
Cisco Configuration Question

  • 03-08-2004 4:06pm
    #1
    Registered Users Posts: 1,825 ✭✭✭


    I have a quick question. I have 4 Cisco routers connected to ADSL in four locations with a VPN set up between them all, and internet going straight out to the net from each point.

    This is all working hunky dory, but I want to add a client machine that will have internet access but no access to the Local Area Network. I have a firewall box and I thought it would be enough to set the WAN on the firewall box with a LAN address the same as the router's and then on the LAN side to use a different IP address range, but the NAT on the firewall box is automatically giving it access to the router and by proxy the whole damn network. Is there a way to deny a single IP address access to the VPNs and the LAN?

    Any other suggestions for how to give this single machine internet access without opening my network up to a can of worms?

    Thanks in Advance,

    Gambler


Comments

  • Registered Users Posts: 257 ✭✭bazooka


    What type of Cisco routers are they? Which one will the client be accessing out through?


  • Registered Users Posts: 1,825 ✭✭✭Gambler


    It's a Cisco 827 (the 800 Series ADSL routers).

    There is one router on each site, is that what you mean?


  • Registered Users Posts: 257 ✭✭bazooka


    It's been a while since I worked with one of those boxes. Is it possible to configure one ethernet port on one subnet and another on another subnet, e.g.:

    eth0 192.168.1.x
    eth1 192.168.2.x

    Then set up DHCP for the visitor side, accessing out through the same ADSL that is being accessed using NAT. This is possible using the 1700 series; I have previously configured this with a wireless AP on the visitor subnet and it works well...


  • Registered Users Posts: 1,825 ✭✭✭Gambler


    I thought of that, and there are four ethernet ports at the back, but when I had a quick look at it, it seemed to only recognise ETH0 as an interface. Didn't spend too long looking at that; may have another goo at it tonight.


  • Registered Users Posts: 257 ✭✭bazooka


    Yeah, I am not sure whether you will be able to configure each eth port individually... as I say, it's been a while. I would doubt it though, to be honest; not at the price point of the 800 series...

    Another option would be to use a SonicWALL firewall (TZ170) behind the 800 box, and then use the OPT port on that (essentially creating a DMZ port). That would allow segmented internet access for visitors... it would mean spending money, but you would be sure that it is secure as hell.


  • Registered Users Posts: 305 ✭✭rash


    Can you supply a simple diagram of your setup, and where the firewall that you mentioned in your initial post sits? (Can you also advise the type of firewall?)

    My reading of your post suggests that your normal office clients are connected to the LAN segment directly connected to the 827 (protected from the outside internet by the SPI firewall on the 827), and you are then using the "firewall" to create a second network segment for the "dirty client".


  • Registered Users Posts: 1,825 ✭✭✭Gambler


    Internet
    |
    Cisco 827
    LAN
    |
    MRI Firewall
    |
    "Dirty Client"

    The Cisco router has an ETH0 address of 10.0.0.1.
    The MRI firewall has a WAN port address of 10.0.0.20 and a DHCP server giving LAN clients a 192.168.0.60 - 150 address range (only one machine at the moment, but you never know what may happen, and DHCP is handy when it is built in like that).

    There is a server running a DHCP server on the LAN section giving out 10.0.0.50-254 addresses.

    Need any more info?


  • Registered Users Posts: 305 ✭✭rash


    Never heard of the MRI make before! Is it a true firewall, or does it just offer "network protection" using NAT?
    If you have control over packet filters on the MRI, you could just add in a few rules to deny access to destination address 10.0.0.0/24, and to deny access to your remote LANs.


  • Registered Users Posts: 1,906 ✭✭✭jayok


    Looking at your configuration, I assume that the Cisco 827s are acting as a NATing firewall as well as a LAN port.

    There are a number of ways to do this, but you could get the configuration going this way. Assume for the moment that your LAN IP is 192.168.0.0/24, and that the default route of your LAN is 192.168.0.254.

    On the Cisco box, reserve a static IP address from the DHCP pool specifically for the MRI firewall (I am not familiar with this MRI unit, but I assume it works like most other firewalls).

    Statically set the MRI firewall with an external IP address of, say, 192.168.0.253 but with a network subnet of 255.255.255.252 (/30). This means that the default gateway is only accessible to the MRI firewall and no other address is. Using NAT and your rule base in the MRI firewall, you can then set up an additional subnet for the dirty client (e.g. 192.168.168.0/24) and regulate access from there.

    Of course you could drop the firewall altogether and subnet at the client, but if you're running any other protocols on the network then it's better to have the firewall filter this stuff.


  • Registered Users Posts: 2,426 ✭✭✭ressem


    Looks like the MRI is on the same switch as the LAN, and it's configured to see the LAN as the external network.

    For the MRI firewall (can't see it at mri.co.uk, maybe from elsewhere; any more details? If you've got good routing control, you're sorted), it:
    - should have a static IP;
    - should refuse outgoing traffic to any LAN subnet;
    - should route all traffic to the router / have the gateway set to the router;
    - should only allow certain well-known outgoing ports and no incoming requests.

    The Cisco router should then block all traffic from the MRI firewall from being routed onto an internal subnet. How familiar are you with the Cisco console?

    Other, probably completely useless, options:
    > Don't suppose that you've a layer 3 switch for the LAN? Set up untrusted clients on a VLAN and route out. Not very secure, but not the worst either.
    > Get a Cisco with 2 real ethernet ports, so one can be set as the DMZ.
    > Get a firewall behind the router to be the VPN endpoint.
    > Replace the MRI with a Linux box with 2 NICs for a more capable DMZ.

    All of little use since we don't know the capabilities of the MRI.
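    Putting rash's "deny 10.0.0.0/24 and the remote LANs" rules and ressem's "the router should block routed traffic from the firewall" together, here is an added example (not from any poster) of an IOS extended access list on the 827's Ethernet0. It uses the addresses from the thread (router 10.0.0.1, MRI WAN side 10.0.0.20, office LAN 10.0.0.0/24); the three remote VPN site ranges are placeholders in the 192.0.2.0/24 style, and it assumes jayok's /30 mask on the MRI so that LAN-bound packets are actually sent to the router rather than straight across the switch, where no router ACL can see them.

    ```cisco
    ! Added example, not from the thread. Thread addresses: router Ethernet0 =
    ! 10.0.0.1, MRI firewall WAN side = 10.0.0.20, office LAN = 10.0.0.0/24.
    ! 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are PLACEHOLDERS for the
    ! three remote sites' LAN ranges; replace them with the real ones.
    ip access-list extended DIRTY-CLIENT-ISOLATE
     remark --- dirty side must not reach the local LAN (or the router itself)
     deny   ip host 10.0.0.20 10.0.0.0 0.0.0.255
     remark --- nor the remote VPN sites; matched here before the crypto map sees it
     deny   ip host 10.0.0.20 192.0.2.0 0.0.0.255
     deny   ip host 10.0.0.20 198.51.100.0 0.0.0.255
     deny   ip host 10.0.0.20 203.0.113.0 0.0.0.255
     remark --- anything else from the MRI is internet-bound and may go out
     permit ip host 10.0.0.20 any
     remark --- normal office hosts in 10.0.0.0/24 are untouched
     permit ip any any
    !
    interface Ethernet0
     ip access-group DIRTY-CLIENT-ISOLATE in
     ! With the /30 mask on the MRI, 10.0.0.x traffic arrives here for forwarding.
     ! Without this line the router would send an ICMP redirect telling the MRI
     ! to go directly across the switch next time, sidestepping the ACL.
     no ip redirects
    ```

    After applying it, `show access-lists DIRTY-CLIENT-ISOLATE` shows per-line hit counts, so a test connection from the dirty client to a 10.0.0.x host should increment the first deny rather than the final permit.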

