Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2777
Views
0
Helpful
4
Replies

Creating DMZ in 2900 Series router.

Raghavendra Rai
Level 1
Level 1

‎05-13-2011 04:39 AM - edited ‎03-06-2019 05:02 PM

Hello all,

I have a 2900 series router with SM-ES3G-24-P service module(24 port switch).

In the switch module I have created 2 Vlans,port 1-12 will be in VLAN-1 and port 12-24 will be in VLAN 10.

in port 1-12 end systems will be connected who just need internet connection,and in port 13-24(VLAN 10) Few public servers need to be connected.

I have configured Inter-vlan communication in the switch, so that these private users can also access the public server.

From the Service module (Switch) there is a Gigabit connection to the router from backend. i.e port # 26 in the switch and port # Gi 1/0/1 in router.

But there is a port 25 in the switch, not sure what is the purpose of this switch.

In the router I have configured NATing for private users (for port 1-12). And servers have public IP addresses.

Now I need to configure full firewall for these private users and need to put the servers in DMZ.

As this service module(Switch)  is connected to the router using only one port, how can i configure firewall for 12 users and DMZ for the remaining??

Can you please help??

Thanks,

Raghavendra

Labels:
0 Helpful
4 Replies 4

sean_evershed
Level 7
Level 7

‎05-13-2011 04:55 AM

Assuming you have the correct license, one option is to configure a Zone Based firewall on your router.

See below a configuration example for an Internal, DMZ and External zones.

https://supportforums.cisco.com/docs/DOC-13507

Please remember to rate all posts that are helpful.

0 Helpful

Raghavendra Rai
Level 1
Level 1
In response to sean_evershed

‎05-13-2011 05:10 AM

Hi Sean,

Thank you for the qick response.

In this case ( in your example)  it has 3 intefaces in the router.

interface FastEthernet0/0 (private-users)

     zone-member INSIDE

interface FastEthernet0/1( public-servers)

     zone-member DMZ

interface FastEthernet0/2 ( internet- connection)

     zone-member OUTSIDE

In my case I have used only Two interface of the Router.

One is Gig 0/0 ----- Internet connection.

Other one is gi 1/0------ Connection to the switch

Here the 24 port switch  which i have used is a service module in the router, and it has only one physical port connection from the back end.

As far as my knowledge we can not have 2 ports from router to switch(service-module)

Can you please help me in this case?

Thanks,

Raghavendra

T

0 Helpful

sean_evershed
Level 7
Level 7
In response to Raghavendra Rai

‎05-13-2011 06:12 AM

Hi, You can create subinterfaces and assign them to zones, eg

Fas 0/0.1

zone-member INSIDE

Fas 0/0.2

zone-member DMZ

0 Helpful

Raghavendra Rai
Level 1
Level 1
In response to sean_evershed

‎05-13-2011 11:47 PM

Hi,

Correct, it seems like this should be the solution.

But in my case Switch is a service module in the router, and it has to be connected by a link using seperate ip subnet.

Port 1-12(VLAN-1) ---|

                              |

                              -----(InterVlan using SVI)--Switch (Service-module)----Int Gig 26 (IP-192.168.1.1)--------Router InterfaceGig1/0(192.168.2.1)

                              |

Port 13-24(VLAN10)-|

Now I need to create subinterfaces in Gig1/0 of router(2921) which is internally connected to gig 26 of the switch.

now according to your solution i should direct traffic flowing from VLAN 1 to one sub-interface and should direct VLAN 10 traffic to the other subinterface.

But i dont see any document which shows how we can configre suinterface on an interface connecting to the service module on 2900 series router.


Can you please help?

Thanks,

Raghavendra

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card