From: Vincent on
If I place a Cisco 871 in bridging mode and put a dedicated firewall
behind it, am I still able to assign extended ACL's to the bridged
interface? Or is it only able to handle standard ACL's?

Thanks.

Vincent
From: bod43 on
On 26 Feb, 03:57, Vincent <animedrea...(a)verizon.net> wrote:
> If I place a Cisco 871 in bridging mode and put a dedicated firewall
> behind it, am I still able to assign extended ACL's to the bridged
> interface?  Or is it only able to handle standard ACL's?

I have no idea if any IP ACLs work in bridge mode
but I would think that if standard ones work then
extended ones will too.

You can always NAT on the router and NAT on the firewall too.

router outside - Public IP
     NAT here
router inside 10.0.0.1
firewall outside 10.0.0.2
     NAT here too
firewall inside - Private IP

Obviously if you do complex NAT then it will be
more work and more irritating but I have done this with
IPSEC on the firewall and all was OK.
DSL router (not cisco) and PIX.

From: Vincent on
On Feb 26, 4:24 am, bod43 <Bo...(a)hotmail.co.uk> wrote:
> On 26 Feb, 03:57, Vincent <animedrea...(a)verizon.net> wrote:
>
> > If I place a Cisco 871 in bridging mode and put a dedicated firewall
> > behind it, am I still able to assign extended ACL's to the bridged
> > interface?  Or is it only able to handle standard ACL's?
>
> I have no idea if any IP ACLs work in bridge mode
> but I would think that if standard ones work then
> extended ones will too.
>
> You can always NAT on the router and NAT on the firewall too.
>
> router outside - Public IP
>      NAT here
> router inside 10.0.0.1
> firewall outside 10.0.0.2
>      NAT here too
> firewall inside - Private IP
>
> Obviously if you do complex NAT then it will be
> more work and more irritating but I have done this with
> IPSEC on the firewall and all was OK.
> DSL router (not cisco) and PIX.

Well, maybe I am going about this the wrong way...I want to create the
following setup:

T1--->Cisco 871 (Bridged, IP Filter)--->Firewall--->LAN (NAT)
                                           |
                                          DMZ

My thoughts were that I could place the Cisco 871 in bridged mode, but
still have it perform IP filtering to prevent a bunch of junk from
hitting the firewall. But, since it is bridged, the IP address will
be assigned directly to the firewall. One of the public IP addresses
will be used to serve the internal LAN and the other public IP
addresses will be assigned to machines within the DMZ. Is it possible
to assign ACL's to a bridged interface? If not, that defeats the
primary purpose of the Cisco 871 as a filtering device. Is there a
better way to do what I am trying to accomplish? I have been assigned
a x.x.x.x/28 subnet from my ISP. Thanks!

Vincent