How to access the IOS firewall feature set

abyewondimu
Level 1

A new router was shipped from Ingram: 2811 VSEC-CCME/K9. It is supposed to have a firewall feature set and encryption, but I don't see all that on the IOS. When I do show version I see flash:c2800nm-advipservicesk9-mz.124-3i.bin. How do I access the security bundle?

Accepted Solution

Collin Clark
VIP Alumni

You need to configure it. (see CBAC)

http://cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

To check whether the encryption card is being recognized by IOS:

RTR3825-1#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
Product Name: AIM-VPN/SSL-3
Software Serial #: 55AA
Device ID: 001F - revision 0000
Vendor ID: 0000
Revision No: 0x001F0000
VSK revision: 0
Boot version: 255
DPU version: 0
HSP version: 3.4(1) (PRODUCTION)
Time running: 6w1d
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 2000
Maximum SA index: 2000
Maximum Flow index: 4000
Maximum RSA key size: 2048

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 01100200
Time running: 3777585 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0500
Maximum SA index: 0500
Maximum Flow index: 1000
Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: B01D79DE
crypto engine state: installed
crypto engine in slot: N/A

HTH


6 Replies

This is the output when I run this command

show crypto engine brief?
brief

GantechRtr#show crypto engine brief ?
| Output modifiers

GantechRtr#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.2.0
Firmware Version: v2.2.0
Time running: 10989 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0300
Maximum SA index: 0300
Maximum Flow index: 2400
Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: A5EFE61B
crypto engine state: installed
crypto engine in slot: N/A

On the running config I don't see the firewall features such as fixup and encryption key.

The VPN encryption card is there and seen by the router. You need to configure the CBAC firewall, fixups, IPS, etc. The link above should help.

Thank you I will check it out.

Abye

The encryption key is not stored in the config and so you do not see it in the config.

While "fixup" was the language of the PIX firewall for a long time, that has changed and it is now "inspect". The firewall software on your router will have ip inspect commands, which you will use as part of configuring the router to perform stateful inspection of traffic as part of the firewall feature set implementation.

HTH

Rick
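To make Rick's point concrete, here is a minimal CBAC (Context-Based Access Control) configuration of the kind the ip inspect commands are used for. It is an added example, not configuration from this thread or from the Cisco design guide linked above; the interface roles (FastEthernet0/1 facing the ISP), the rule name CBAC-OUT and the ACL name OUTSIDE-IN are assumptions, and you would adjust them to your own router.

```ios
! Added example: minimal CBAC stateful firewall on an ISR running the
! advipservicesk9 image. Interface names, the rule name CBAC-OUT and the
! ACL name OUTSIDE-IN are assumptions, not values from the thread.
!
! 1. Define the inspection rule: which protocols are tracked statefully.
!    Sessions that match on the way out create temporary return entries
!    ahead of the static inbound ACL below, so replies get through while
!    unsolicited inbound connections do not.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
ip inspect name CBAC-OUT http
!
! 2. Static inbound filter on the outside interface. With CBAC the only
!    permanent rule needed is the final deny; "log" makes dropped
!    unsolicited traffic visible in the router's syslog.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! 3. Apply both to the outside interface: inspect what leaves toward the
!    ISP, filter what arrives from it.
interface FastEthernet0/1
 description Outside (ISP)
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
!
! Verification from privileged exec:
!   show ip inspect config     - rules and the interfaces they are applied to
!   show ip inspect sessions   - sessions currently being tracked
!   show ip inspect statistics - counters for inspected and dropped traffic
```

The design mirrors what Rick describes: the feature set is already in the image, and nothing appears in the running configuration until ip inspect rules are defined and bound to an interface. Once applied, show ip inspect sessions is the quickest way to confirm that the firewall is actually tracking traffic rather than just being present in the image.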