Hi,

The router was purchased along with the Cisco firewall software license. I
figured to implement that? Otherwise I could put ISA on the server out there.

The security concerns are duly noted, and I won't leave the office on public
until addressed. That being said, to get them to use their own internet
portal directly I would do a:

ip route 172.29.30.0 255.255.255.0 1.2.3.4

and do a:

no ip route 0.0.0.0 0.0.0.0

is that correct?

BTW, and don't laugh, I put in that last route chasing down a CPU
utilization issue. The router was typically at 34% utilization. Doing some
research, I found that maybe packets to unclaimed addresses were looping
between the internal network and the ISP, and that line would throw them in the bit
bucket. So that was way out in left field, wasn't it? I did solve the
utilization issue; there was an unused ADSL module, and when I had that pulled
it went down to normal.

Chuck's Long Road wrote:
> 
> just a quick comment or two.
> 
> you are writing as if you need to do something on your routers other than
> change the gateway of last resort.
> 
> ip route 0.0.0.0 0.0.0.0 goes where?
> 
> without getting into the intricacies, if you are introducing a new firewall
> into the "europe" domain, your router should have a default route pointing
> to the inside address of the firewall. no other configuration is required.
> the firewall does all the filtering. no access lists. etc. at least not as
> related to firewall stuff.
> 
> your router would redistribute the default route information, or not, as
> needed.
> 
> your hosts would use the particular router as their default gateway.
> 
> if you are using your router as the firewall, then I have to ask - what
> happens if that device is compromised - do you really want some hacker to
> then be in the middle of your network?
> 
> --
> 
> www.chuckslongroad.info
> like my web site?
> take the survey!
> 
> "CTM CTM" wrote in message news:[EMAIL PROTECTED]...
> > Hello all,
> >
> > Continuing my quest to unravel that which was left behind, I am now at the
> > following conclusion:
> >
> > Europe is on subnet 172.29.30.0
> > U.S. is on subnet 192.168.100.0
> >
> > Europe office has a 512k portal to the internet, public IP gateway being
> > 1.2.3.4 (made up of course, is in 217.x.x.x range)
> > U.S. public IP is 6.7.8.9
> > However, it has been configured for all Europe internet traffic to be routed
> > through U.S. office (for purposes of going through a firewall, which wasn't
> > in place anyways). This has left Europe office with effective internet
> > speeds of
> >
> > Now I want them to use their own internet portal and I believe I need to
> > reconfigure access lists to allow it.
> >
> > Here are my lists:
> >
> > ip nat inside source list 101 interface Ethernet0 overload
> > ip kerberos source-interface any
> > ip classless
> > ip route profile
> > ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > ip route 172.29.40.0 255.255.255.0 192.168.100.15
> > ip http server
> > !
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
> > access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
> > access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
> > access-list 101 permit ip 172.29.30.0 0.0.0.255 any
> >
> > interface Ethernet0
> >  description connected to Internet
> >  ip address 1.2.3.5 255.255.255.248     above public gateway
> >  ip nat outside
> >  no ip route-cache
> >  no ip mroute-cache
> >  half-duplex
> >  crypto map cm-cryptomap
> >
> > And here's what I *think* I need to do:
> >
> > no ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > ip route 172.29.30.0 255.255.255.0 1.2.3.4
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4
> >
> > For the last line I would actually need to clear all access lists ( no
> > access-list 100..... is the command?) and then reenter to preserve the
> > order?
> >
> > Does it sound like I'm close to what I need to do?
> 
> 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54914&t=54901
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
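As an added illustration (not written by anyone in the thread) of the two mechanics the questions above turn on: IOS evaluates an access-list top to bottom and stops at the first match, which is why re-entering `access-list 101` in a different order changes which traffic gets NATed, and it picks a route by longest prefix. The ACL entries and static routes are copied from the quoted configuration; the inside host 172.29.30.10 and the destination 203.0.113.7 are constructed values.

```python
import ipaddress

# Added example, not from the thread: models Cisco IOS first-match ACL
# evaluation with wildcard masks and longest-prefix static route selection.
# Entries come from the quoted config; 203.0.113.7 is a constructed address.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_decision(acl, src, dst):
    """Action of the first matching entry; IOS adds an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

def best_route(routes, dst):
    """Longest-prefix match over (network, mask, next_hop) static routes."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for net, mask, next_hop in routes:
        n = ipaddress.IPv4Network(f"{net}/{mask}")
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, next_hop)
    return best[1] if best else None

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 101 as quoted: the deny lines must precede the permit
ACL_101 = [
    ("deny",   "172.29.30.0", "0.0.0.255", "6.7.8.9",       "0.0.0.31"),
    ("deny",   "172.29.30.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "172.29.30.0", "0.0.0.255", *ANY),
]
# The same entries re-entered with the permit first (a careless rebuild)
ACL_101_MISORDERED = [ACL_101[2], ACL_101[0], ACL_101[1]]
ROUTES = [  # static routes as quoted in the original post
    ("0.0.0.0",     "0.0.0.0",       "1.2.3.4"),
    ("172.29.40.0", "255.255.255.0", "192.168.100.15"),
]

if __name__ == "__main__":
    for dst in ("6.7.8.20", "192.168.100.5", "203.0.113.7"):
        print(dst, acl_decision(ACL_101, "172.29.30.10", dst),
              acl_decision(ACL_101_MISORDERED, "172.29.30.10", dst),
              best_route(ROUTES, dst))
```

With the quoted order, traffic from Europe to the U.S. office stays out of NAT and everything else is translated; with the permit re-entered first, U.S.-bound traffic is translated too.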