MaltusW
Cisco 5505 Firewall routing between subnets

Hi,
This is the setup I have for an external connection. This external connection is for our boardrooms so people from outside the company can connect to the internet without getting on our LAN.


The outside connection provided by our ISP plugs into the Cisco 5505 Firewall.  Through a series of simple risers, a Dlink router located in the boardroom is attached to this firewall.  There is a series of 4 routers attached to this firewall.  

I have assigned each router an External IP address under the "manual Internet connection" tab.  For example, router 2 would have an IP of 192.168.1.2.  The 3rd router in the 3rd boardroom would be 192.168.1.3, etc.  When traffic is flowing through the FW, this is the IP it sees.

The Gateway (Cisco Firewall) is 192.168.1.1

Now, each router also has its own IP address.  For example, router 2 would have an IP of 192.168.2.1.  The 3rd router in the 3rd boardroom would be 192.168.3.1, etc.  So if a PC that is connected to this router does an IPCONFIG, the Gateway would be this.

After all of that, each router gets to the internet great and everyone is happy.  But my question is:
I am on another router, 192.168.1.13 (external IP; the internal IP is 192.168.10.101) that only the IT people are allowed to be on.  It is attached to this firewall as well.  I want to be able to connect to each of the segments from mine so I can configure the routers without visiting each boardroom and having to connect to it.  For example, my PC, 192.168.10.101 needs to be able to connect to the 2nd floor boardroom router at 192.168.2.1.  But I also want to make sure no one can go from one of the boardrooms to the IT router.

Am I making sense?  

thx in advance
John Meggers

Generally speaking, you would put an access-list inbound on the inside interface of the 5505 that denies the other addresses from going to anything in the private address range, but permits everything else, and you have to make sure you permit "hair pinning" the traffic. Are you NATing on the internal routers? If not, then the source address of the traffic would be from each of the internal subnets; if you are, then the source address would be the specific IP on the outside of the router. Assuming the guest IP addresses are 192.168.1.x to 192.168.4.x, and your inside interface is named "Inside" try this:

object-group network GUESTS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
object-group network Private_nets
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list Guest_ACL remark permit admin traffic
access-list Guest_ACL permit ip host 192.168.10.101 any
access-list Guest_ACL remark deny access inside but permit Internet
access-list Guest_ACL deny ip object-group GUESTS object-group Private_nets
access-list Guest_ACL permit ip object-group GUESTS any
access-list Guest_ACL remark permit all other traffic
access-list Guest_ACL permit ip any any

access-group Guest_ACL in interface Inside
same-security-traffic permit intra-interface


Let me know if that doesn't do what you want.
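An added example, not from the thread: a small Python evaluator that applies the Guest_ACL ordering from the answer above (first match wins, implicit deny at the end) to the flows the asker describes. It assumes the addresses from the question, the RFC 1918 /12 mask for 172.16.0.0, and a constructed Internet host 203.0.113.10.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Object groups from the answer (172.16.0.0 with its RFC 1918 /12 mask).
GUESTS = [Net(f"192.168.{i}.0/24") for i in range(1, 5)]
PRIVATE_NETS = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
ANY = [Net("0.0.0.0/0")]
ADMIN_PC = [Net("192.168.10.101/32")]  # the asker's IT PC (no NAT assumed)

# Guest_ACL as (action, source nets, destination nets), in the posted order.
GUEST_ACL: List[Tuple[str, List[Net], List[Net]]] = [
    ("permit", ADMIN_PC, ANY),          # permit admin traffic
    ("deny", GUESTS, PRIVATE_NETS),     # guests may not reach private space
    ("permit", GUESTS, ANY),            # ... but may reach the Internet
    ("permit", ANY, ANY),               # everything else
]


def matches(addr: str, nets: List[Net]) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in nets)


def evaluate(src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet arriving inbound on Inside."""
    for action, srcs, dsts in GUEST_ACL:
        if matches(src, srcs) and matches(dst, dsts):
            return action
    return "deny"  # ASA appends an implicit deny to every access-list


if __name__ == "__main__":
    # Constructed flows: (source, destination, description)
    flows = [
        ("192.168.10.101", "192.168.2.1", "IT PC -> boardroom 2 router, IT router not NATing"),
        ("192.168.1.13", "192.168.2.1", "same flow after the IT router NATs it"),
        ("192.168.1.2", "192.168.1.13", "boardroom 2 (NATed) -> IT router outside address"),
        ("192.168.2.55", "192.168.10.101", "boardroom 2 PC (no NAT) -> IT PC"),
        ("192.168.1.2", "203.0.113.10", "boardroom 2 -> Internet host"),
    ]
    for src, dst, desc in flows:
        print(f"{evaluate(src, dst):6}  {src} -> {dst}  ({desc})")
```

The 192.168.1.13 case is why the NAT question in the answer matters: once the IT router translates, the admin source falls inside the GUESTS group and is dropped by the deny line, so the permit line would need to name the IT router's outside address instead.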
MaltusW (asker)

Hi, sorry for the delay.  I was away the last couple of days.  I will try that and see what happens.  I have attached a pdf that will hopefully provide a little more clarification.  The green arrow in the diagram is the direction of the traffic that needs to be permitted.  Also, would I not have to configure each router as well to allow the traffic?  Thanks again
wireless.pdf