Cisco 2800 Series Router - Routing Internet & Private Line

I have a 2800 Series router and I will be using it to replace an older 2600 series router that does nothing but route a T1 to the Firewall.  The T1 connection is through a serial WIC/T1 card and the T1 is terminated through an Adtran unit.

I also have another 1600 series router that connects the LAN to a remote office via a private line connected to the router via a serial WIC/T1 Card.

Separately both of these connections are very easy to configure and route within the LAN.

My question is this:
How can I combine both of the connections into the one external router, and guarantee that the private line is secure from the Internet line?
1 Solution
Easy.  Just purchase the router with the "Advanced Security" feature set, & enable CBAC on the Internet interface (more advanced firewalling than plain old ACLs), to protect your internal subnets (local LAN or remote subnet via private T1) from external attacks or connection attempts.

   Configuring CBAC - IOS 12.4:
   Some tips on securing routers:
   Bookmark the "Cisco Security Advisories" page, & check it often:

Rowdyone52 (Author) commented:
There is no way to do it without the feature set?

For instance, configure both serial interfaces, then route Serial 0 (Internet) to E0 plugged into the firewall, and Serial 1 to E1 plugged into the LAN?

Would the LAN be open to the Internet with that configuration?
>There is no way to do it without the feature set?
   Not to worry, there are other ways to secure your WAN interface, but CBAC is by far the most intelligent & secure method to filter traffic.  If your current IOS version doesn't support it, you could make do with "Reflexive ACLs":

Quick test to see if your router supports CBAC -> in config mode run: "ip inspect ?"  If you get a list of options, CBAC is supported; otherwise, you'll get an "Unrecognized command" error.

Even simpler but much less effective than reflexive ACLs or CBAC, is to just use plain old extended ACLs, with the "established" keyword for TCP traffic.  For example, if your WAN interface is Serial0, & you only wanted to allow incoming ICMP, replies to DNS queries, & replies to TCP traffic initiated from the inside:

access-list 100 permit tcp any any established
access-list 100 permit udp any eq 53 any
access-list 100 permit icmp any any

interface Serial0
ip access-group 100 in

BTW, there's an implied "deny everything else" at the end of every ACL, so whatever isn't allowed in an ACL is blocked. So in the example above, incoming UDP traffic on any port other than port 53 is blocked.

>For instance configure both Serial interfaces then route serial 0...
   Don't overthink this... ;)  As long as you properly filter inbound traffic on your WAN (Internet) interfaces, your internal networks (local LAN & your private T1 connection) are protected.
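To make the "established" keyword and the implied deny-all from the answer above concrete, here is an added example (not from the thread or from Cisco) that models how an inbound extended ACL is evaluated and runs the thread's access-list 100 over a handful of constructed packets. The Packet and Rule classes, the addresses and the sample packets are all assumptions made for the illustration; only the three rules are taken from the answer.

```python
# Added example: a small model of first-match ACL evaluation, used to show what
# the thread's access-list 100 permits and drops on inbound traffic.
# All packet values below are constructed, not captured from a real link.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip"
    src_port: Optional[int] = None  # "eq N" on the source side
    dst_port: Optional[int] = None  # "eq N" on the destination side
    established: bool = False       # TCP only: match when ACK or RST is set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if self.src_port is not None and pkt.sport != self.src_port:
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        # "established" looks only at the ACK/RST bits; it keeps no session state.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; falling off the end is the implied deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# access-list 100 exactly as given in the answer (source and destination "any")
ACL_100 = [
    Rule("permit", "tcp", established=True),   # permit tcp any any established
    Rule("permit", "udp", src_port=53),        # permit udp any eq 53 any
    Rule("permit", "icmp"),                    # permit icmp any any
]


def classify_inbound(acl=ACL_100) -> dict:
    """Run constructed inbound packets through the ACL and return each verdict."""
    samples = {
        "dns_reply":  Packet("udp", "198.51.100.53", "192.0.2.10", 53, 40000),
        "ntp_reply":  Packet("udp", "198.51.100.7", "192.0.2.10", 123, 123),
        "http_syn":   Packet("tcp", "198.51.100.9", "192.0.2.10", 50000, 80, frozenset({"SYN"})),
        "http_reply": Packet("tcp", "198.51.100.9", "192.0.2.10", 80, 50000, frozenset({"ACK"})),
        "ping":       Packet("icmp", "198.51.100.9", "192.0.2.10"),
    }
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_inbound().items():
        print(f"{name:11s} -> {verdict}")
```

The NTP reply is dropped even though nothing in the list mentions UDP 123, which is the implied deny the answer describes; the new inbound HTTP connection (SYN only) is dropped while the reply carrying ACK passes. Note that the "established" check is purely a flag test on each packet, with no memory of which connections the inside actually opened, which is why the answer rates it below reflexive ACLs and CBAC.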

