Cisco 2800 Series Router - Routing Internet & Private Line

Medium Priority
Last Modified: 2013-11-29
I have a 2800 Series router and I will be using it to replace an older 2600 series router that does nothing but route a T1 to the Firewall.  The T1 connection is through a serial WIC/T1 card and the T1 is terminated through an Adtran unit.

I also have another 1600 series router that connects the LAN to a remote office via a private line connected to the router via a serial WIC/T1 Card.

Separately both of these connections are very easy to configure and route within the LAN.

My Question is this....
How can I combine both of the connections into the one external router, and guarantee that the private line is secure from the internet line?

Easy. Just purchase the router with the "Advanced Security" feature set, & enable CBAC on the Internet interface (more advanced firewalling than plain old ACLs), to protect your internal subnets (local LAN or remote subnet via private T1) from external attacks or connection attempts.

   Configuring CBAC - IOS 12.4:
   Some tips on securing routers:
   Bookmark the "Cisco Security Advisories" page, & check it often:
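An added example, not part of the answer above, of what the recommended CBAC setup looks like on IOS 12.4 with the Advanced Security feature set. The interface names, the inspection rule name WANFW and all addresses are assumptions chosen to match the poster's layout (Internet T1 on one serial WIC, private line on the other, Ethernet to the firewall/LAN):

```cisco
! Added example (not from the original answer). Assumed interfaces:
!   Serial0/0/0      = Internet T1 (via the Adtran CSU/DSU)
!   Serial0/1/0      = private line to the remote office
!   FastEthernet0/0  = LAN / firewall side
! Addresses (203.0.113.x, 10.x) are example values.
!
! 1. Inspection rule: track outbound TCP, UDP and ICMP sessions and open
!    return holes in the inbound ACL only for their replies.
!    'router-traffic' (IOS 12.3(14)T and later) also tracks sessions the
!    router itself originates, e.g. its own DNS or NTP lookups; drop the
!    keyword on an older IOS.
ip inspect name WANFW tcp router-traffic
ip inspect name WANFW udp router-traffic
ip inspect name WANFW icmp
!
! 2. Static inbound filter on the Internet interface. CBAC inserts its
!    dynamic entries at the top of this list; anything else hits the
!    explicit deny and is logged. The anti-spoof lines drop packets that
!    claim to come from private or loopback space.
ip access-list extended WAN-IN
 remark anti-spoofing: RFC1918 and loopback never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark everything else is either a CBAC-opened reply or is dropped
 deny   ip any any log
!
! 3. Apply both to the same (Internet) interface: ACL inbound, inspection
!    outbound. Nothing is needed on the LAN or private-line interfaces;
!    the WAN-IN filter is what keeps them unreachable from outside.
interface Serial0/0/0
 description Internet T1
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect WANFW out
!
interface Serial0/1/0
 description Private line to remote office
 ip address 10.255.0.1 255.255.255.252
!
interface FastEthernet0/0
 description LAN / firewall
 ip address 10.0.0.1 255.255.255.0
```

After applying it, start a connection from the inside and check `show ip inspect sessions` (the tracked session should be listed) and `show access-lists WAN-IN` (the temporary permit for its return traffic appears above the static lines and disappears when the session closes). Traffic between the LAN and the private line never touches Serial0/0/0, so it is not inspected and not filtered by this configuration.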



There is no way to do it without the feature set?

For instance, configure both serial interfaces, then route Serial 0 (internet) to E0 plugged into the firewall, and Serial 1 to E1 plugged into the LAN?

Would the LAN be open to the internet in that configuration?
>There is no way to do it without the feature set?
   Not to worry, there are other ways to secure your WAN interface, but CBAC is by far the most intelligent & secure method to filter traffic.  If your current IOS version doesn't support it, you could make do with "Reflexive ACLs":

Quick test to see if your router supports CBAC -> in config mode run: "ip inspect ?"  If you get a list of options, CBAC is supported; otherwise, you'll get an "Unrecognized command" error.

Even simpler but much less effective than reflexive ACLs or CBAC, is to just use plain old extended ACLs, with the "established" keyword for TCP traffic.  For example, if your WAN interface is Serial0, & you only wanted to allow incoming ICMP, replies to DNS queries, & replies to TCP traffic initiated from the inside:

! Inbound filter for the Internet-facing serial interface
access-list 100 permit tcp any any established
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any
!
interface Serial0
 ip access-group 100 in

BTW, there's an implied "deny everything else" at the end of every ACL, so whatever isn't allowed in an ACL is blocked. So in the example above, incoming UDP traffic on any port other than port 53 is blocked.

>For instance configure both Serial interfaces then route serial 0...
   Don't overthink this... ;)  As long as you properly filter inbound traffic on your WAN (Internet) interfaces, your internal networks (local LAN & your private T1 connection) are protected.
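An added example, not from the answer above, of the reflexive ACL alternative it mentions, assuming the same Serial0 Internet interface as access-list 100. The list names WAN-OUT, WAN-IN and WAN-REFLECT and the timeouts are assumptions. The point it shows: `established` only tests the ACK/RST flag bits, so a bare ACK probe passes access-list 100, and `permit udp any eq 53 any` admits any UDP datagram whose source port happens to be 53; a reflexive list instead admits a packet only if the router saw the matching outbound packet first.

```cisco
! Added example, not from the original answer. Assumed: Serial0 is the
! Internet interface, as in the answer's access-list 100.
!
! Outbound: each session leaving via Serial0 creates a temporary, mirrored
! entry (source/destination addresses and ports swapped) in WAN-REFLECT.
ip access-list extended WAN-OUT
 permit tcp any any reflect WAN-REFLECT timeout 300
 permit udp any any reflect WAN-REFLECT timeout 60
 permit icmp any any reflect WAN-REFLECT timeout 30
!
! Inbound: 'evaluate' tests packets against those temporary entries, so a
! packet is admitted only if it mirrors a session the router saw leave.
! An unsolicited UDP packet from source port 53, or a bare ACK probe,
! matches nothing and falls through to the logged deny.
ip access-list extended WAN-IN
 remark drop obviously spoofed sources first
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 evaluate WAN-REFLECT
 deny   ip any any log
!
interface Serial0
 ip access-group WAN-OUT out
 ip access-group WAN-IN in
!
! Lifetime (seconds) for idle reflexive entries created by any 'reflect'
! line that does not carry its own timeout.
ip reflexive-list timeout 120
```

Two caveats a practitioner should know before choosing this over CBAC: packets the router itself originates are not evaluated by an outbound ACL, so the router's own DNS or NTP replies get no reflexive entry and need an explicit permit in WAN-IN; and reflexive lists cannot follow protocols that negotiate a second data port (active FTP), which CBAC's application inspection handles. Check entries with `show access-lists` while a session is open; the temporary lines appear under the reflexive list name.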

