02-25-2004 09:17 AM - edited 03-09-2019 06:33 AM
I am trying to set up my 2514 with the 12.2 IOS firewall.
What I want to do is use my E0 as the local LAN and E1 as the DMZ. S0 is the interface connected to the Internet and S1 is connected to another router, which will be our WAN connection to the remote office.
The way it should be is how the PIX firewall works.
That is, any traffic from E0 going to E1, S0 and S1 should be permitted. Traffic coming back to E0 from any interface, with the exception of S1 (WAN interface to the remote office), should be denied.
Traffic from E1 (DMZ) should be permitted to go out to S0 (Internet interface) and denied everywhere else. Traffic from S1 (WAN interface) should be permitted to E0 and E1, except S0.
Can someone help me with the access-list here?
Below is my unsuccessful attempt.
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NewYork
!
enable secret xxxx
enable password technology
!
ip subnet-zero
no ip source-route
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
!
!
!
!
interface Ethernet0
ip address 172.16.10.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip inspect standard in
no cdp enable
!
interface Ethernet1
ip address 172.16.20.1 255.255.255.0
ip access-group 111 in
ip inspect standard out
no cdp enable
!
interface Serial0
ip address 192.168.20.1 255.255.255.0
ip access-group 121 in
shutdown
no cdp enable
!
interface Serial1
ip address 192.168.10.1 255.255.255.0
ip access-group 131 in
ip access-group 102 out
shutdown
no cdp enable
!
ip classless
no ip http server
ip pim bidir-enable
!
!
logging 172.16.10.110
access-list 101 permit icmp 172.16.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 172.16.10.0 0.0.0.
access-list 102 deny ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip any any
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit icmp 172.16.20.0 0.0.0.255 any
access-list 111 deny ip any any
access-list 121 permit udp any host 172.16.20.3 eq domain
access-list 121 permit tcp any host 172.16.20.3 eq domain
access-list 121 permit tcp any host 172.16.20.3 eq www
access-list 121 permit tcp any host 172.16.20.3 eq ftp
access-list 121 permit tcp any host 172.16.20.3 eq ftp-data
access-list 121 permit tcp any gt 1023 host 172.16.20.3 gt telnet
access-list 121 permit tcp any host 172.16.20.3 eq smtp
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 administratively-prohibited
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 echo
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 echo-reply
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 packet-too-big
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 time-exceeded
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 traceroute
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 unreachable
access-list 121 deny ip any any
access-list 131 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 131 permit ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 131 deny ip any any
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
password xxxx
login
!
end
02-26-2004 02:30 PM
Hi,
E0 as inside
E1 as DMZ1
S1 as DMZ2
S0 as outside.
From E0 to E1, S0 and S1: allowed.
Traffic from S1 to E0: allowed.
Solution: apply inspect on E0,
and apply an access-list on E1, S0 and S1 to block unwanted traffic.
Traffic from E1 to S0 is allowed.
Apply inspect on E1,
and apply an access-list on E1 to block/permit traffic.
Traffic from S1 to E0 and E1: allowed.
Apply an access-list to only allow this traffic.
Thanks
Nadeem
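As an added illustration (this is not the original poster's configuration and not Nadeem's), here is one way to write the interface-pair policy from the question following the reply's approach on the 2514's own addressing: CBAC inspection on the interfaces where sessions originate, and static access lists only for the directions that are meant to be open. Assumptions: the remote-office side is written as 192.168.10.0/24 because that is what the original ACLs use (substitute the remote LAN's real prefix), the published DMZ host is 172.16.20.3 as in the original ACL 121, and the inspection rule set is named FW. One addition to the reply's layout: inspection is also applied inbound on S1, because sessions the remote office opens toward the DMZ would otherwise have their replies dropped by the deny entries in ACL 111.

```cisco
! Added example, not the poster's or Nadeem's configuration.
! E0 172.16.10.0/24 inside, E1 172.16.20.0/24 DMZ,
! S0 192.168.20.0/24 Internet, S1 192.168.10.0/24 WAN to the remote office.
! ASSUMPTION: the remote office is written as 192.168.10.0/24, as in the
! original ACLs; use the remote LAN's real prefix in practice.
service password-encryption
enable secret xxxx
! (no cleartext "enable password" line; the secret alone is enough)
!
ip inspect audit-trail
logging 172.16.10.110
!
! One inspection rule set; generic tcp/udp cover protocols not listed.
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
ip inspect name FW tcp
ip inspect name FW udp
!
! Inside: sessions originate here and are inspected. Nothing is applied
! outbound, so the only traffic that reaches E0 is inspection return
! traffic plus whatever the list on S1 lets through.
interface Ethernet0
 ip address 172.16.10.1 255.255.255.0
 ip access-group 101 in
 ip inspect FW in
!
! DMZ: may open sessions only toward the Internet.
interface Ethernet1
 ip address 172.16.20.1 255.255.255.0
 ip access-group 111 in
 ip inspect FW in
!
! Internet: only the static list below plus inspection openings.
interface Serial0
 ip address 192.168.20.1 255.255.255.0
 ip access-group 121 in
!
! WAN: may open sessions to inside and DMZ. Inspecting here records
! those sessions so the DMZ's replies get past the deny in list 111.
interface Serial1
 ip address 192.168.10.1 255.255.255.0
 ip access-group 131 in
 ip inspect FW in
!
! 101: inside hosts may originate anything; anything else is logged.
access-list 101 permit ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip any any log
!
! 111: DMZ to Internet only. Inside and WAN are denied before the broad
! permit; CBAC's temporary entries still let replies to inspected
! sessions through. ICMP is not inspected by this rule set, so ping
! replies toward the inside are permitted statically.
access-list 111 permit icmp 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255 echo-reply
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 111 deny ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 deny ip any any log
!
! 121: from the Internet only the published DMZ services (host
! 172.16.20.3 as in the original) and ICMP control messages.
access-list 121 permit tcp any host 172.16.20.3 eq www
access-list 121 permit tcp any host 172.16.20.3 eq smtp
access-list 121 permit udp any host 172.16.20.3 eq domain
access-list 121 permit icmp any 172.16.20.0 0.0.0.255 echo-reply
access-list 121 permit icmp any 172.16.10.0 0.0.0.255 echo-reply
access-list 121 permit icmp any 172.16.0.0 0.0.255.255 unreachable
access-list 121 permit icmp any 172.16.0.0 0.0.255.255 time-exceeded
access-list 121 deny ip any any log
!
! 131: WAN to inside and DMZ only. Nothing toward 192.168.20.0/24 or
! beyond is permitted, so the remote office can never use S0.
access-list 131 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 131 permit ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 131 deny ip any any log
```

The point of the layout is that each access list is applied inbound on exactly one interface and describes only what that interface's neighbours may initiate; everything stateful is left to inspection, which opens temporary entries in the inbound list of the interface where the reply arrives. With the lists in place, `show ip inspect sessions` shows the sessions CBAC is tracking and `show access-lists` shows hit counts on the `deny ... log` entries, which is the quickest way to see which direction is being blocked when something does not work.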