Cisco 5505 Firewall routing between subnets
Asked by MaltusW
Hi,
This is the setup I have for an external connection. This external connection is for our boardrooms, so people from outside the company can connect to the internet without getting on our LAN.
The outside connection provided by our ISP plugs into the Cisco 5505 Firewall. Through a series of simple risers, a D-Link router located in the boardroom is attached to this firewall. There is a series of 4 routers attached to this firewall.
I have assigned each router an external IP address under the "manual Internet connection" tab. For example, router 2 would have an IP of 192.168.1.2. The 3rd router in the 3rd boardroom would be 192.168.1.3, etc. When traffic is flowing through the FW, this is the IP it sees.
The gateway (Cisco Firewall) is 192.168.1.1.
Now, each router also has its own IP address. For example, router 2 would have an IP of 192.168.2.1. The 3rd router in the 3rd boardroom would be 192.168.3.1, etc. So if a PC that is connected to this router does an ipconfig, the gateway would be this.
After all of that, each router gets to the internet great and everyone is happy. But my question is:
I am on another router, 192.168.1.13 (external IP; the internal IP is 192.168.10.101), that only the IT people are allowed to be on. It is attached to this firewall as well. I want to be able to connect to each of the segments from mine so I can configure the routers without visiting each boardroom and having to connect to it. For example, my PC, 192.168.10.101, needs to be able to connect to the 2nd floor boardroom router at 192.168.2.1. But I also want to make sure no one can go from one of the boardrooms to the IT router.
Am I making sense?
Thanks in advance
ASKER
Hi, sorry for the delay. I was away the last couple of days. I will try that and see what happens. I have attached a PDF that will hopefully provide a little more clarification. The green arrow in the diagram is the direction of the traffic that needs to be permitted. Also, would I not have to configure each router as well to allow the traffic? Thanks again
wireless.pdf
ASKER CERTIFIED SOLUTION
! The four boardroom routers as the ASA sees them (their 192.168.1.x WAN
! addresses) plus the LAN ranges behind them.
object-group network GUESTS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
! All RFC 1918 space. The original post had 255.255.240.0 for 172.16.0.0,
! which only covers 172.16.0.0/20; the /12 block needs 255.240.0.0.
object-group network Private_nets
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
! The ASA evaluates an ACL top-down and stops at the first match, so the
! admin permit must come before the guest deny. If the IT router NATs the
! admin PC, the ASA will see 192.168.1.13 rather than 192.168.10.101.
access-list Guest_ACL remark permit admin traffic
access-list Guest_ACL permit ip host 192.168.10.101 any
access-list Guest_ACL remark deny access inside but permit Internet
access-list Guest_ACL deny ip object-group GUESTS object-group Private_nets
access-list Guest_ACL permit ip object-group GUESTS any
access-list Guest_ACL remark permit all other traffic
access-list Guest_ACL permit ip any any
! Apply inbound on the interface the routers connect to; the nameif is
! case-sensitive, so it must match the interface's configured name.
access-group Guest_ACL in interface Inside
! Lets traffic enter and leave the same interface (router-to-router hops
! through the ASA); the ACL above still filters it.
same-security-traffic permit intra-interface
Let me know if that doesn't do what you want.
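As an added check that is not part of the answer above, the following Python script replays the Guest_ACL with the ASA's first-match, implicit-deny semantics against the addresses from the question, including the case where the ASA sees the IT router's WAN address 192.168.1.13 instead of the PC's 192.168.10.101 (the 172.16/12 mask is taken as 255.240.0.0; the Internet address 203.0.113.10 is a constructed TEST-NET value).

```python
# Added illustration: evaluates the posted Guest_ACL top-down, stopping at the
# first matching line, as an ASA does for an inbound interface ACL.
import ipaddress

# Object groups from the posted config (172.16/12 mask taken as 255.240.0.0).
GUESTS = [ipaddress.ip_network(n) for n in
          ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
ADMIN_PC = [ipaddress.ip_network("192.168.10.101/32")]

# (action, source group, destination group) in the order the ACL lists them.
GUEST_ACL = [
    ("permit", ADMIN_PC, ANY),        # admin traffic
    ("deny", GUESTS, PRIVATE_NETS),   # guests may not reach internal ranges
    ("permit", GUESTS, ANY),          # but may reach the Internet
    ("permit", ANY, ANY),             # everything else
]


def in_group(addr, group):
    return any(addr in net for net in group)


def evaluate(src, dst, acl=GUEST_ACL):
    """Return the action of the first ACL line matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_grp, dst_grp in acl:
        if in_group(s, src_grp) and in_group(d, dst_grp):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    cases = [
        ("192.168.10.101", "192.168.2.1"),   # IT PC -> boardroom router
        ("192.168.2.50", "192.168.10.101"),  # boardroom PC -> IT PC
        ("192.168.2.50", "192.168.3.1"),     # boardroom -> other boardroom
        ("192.168.2.50", "203.0.113.10"),    # boardroom -> Internet (constructed)
        ("192.168.1.13", "192.168.2.1"),     # IT router's WAN address, if NATed
    ]
    for src, dst in cases:
        print(f"{src:>16} -> {dst:<16} {evaluate(src, dst)}")
```

The last case shows why the admin permit must match the address the ASA actually sees: 192.168.1.13 falls inside the GUESTS group and is denied by the second line.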