Cisco 2800 Series Router - Routing Internet & Private Line

I have a 2800 Series router and I will be using it to replace an older 2600 series router that does nothing but route a T1 to the Firewall.  The T1 connection is through a serial WIC/T1 card and the T1 is terminated through an Adtran unit.

I also have another 1600 series router that connects the LAN to a remote office via a private line connected to the router via a serial WIC/T1 Card.

Separately both of these connections are very easy to configure and route within the LAN.

My Question is this....
How can I combine both of the connections into the one external router, and guarantee that the Private line is secure from the internet line??
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Easy.  Just purchase the router with the "Advanced Security" feature set, & enable CBAC on the Internet interface (more advanced firewalling than plain old ACLs), to protect your internal subnets (local LAN or remote subnet via private T1) from external attacks or connection attempts.

   Configuring CBAC - IOS 12.4:
   Some tips on securing routers:
   Bookmark the "Cisco Security Advisories" page, & check it often:

Rowdyone52Author Commented:
There is no way to do it without the feature set?

For instance configure both Serial interfaces then route serial 0 (internet to E0) plugged into firewall and router serial 1 to E1 plugged into Lan?

Would the lan be open to the internet configuration?
>There is no way to do it without the feature set?
   Not to worry, there are other ways to secure your WAN interface, but CBAC is by far the most intelligent & secure method to filter traffic.  If your current IOS version doesn't support it, you could make do with "Reflexive ACLs":

Quick test to see if your router supports CBAC -> in config mode run: "ip inspect ?"  If you get a list of options, CBAC is supported; otherwise, you'll get an "Unrecognized command" error.

Even simpler but much less effective than reflexive ACLs or CBAC, is to just use plain old extended ACLs, with the "established" keyword for TCP traffic.  For example, if your WAN interface is Serial0, & you only wanted to allow incoming ICMP, replies to DNS queries, & replies to TCP traffic initiated from the inside:

access-list 100 permit tcp any any established
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface Serial0
ip access-group 100 in

BTW, there's an implied "deny everything else" at the end of every ACL, so whatever isn't allowed in an ACL is blocked. So in the example above, incoming UDP traffic on any port other than port 53 is blocked.

>For instance configure both Serial interfaces then route serial 0...
   Don't overthink this... ;)  As long as you properly filter inbound traffic on your WAN (Internet) interfaces, your internal networks (local LAN & your private T1 connection) are protected.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Protocols

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.