Firewall Behind Cisco 877 Router
YaYangTeah asked:
I would like to implement a firewall now. My Cisco router IP is 192.168.1.1/24 and the configuration is below. Please advise how I forward all the traffic to the firewall; let's say it is 192.168.100.1/24.
Router#show run
Building configuration...
Current configuration : 3710 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
!
crypto pki trustpoint TP-self-signed-2342115769
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2342115769
revocation-check none
rsakeypair TP-self-signed-2342115769
!
!
crypto pki certificate chain TP-self-signed-2342115769
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333432 31313537 3639301E 170D3134 31303037 31373136
32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33343231
31353736 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DAE3 A1371338 2BA2D41E C3B99D5A 8F074B27 D75E0454 1FD7DDFC 989EA77F
D9A22E29 2D834EA7 8DC4BD06 44F76F3B 99E819B9 9506C4B8 2D5F30E4 788A3A2D
BAD169EC DCEA880B 1FF2967D 97C172A4 B87A80EB 50641AB7 BC45EC83 A932AAC9
1BD67BBF B42A55D5 59CF756E C57F0C6F A24CFCA7 8FD2BF5E 417116A5 7C91ABBD
A0410203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 C6CA16FC
33D0FAA9 359947D9 D2492443 7ECE8455 301D0603 551D0E04 160414C6 CA16FC33
D0FAA935 9947D9D2 4924437E CE845530 0D06092A 864886F7 0D010104 05000381
81005E9F FD0064B2 58C1B2CD 96B2E4BD D5CDDECA 73B5D6E2 C403BE05 9D160408
A5DAD470 9AAAE29E 4518290B 80A9FD28 49CB3728 ED88C0B9 0A283229 94505587
5C564720 047AA867 6FD061EE 7479546C 06A5C421 D704168F FE039406 B1E00B4A
61200C83 991D21AC 6C75DAB6 1D076855 DAB00E0B 93AC5150 04BF7D2B 5F4E31D9 7E74
quit
!
!
username ciscoadmin privilege 15 secret 5 $1$JfSV$QNwaE5rHJ2ZP2fA05ViHb1
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname <My Account>
ppp chap password 0 <My Account Password>
ppp pap sent-username <My Account> password 0 <My Account Password>
ppp ipcp dns request accept
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.1.99 8082 interface Dialer0 8082
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
banner login ^C
*****************************************************
* UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED! *
*****************************************************
* Unauthorised access may be subject to prosecution *
* under the Crimes Act or State legislation. *
*****************************************************
^C
!
line con 0
password cisco
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
scheduler max-task-time 5000
end
If you are doing NAT in the router now then you don't have to change anything. This is simpler because if there is a problem, the firewall rules and the NAT are separate and it's easier to determine where the problem is.
ASKER
How about port forwarding? Based on the advice above, does it mean all the traffic coming from the internet will route to the firewall, so I need to do port forwarding in the firewall, am I right? Do I need to remove the entries below from the router?
ip nat inside source static tcp 192.168.1.100 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.1.99 8082 interface Dialer0 8082
How about the entry below, do I need to change it to 192.168.2.0?
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
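Added here as a worked example, not code from the question or the answer: a small Python audit script that parses the NAT-relevant statements of the posted running-config (the `ip nat inside`/`ip nat outside` interfaces, the overload rule, the two static TCP forwards and the standard access list named NAT) and reports which of them go stale if the inside network is renumbered, which is what the follow-up asks. The `SAMPLE_CONFIG` excerpt is constructed from the configuration above, and the finding codes and function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question: the
# statements that decide where inbound traffic lands (NAT interfaces, the
# overload rule, the two static TCP forwards and the NAT access list).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.1.99 8082 interface Dialer0 8082
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD_RE = re.compile(
    r"^ip nat inside source list (\S+) interface (\S+) overload$")


def acl_entry_to_network(parts):
    """Translate one standard-ACL permit line into an ip_network.

    IOS standard ACLs use wildcard masks (0.0.0.255), 'host X' or a bare
    address; ipaddress accepts an (address, hostmask) tuple directly.
    """
    if parts[1] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[1] == "host":
        return ipaddress.ip_network(parts[2])
    if len(parts) == 3:
        return ipaddress.ip_network((parts[1], parts[2]), strict=False)
    return ipaddress.ip_network(parts[1])


def parse_nat(text):
    """Collect the NAT-relevant statements from an IOS running-config."""
    nat = {"inside": [], "outside": [], "static": [],
           "acl_name": None, "overload_if": None, "acls": {}}
    section = None  # ("interface", name), ("acl", name) or None at top level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        if line.startswith("interface "):
            section = ("interface", line.split()[1])
            continue
        if line.startswith("ip access-list standard "):
            section = ("acl", line.split()[3])
            nat["acls"].setdefault(section[1], [])
            continue
        if section and section[0] == "interface":
            if line == "ip nat inside":
                nat["inside"].append(section[1])
            elif line == "ip nat outside":
                nat["outside"].append(section[1])
            continue
        if section and section[0] == "acl":
            if line.startswith("permit "):
                nat["acls"][section[1]].append(acl_entry_to_network(line.split()))
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, inside_ip, inside_port, out_if, out_port = m.groups()
            nat["static"].append((proto, inside_ip, int(inside_port), out_if, int(out_port)))
            continue
        m = OVERLOAD_RE.match(line)
        if m:
            nat["acl_name"], nat["overload_if"] = m.groups()
    return nat


def audit_nat(nat, lan_cidr):
    """Return (code, detail) findings for the NAT statements against a LAN subnet.

    lan_cidr is the subnet the inside interface is (or will be) numbered in,
    so passing the planned new subnet shows which lines would go stale.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    findings = []
    if not nat["inside"] or not nat["outside"]:
        findings.append(("NAT_INTERFACES", "need both 'ip nat inside' and 'ip nat outside'"))
    if nat["overload_if"] and nat["overload_if"] not in nat["outside"]:
        findings.append(("OVERLOAD_IF", f"{nat['overload_if']} is not an 'ip nat outside' interface"))
    acl_nets = nat["acls"].get(nat["acl_name"], [])
    if nat["acl_name"] and not any(lan.subnet_of(net) for net in acl_nets):
        findings.append(("ACL_LAN", f"access-list {nat['acl_name']} does not cover {lan}; "
                                    "hosts there would not be translated outbound"))
    for proto, inside_ip, inside_port, out_if, out_port in nat["static"]:
        if ipaddress.ip_address(inside_ip) not in lan:
            findings.append(("STATIC_LAN", f"{proto}/{out_port} on {out_if} forwards to "
                                           f"{inside_ip}:{inside_port}, which is outside {lan}"))
        if out_if not in nat["outside"]:
            findings.append(("STATIC_IF", f"static forward uses {out_if}, not an 'ip nat outside' interface"))
    return findings


if __name__ == "__main__":
    parsed = parse_nat(SAMPLE_CONFIG)
    for subnet in ("192.168.1.0/24", "192.168.2.0/24"):
        print(f"LAN {subnet}:")
        for code, detail in audit_nat(parsed, subnet) or [("OK", "no stale NAT statements")]:
            print(f"  {code}: {detail}")
```

Run against the current subnet it reports nothing; run against 192.168.2.0/24 it flags the access list and both static forwards, which is exactly the set of lines the follow-up question is asking about. The static forwards are listed separately from the access list because they behave differently: a renumbered access list only affects outbound translation, while a static forward pointing at an address no longer on the inside network silently drops the inbound service.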