I have a customer whose firewall recently bricked and is unusable. This device had previously served as a VPN to their LAN from the outside world, restricted access between internal VLANs, and provided NAT for internal addresses to reach the internet. They happened to have a Cisco 3825 lying around and I've been attempting to get this router configured to duplicate the functionality of the now deceased firewall.
The customer is requesting the following setup:

  VLAN 2 must not have internet access or access to VLAN 41
  VLAN 42 must have internet access but no access to VLAN 41
  VLAN 41 must have internet access and allowed access to VLANs 2 and 42

My intent has been to use Reflexive Access Control List(s) to allow traffic originating from VLAN 41 into VLANs 2 & 42 and back. Numerous configuration attempts seem to break the NAT for VLANs 41 & 42, although according to the customer the internal segmentation of VLANs appeared to work as requested; I have since removed the RACL to restore connectivity.

The 3825 is currently configured as follows:

  interface GigabitEthernet0/0.2
   encapsulation dot1Q 2
   ip address 192.168.15.254 255.255.240.0
   no cdp enable
  interface GigabitEthernet0/0.41
   encapsulation dot1Q 41
   ip address 192.168.31.254 255.255.240.0
   ip nat inside
   ip virtual-reassembly
   no cdp enable
  interface GigabitEthernet0/0.42
   encapsulation dot1Q 42
   ip address 192.168.47.254 255.255.240.0
   ip nat inside
   ip virtual-reassembly
   no cdp enable
  interface GigabitEthernet0/1.30
   encapsulation dot1Q 30
   ip address x.x.x.137 255.255.255.248
   ip nat outside
   ip virtual-reassembly
   no cdp enable
   crypto map SDM_CMAP_1
  ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1.30 overload
  route-map SDM_RMAP_1 permit 1
   match ip address 100
  access-list 100 remark SDM_ACL Category=2
  access-list 100 deny ip 192.168.32.0 0.0.15.255 10.0.0.0 0.0.0.15
  access-list 100 deny ip 192.168.16.0 0.0.15.255 10.0.0.0 0.0.0.15
  access-list 100 deny ip 192.168.0.0 0.0.15.255 10.0.0.0 0.0.0.15
  access-list 100 deny ip any 10.0.0.0 0.0.0.15
  access-list 100 permit ip 192.168.16.0 0.0.15.255 any
  access-list 100 permit ip 192.168.0.0 0.0.15.255 any

The 3825 is running the following IOS: (C3825-ADVIPSERVICESK9-M), Version 12.4(23)

Does anybody have any recommendations or advice to offer regarding this setup and whether or not it can be accomplished?
Thanks in advance,
Darin Herteen
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
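One way to place the reflexive ACLs so that they never touch the NAT interface, as an added example that is not from the original post: the reflect/evaluate pairs live on the inside subinterfaces, where IOS checks ACLs against the untranslated private addresses, and VLAN 2 is assumed to initiate nothing at all (loosen VLAN2-IN if VLAN 2 must reach VLAN 42 or the router). The ACL and reflexive-list names are my own.

```cisco
! Idle tracked sessions expire after 5 minutes
ip reflexive-list timeout 300
!
! --- VLAN 2 (192.168.0.0/20): only replies to sessions opened by VLAN 41 ---
ip access-list extended VLAN2-OUT
 remark VLAN 41 -> VLAN 2, tracked so the replies can come back
 permit ip 192.168.16.0 0.0.15.255 192.168.0.0 0.0.15.255 reflect R-41-TO-2
 deny ip any any
ip access-list extended VLAN2-IN
 remark replies to tracked VLAN 41 sessions only
 evaluate R-41-TO-2
 remark no internet, no VLAN 41, nothing else initiated from VLAN 2 (assumption)
 deny ip any any log
!
! --- VLAN 42 (192.168.32.0/20): internet allowed, VLAN 41 only as replies ---
ip access-list extended VLAN42-OUT
 permit ip 192.168.16.0 0.0.15.255 192.168.32.0 0.0.15.255 reflect R-41-TO-42
 remark NAT return traffic already carries the private destination here
 permit ip any 192.168.32.0 0.0.15.255
ip access-list extended VLAN42-IN
 evaluate R-41-TO-42
 deny ip any 192.168.16.0 0.0.15.255 log
 permit ip any any
!
interface GigabitEthernet0/0.2
 ip access-group VLAN2-IN in
 ip access-group VLAN2-OUT out
interface GigabitEthernet0/0.42
 ip access-group VLAN42-IN in
 ip access-group VLAN42-OUT out
! Gi0/0.41 and the ip nat outside subinterface Gi0/1.30 carry no ACL,
! so the SDM_RMAP_1 overload translation is left untouched
```

Reflexive entries are created only for sessions the reflect line actually sees, so sessions that were open before the ACLs were applied get no return entry until they are re-established. Note also that ACL 100 as posted matches 192.168.16.0/20 and 192.168.0.0/20 but not 192.168.32.0/20, so confirm with show ip nat translations that VLAN 42 traffic is really being translated.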