Cisco 2800 Series Router  - Routing Internet & Private Line

Posted on 2006-03-21
Last Modified: 2013-11-29
I have a 2800 Series router and I will be using it to replace an older 2600 series router that does nothing but route a T1 to the Firewall.  The T1 connection is through a serial WIC/T1 card and the T1 is terminated through an Adtran unit.

I also have another 1600 series router that connects the LAN to a remote office via a private line connected to the router via a serial WIC/T1 Card.

Separately both of these connections are very easy to configure and route within the LAN.

My question is this:
How can I combine both of the connections into the one external router, and guarantee that the Private line is secure from the internet line?
Question by:Rowdyone52

    Expert Comment

    Easy.  Just purchase the router with the "Advanced Security" feature set, & enable CBAC on the Internet interface (more advanced firewalling than plain old ACLs), to protect your internal subnets (local LAN or remote subnet via private T1) from external attacks or connection attempts.

       Configuring CBAC - IOS 12.4:
       Some tips on securing routers:
       Bookmark the "Cisco Security Advisories" page, & check it often:


    Author Comment

    There is no way to do it without the feature set?

    For instance configure both Serial interfaces then route serial 0 (internet to E0) plugged into firewall and router serial 1 to E1 plugged into Lan?

    Would the lan be open to the internet configuration?

    Accepted Solution

    >There is no way to do it without the feature set?
       Not to worry, there are other ways to secure your WAN interface, but CBAC is by far the most intelligent & secure method to filter traffic.  If your current IOS version doesn't support it, you could make do with "Reflexive ACLs":

    Quick test to see if your router supports CBAC -> in config mode run: "ip inspect ?"  If you get a list of options, CBAC is supported; otherwise, you'll get an "Unrecognized command" error.

    Even simpler, but much less effective than reflexive ACLs or CBAC, is to just use plain old extended ACLs with the "established" keyword for TCP traffic.  For example, if your WAN interface is Serial0, & you only wanted to allow incoming ICMP, replies to DNS queries, & replies to TCP traffic initiated from the inside:

    access-list 100 permit tcp any any established
    access-list 100 permit udp any eq 53 any
    access-list 100 permit icmp any any

    interface Serial0
     ip access-group 100 in

    BTW, there's an implied "deny everything else" at the end of every ACL, so whatever isn't allowed in an ACL is blocked. So in the example above, incoming UDP traffic on any port other than port 53 is blocked.

    >For instance configure both Serial interfaces then route serial 0...
       Don't overthink this... ;)  As long as you properly filter inbound traffic on your WAN (Internet) interfaces, your internal networks (local LAN & your private T1 connection) are protected.
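To make the accepted solution's three ACL lines concrete, here is an added Python model of how IOS walks that access list; it is illustration code written for this page, not anything from the original thread or from Cisco. It assumes only what the post states: entries are checked top to bottom and the first match wins, "established" matches TCP segments carrying the ACK or RST bit (a purely stateless check, which is why the answer ranks it below reflexive ACLs and CBAC), "udp any eq 53 any" matches UDP from source port 53 to any destination port, and an implicit "deny ip any any" closes every ACL. All addresses, ports and packets below are constructed sample values.

```python
"""Stateless model of IOS extended ACL 100 from the accepted solution.

Added illustration for this page; not code from the original post.
Packet values are constructed samples (documentation-range addresses).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP (cosmetic here; ACL uses "any")
    dst: str                        # destination IP (cosmetic here)
    sport: Optional[int] = None     # source port, None for ICMP
    dport: Optional[int] = None     # destination port, None for ICMP
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Ace:
    """One entry: access-list 100 <action> <proto> any [eq p] any [eq p] [established]."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (matches all)
    sport: Optional[int] = None     # None means 'any' source port
    dport: Optional[int] = None     # None means 'any' destination port
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established:
            # "established" keeps no state: it only tests the ACK/RST bits,
            # so any segment with ACK set passes, solicited or not.
            return bool(pkt.flags & {"ACK", "RST"})
        return True


# access-list 100 exactly as in the post, plus the implicit deny IOS appends.
ACL_100: List[Ace] = [
    Ace("permit", "tcp", established=True),   # permit tcp any any established
    Ace("permit", "udp", sport=53),           # permit udp any eq 53 any
    Ace("permit", "icmp"),                    # permit icmp any any
    Ace("deny", "ip"),                        # implicit "deny ip any any"
]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching entry (IOS top-down order)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # unreachable with the implicit deny present, kept for safety


def sample_decisions() -> Dict[str, str]:
    """Run constructed inbound packets on Serial0 through ACL 100."""
    samples = {
        # New inbound connection attempt to an internal web port: no ACK -> dropped.
        "inbound_syn_to_web": Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80, frozenset({"SYN"})),
        # Reply to an HTTPS session the inside opened: ACK set -> allowed.
        "reply_to_our_https": Packet("tcp", "203.0.113.5", "192.0.2.10", 443, 50001, frozenset({"ACK"})),
        # Unsolicited segment that merely has ACK set: allowed, because the check
        # is stateless. This is the gap reflexive ACLs / CBAC close.
        "unsolicited_ack_only": Packet("tcp", "198.51.100.7", "192.0.2.10", 40001, 22, frozenset({"ACK"})),
        # Answer from a DNS server we queried: source port 53 -> allowed.
        "dns_reply": Packet("udp", "203.0.113.53", "192.0.2.10", 53, 33000),
        # Any UDP datagram with source port 53, even to SNMP (161), also passes:
        # the rule keys on the source port, not on whether we asked.
        "udp_sport_53_to_snmp": Packet("udp", "198.51.100.7", "192.0.2.10", 53, 161),
        # Inbound NTP: no entry matches, implicit deny applies.
        "inbound_ntp": Packet("udp", "198.51.100.7", "192.0.2.10", 123, 123),
        # ICMP echo: explicitly permitted by the third line.
        "ping": Packet("icmp", "198.51.100.7", "192.0.2.10"),
    }
    return {name: evaluate(ACL_100, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:24s} -> {verdict}")
```

The two "permit" verdicts worth noticing are the unsolicited ACK-only segment and the UDP datagram from source port 53 to an arbitrary port: both pass a plain extended ACL but would be dropped by a reflexive ACL or CBAC, which only open return paths for sessions the inside actually initiated. That difference is the whole reason the answer ranks the three techniques the way it does.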
