
Cisco Router and Firewall

Status: Not open for further replies.

tntsysmgr (MIS), Sep 18, 2001, US
We have a small office network (50 users) connected to the internet with DSL via a Cisco 1417 Router.

What are the firewall options? We have a mail server, web server and FTP server that will need to be "visible" to the outside, but none of the production servers or users should be.

Can I add, for example, a Linksys broadband router between the 1417 and the network? It is inexpensive and appears easy to configure.
 
The best way to do this is to use a three-tier firewall design.
By this I mean that you have an outside filtering router, an isolation network (DMZ) and an internal filtering router.
All servers that need to be visible to the outside world go into the DMZ, which has its own subnet range. You then configure an access list on the external filtering router to forward all traffic to both the internal network and the DMZ. There is then another access list on the DMZ interface, permitting or denying traffic, and the same on the internal LAN.

This is the basis; if you want any more help, give me your mail address and I'll send you some diagrams.

Daniel,
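A worked check of the three-tier design described in the post above, added here as an example and not part of Daniel's post or the poster's configuration. It is a small evaluator for IOS-style extended access lists: first matching line wins, every list ends in an implicit deny, and `established` matches only TCP segments carrying ACK or RST. The addresses (203.0.113.0/24 for the DMZ, 192.168.1.0/24 for the LAN, the three server hosts) and every rule line are assumptions made for this example.

```python
"""Evaluator for IOS-style extended access lists, used to check the
three-tier design above. Rule sets and addresses are constructed for this
example (documentation ranges, not the poster's network). Cisco semantics
modelled: first match wins, every ACL ends in an implicit deny, and
`established` matches only TCP segments carrying ACK or RST."""
import ipaddress
from collections import namedtuple

# Assumed addressing: public servers on a DMZ subnet, RFC 1918 LAN. NAT is
# left out; with NAT the LAN lines would name the router's public address.
DMZ_NET, LAN_NET = "203.0.113.0 0.0.0.255", "192.168.1.0 0.0.0.255"
MAIL, WEB, FTP = "203.0.113.10", "203.0.113.11", "203.0.113.12"

# Tier 1: inbound on the external router's Internet-facing interface.
EXTERNAL_IN = [
    f"permit tcp any host {MAIL} eq 25",
    f"permit tcp any host {WEB} eq 80",
    f"permit tcp any host {FTP} eq 21",
    f"permit tcp any host {FTP} range 1024 65535",  # passive FTP data: all a stateless ACL can do
    f"permit tcp any {DMZ_NET} established",        # replies to sessions the DMZ opened
    f"permit tcp any {LAN_NET} established",        # replies to sessions the LAN opened
    "deny ip any any",                              # implicit anyway; written out so it can be logged
]
# Tier 2: inbound on the DMZ interface, i.e. what DMZ hosts may originate.
# A compromised public server gets no new sessions into the LAN.
DMZ_IN = [
    f"permit tcp host {MAIL} any eq 25",      # only the mail relay starts outbound SMTP
    f"permit tcp {DMZ_NET} any established",  # replies to clients of the public services
    f"deny ip {DMZ_NET} {LAN_NET}",           # explicit, for the log
]
# Tier 3: inbound on the LAN interface. Only LAN sources may originate
# traffic, which also drops spoofed source addresses leaving the LAN.
INTERNAL_IN = [f"permit ip {LAN_NET} any"]

# flags is {"SYN"} for a new connection, {"ACK"} for any later segment.
Packet = namedtuple("Packet", "proto src sport dst dport flags")

def _addr(tok, i):
    """'any' | 'host A' | 'A WILDCARD' at tok[i]; IOS wildcards are hostmasks."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def _ports(tok, i):
    """Optional 'eq N' | 'range A B' at tok[i] -> ((lo, hi) or None, next i)."""
    if i < len(tok) and tok[i] in ("eq", "range"):
        width = 2 if tok[i] == "eq" else 3
        return (int(tok[i + 1]), int(tok[i + width - 1])), i + width
    return None, i

def parse_rule(line):
    """-> (action, proto, src_net, sport, dst_net, dport, established)."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _ports(tok, i)
    return tok[0], tok[1], src, sport, dst, dport, "established" in tok[i:]

def matches(rule, pkt):
    _, proto, src, sport, dst, dport, established = rule
    in_range = lambda spec, p: spec is None or spec[0] <= p <= spec[1]
    return ((proto == "ip" or proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst
            and in_range(sport, pkt.sport) and in_range(dport, pkt.dport)
            and (not established or bool(pkt.flags & {"ACK", "RST"})))

def evaluate(acl, pkt):
    """First matching line decides; no match is the implicit deny."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def tcp(src, sport, dst, dport, reply=False):
    return Packet("tcp", src, sport, dst, dport, frozenset({"ACK" if reply else "SYN"}))

def scenarios():
    """Traffic worth checking against each tier (constructed addresses)."""
    lan_host, outsider = "192.168.1.10", "198.51.100.5"
    return {
        "internet -> mail:25": evaluate(EXTERNAL_IN, tcp(outsider, 40000, MAIL, 25)),
        "internet -> web:22": evaluate(EXTERNAL_IN, tcp(outsider, 40000, WEB, 22)),
        "internet -> lan:445": evaluate(EXTERNAL_IN, tcp(outsider, 40000, lan_host, 445)),
        "reply to lan browsing": evaluate(EXTERNAL_IN, tcp(outsider, 80, lan_host, 50000, reply=True)),
        "web server -> lan:445": evaluate(DMZ_IN, tcp(WEB, 50000, lan_host, 445)),
        "web server -> internet:25": evaluate(DMZ_IN, tcp(WEB, 50000, outsider, 25)),
        "mail relay -> internet:25": evaluate(DMZ_IN, tcp(MAIL, 50000, outsider, 25)),
        "spoofed source on lan": evaluate(INTERNAL_IN, tcp("10.9.9.9", 50000, outsider, 80)),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

Two caveats show up directly in the rule sets. The passive FTP line has to open the whole high-port range on the FTP server, because a stateless list cannot know which data port the control channel negotiated. And `established` is not state: it only tests the ACK/RST bits, so a single crafted ACK segment passes the "replies" lines whether or not a session exists, which is exactly what an ACK scan exploits. Both are reasons the stateful inspection products mentioned later in this thread are preferred where budget allows; the tiering itself (DMZ hosts unable to originate sessions into the LAN) is what limits the damage when a public server is compromised.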
 
I think I understand most of what you are saying, and according to the tech docs for the Linksys router it appears able to do what you suggest.

Before I proceed I guess my first question concerns problems I may encounter connecting a router (the Linksys Broadband) to a router (the Cisco 1417). The Cisco also serves as the DSL modem.

Thanks.
 
I presume that this Linksys router is the Firewall?

The way I have mine setup at present, is to have a DMZ coming out of the second router (Cisco router). This means that the Cisco will need twin Ethernet or FE ports (one for each network).
As far as I remember, the 1417 has just the one Ethernet port with an attached DSL modem. This will cause a problem.

There should be no problem with connecting the two routers, as long as you use an encapsulation method that they both understand.
 
Why not get a "stateful" firewall (e.g. Nokia, Checkpoint on NT, etc.), and if using NT install a 3rd NIC (the Nokia 330 has 3 NICs). In this way you can have a DMZ hanging off the firewall, with all your rules protecting your internal network. You can implement NAT on the firewall, requiring only one valid IP address for your entire internal network. Obviously you will need a couple of valid IPs for your visible servers.
This setup is very secure if you implement your rules correctly, and not difficult to administer.
 
I agree with replacing the Linksys. I have one; I took it out and replaced it with a Webramp 700s, which just plain rips over the Linksys. I run the 3-tier design with a comm server in the DMZ and a web-based interface to my Exchange box. The Linksys was very hit and miss in passing static NAT mappings; the Webramp is solid each and every time. Not to mention its stateful inspection, which has caught several attacks before they get to my "real" firewall (2514).

Webramps are very cheap now on eBay (under 100 bucks), or you can get the exact thing from SonicWall or a different flavor from Nokia, which bought the Webramp name.

Like Daniel, I could supply a Visio diagram of how mine is setup if you have an interest.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 