
Thread: Interesting Configuration

  1. #1
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828

    Interesting Configuration

    There is a Cisco 2821 connected to the incoming T1 lines, but the outgoing ports are misconfigured. Would one outgoing port go into the router and one into the firewall, or would both go into the firewall?

    Wouldn't this configuration cause traffic to jump the firewall?

  2. #2
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    I don't think that you would need two connections to the firewall. You would only have to connect one of the router's ports to the firewall and then the firewall to the switches or whatever.

    Quote:
    Wouldn't this configuration cause traffic to jump the firewall?
    If you mean connecting one port of the router to the firewall and the other one to a switch, then I would guess it would skip the firewall, but I am not too sure. Traffic would probably go out of both ports; the one connected to the firewall would be accepted or denied, but even if it were denied, the other port would send it straight to the network. But I don't see why anyone would want to do that. Each of the two ports on the router should connect to separate networks, so you should only need one connection to the firewall.

    Never tried doing anything like that so I couldn't tell you exactly what would happen.
    I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Little confused about your setup, but I'll take a stab at this.

    From what I understand you have 2 ports from the router that are for the internal network?

    One goes to a firewall, and the other to the network bypassing the firewall?


    If this is the case, then it would depend on how the router is configured; maybe the one that's not plugged into the firewall is for a "DMZ" type connection for servers? You can configure the Cisco routers to only forward traffic for certain IPs to X interface, and send traffic for any other IP to Y interface.



    So I guess what I'm saying is, it depends on how your router is configured. It could be bypassing the firewall completely, or it could all be going through the firewall.


    If you want, post a somewhat more detailed network map for your T1's, router, firewall...and if you want to, post your cisco router config (show running-config). I'll take a look at it and see if I can see anything as to how traffic is handled.
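The post above makes the key point: whether the second router port bypasses the firewall is decided entirely by the router's forwarding table, which is why it asks for the `show running-config`. The script below is an added example written for this thread, not the original poster's configuration and not Cisco code. It parses a constructed IOS running-config (interface names, addresses, the 10.0.0.0/8 "inside" range and the choice of GigabitEthernet0/0 as the link to the firewall are all assumptions made for illustration), resolves each static route and each connected subnet to its egress interface, and flags every inside destination that the router would forward without crossing the firewall. Next hops given as an interface name rather than an address are handled too, since IOS accepts both forms.

```python
"""Audit a Cisco IOS running-config for inside routes that skip the firewall.

Added example for the thread above (not the poster's config, not vendor code).
It reads `interface` / `ip address` / `ip route` lines, works out which
interface each static route and each connected subnet egresses on, and
reports any inside destination whose egress is not the firewall link.
"""
import ipaddress
import re

# Constructed sample running-config.  The interface names, addresses, and the
# assumption that the firewall's outside interface (192.0.2.2) hangs off
# GigabitEthernet0/0 are made up for this example.
SAMPLE_CONFIG = """\
!
interface Serial0/0/0
 description T1 to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0
 description Link to firewall outside interface
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Link straight to the core switch
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.10.0.0 255.255.0.0 192.0.2.2
ip route 10.20.0.0 255.255.0.0 10.0.0.254
ip route 10.30.0.0 255.255.0.0 GigabitEthernet0/1
!
"""

# Assumption: 10.0.0.0/8 is the inside network and must only be reached
# through the firewall, which sits behind this interface.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
FIREWALL_INTERFACE = "GigabitEthernet0/0"

_IFACE_RE = re.compile(r"^interface (\S+)")
_ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")
_ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def parse_interfaces(config):
    """Return {interface name: IPv4Interface} for every addressed interface."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ADDR_RE.match(line)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash.
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_static_routes(config):
    """Return [(destination network, next-hop token)] from `ip route` lines.

    The next hop is either an IPv4 address or an outgoing interface name, both
    legal in IOS, so the raw token is kept and resolved by egress_interface().
    """
    routes = []
    for line in config.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dest, m.group(3)))
    return routes


def egress_interface(next_hop, interfaces):
    """Interface a next hop is reached through, or None if it is unreachable.

    An interface-name token is used directly; an address is matched against
    the connected subnets, longest prefix winning.
    """
    if next_hop in interfaces:
        return next_hop
    try:
        hop = ipaddress.ip_address(next_hop)
    except ValueError:
        return None
    best = None
    for name, iface in interfaces.items():
        if hop in iface.network and (
            best is None or iface.network.prefixlen > interfaces[best].network.prefixlen
        ):
            best = name
    return best


def is_internal(network):
    """True if the destination lies inside one of the protected prefixes."""
    return any(network.subnet_of(p) for p in INTERNAL_PREFIXES)


def audit(config, firewall_interface=FIREWALL_INTERFACE):
    """List (destination, via, egress interface, bypasses_firewall) findings.

    Connected subnets are included: an inside subnet attached directly to the
    router is forwarded to with no static route at all.
    """
    interfaces = parse_interfaces(config)
    findings = []
    for name, iface in interfaces.items():
        if is_internal(iface.network):
            findings.append((str(iface.network), "connected", name, name != firewall_interface))
    for dest, hop in parse_static_routes(config):
        if is_internal(dest):
            egress = egress_interface(hop, interfaces)
            findings.append((str(dest), hop, egress, egress != firewall_interface))
    return findings


def bypass_routes(config, firewall_interface=FIREWALL_INTERFACE):
    """Only the inside destinations reached without crossing the firewall."""
    return [f for f in audit(config, firewall_interface) if f[3]]


if __name__ == "__main__":
    for dest, via, egress, bypass in audit(SAMPLE_CONFIG):
        flag = "BYPASSES FIREWALL" if bypass else "via firewall"
        print(f"{dest:<16} via {via:<20} out {egress:<20} {flag}")
```

On the sample config the 10.10.0.0/16 route is fine (its next hop sits on the firewall link), while the directly connected 10.0.0.0/24 and the two routes pointing out GigabitEthernet0/1 are exactly the "jump the firewall" paths the original question worries about. Feed the real `show running-config` in place of SAMPLE_CONFIG and adjust the two assumptions at the top to match the site.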

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Hi,

    Quote:
    If you mean connecting one port of the router to the firewall and the other one to a switch, then I would guess it would skip the firewall but I am not too sure. Traffic would probably go out of both ports,
    Not really, it would make a routing decision based on how it has been configured; it would never broadcast out on all interfaces.

    It is not a conventional setup the way you are trying to do it...

    Without knowing more details, it is hard to give detailed help but a more secure way would be to put the firewall in front of the router, directly connected to the incoming T1 link.

    Then have a default route from the firewall to the next hop router, which will then route traffic according to your configuration; you can put further ACLs on the router to add an extra layer of security if need be.

    Code:
    ------>----T1------> |Firewall|--->---->----> |Router|---->---->Switch and inside network
    Or as cheyenne mentioned, if you have/want a DMZ, you could put the router with ACLs in front with the DMZ on one interface, then the other interface goes directly to the firewall and then on to your inside network, or depending on what firewall you have you can have the DMZ on a firewall interface and put the firewall in front of the router again.

    Code:
    --->---T1--->--|Router|----->------> |firewall|---->---->--- |inside network|
                      |
                      |
                    |DMZ|
    Or


    Code:
    --->---T1--->--|Firewall|----->------> |Router|---->---->--- |inside network|
                       |
                       |
                     |DMZ|
    Or even

    Code:
    --->---T1--->--|Firewall|----->------> |Router|---->---->--- |inside network|
                                               |
                                               |
                                             |DMZ|

    If you just have the one IP subnet on the network, you could even scrap the router altogether and just have the Firewall on the perimeter and connect the switch to the inside interface of it.

    Is this similar to what you are trying to set up?

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Yeah, post your router config here, and a diagram if you can.


    It'll make it easier for us to see how it's set up.
