Separting Internet Connection

[Shando]

Hi,
We have 3 sites that are tied together with T1s, and the ASA firewall is in the main office.
Hi All,
Is there a way where we can give each site their own
Comcast connection, instead of using the Comcast connection through the main site while having the sites stay connected with the T1s ? I dont want to wind up having a firewall at each site.

If this is feasible using IP routing, and ACL policies on the cisco 2600 routers, do you think not having a firewall at each location would have a security risk, and would it be better to have a firewall?

We manage the routers, there is cisco 2600 at each site. So, how can we do this through the routers at each location and keep non internet trafic floating through the main fw?

Thank you for your help...

 

[unclerico]

sure. on each of the 2600's configure the zone-based firewall. you MUST have a firewall with stateful inspection otherwise you open yourself up to bad things. you'll need to change your routing at the remote locations so that you have a default route to the internet and then specific routes to go over the T1's for traffic destined for the other locations.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Shando]

So I need a firewall at each location, beside, the routers'zone based firewall config?

Do I need ACL to be configured on the routers side?

can you please give more details on how to do this and anything I need to watch for?

thank you for your quick response!

 

[unclerico]

it all depends on your security requirements. do you want to permit any and all traffic outbound??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Shando]

ftp, and web only.