TRAFFIC

    conf t
    ! LAN-to-LAN traffic is denied first so it falls through to normal routing;
    ! everything else sourced from the LAN is "interesting" and gets policy-routed
    access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    access-list 110 permit ip 10.0.1.0 0.0.0.255 any
    access-list 120 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 120 permit ip 10.0.2.0 0.0.0.255 any

CREATING ROUTE-MAPS

    ! Each route-map matches its ACL and sets the PIX on that LAN as next hop
    route-map PBR1 permit 10
     match ip address 110
     set ip next-hop 10.0.1.250
    exit
    route-map PBR2 permit 10
     match ip address 120
     set ip next-hop 10.0.2.250
    exit

APPLYING PBR

    ! The policy is applied to the interface the traffic arrives on
    interface fast0/0
     ip policy route-map PBR1
    interface fast0/1
     ip policy route-map PBR2

BIG THANKS to Ricardo Prado of Cisco for helping me with this. Hopefully this will help someone else in the future.
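As an added illustration (not from the thread or from Cisco), here is a small Python model of how the router evaluates the ACLs and route-maps above: IOS wildcard-mask matching, the deny-then-permit ordering that keeps LAN-to-LAN traffic on normal routing, and the fallback to the connected routes when the route-map does not match. The interface names, a routing table holding only the two connected subnets (no default route on the router), and the sample packets are assumptions.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(ip, addr, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) ^ _ip(addr)) & care == 0

ANY = ("0.0.0.0", "255.255.255.255")          # what IOS expands 'any' to
LAN1 = ("10.0.1.0", "0.0.0.255")
LAN2 = ("10.0.2.0", "0.0.0.255")

# access-list 110 / 120 from the thread as (action, source, destination),
# evaluated top-down, first match wins, implicit deny at the end.
ACL_110 = [("deny", LAN1, LAN2), ("permit", LAN1, ANY)]
ACL_120 = [("deny", LAN2, LAN1), ("permit", LAN2, ANY)]

def acl_permits(acl, src, dst):
    for action, (sa, sw), (da, dw) in acl:
        if wildcard_match(src, sa, sw) and wildcard_match(dst, da, dw):
            return action == "permit"
    return False  # implicit deny

# route-map -> (match ACL, set ip next-hop); ingress interface -> route-map
ROUTE_MAPS = {"PBR1": (ACL_110, "10.0.1.250"), "PBR2": (ACL_120, "10.0.2.250")}
POLICY = {"fast0/0": "PBR1", "fast0/1": "PBR2"}
# Assumption: the router's table holds only its two connected subnets.
CONNECTED = {"fast0/0": "10.0.1.0/24", "fast0/1": "10.0.2.0/24"}

def forward(ingress, src, dst):
    """Return ('pbr', next_hop), ('connected', egress_iface) or ('drop', None)
    for a packet arriving on `ingress`. PBR is consulted before the routing
    table; a packet the route-map denies or fails to match is routed normally."""
    rm = POLICY.get(ingress)
    if rm is not None:
        acl, hop = ROUTE_MAPS[rm]
        if acl_permits(acl, src, dst):
            return ("pbr", hop)
    for iface, net in CONNECTED.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return ("connected", iface)
    return ("drop", None)

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 stands in for an Internet host.
    for pkt in [("fast0/0", "10.0.1.10", "203.0.113.5"),
                ("fast0/0", "10.0.1.10", "10.0.2.10"),
                ("fast0/1", "10.0.2.10", "203.0.113.5"),
                ("fast0/0", "10.0.2.10", "203.0.113.5")]:  # wrong source subnet
        print(pkt, "->", forward(*pkt))
```

The last sample packet shows why the ACLs also pin the source subnet: a packet arriving on fast0/0 with a 10.0.2.x source matches neither route-map and, with no default route on the router, is not forwarded anywhere.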