I just took a new job where I am being asked to use a 2801 router running ADV_SECURITY IOS as a firewall. What is the best practice to make the router as much like a firewall as possible?
I thought that it was just setting up ACLs and then applying them to the outside interface, but the implicit deny ended up blocking all users' internet sessions!
Basically, I am trying to have the router behave like a firewall, where all traffic originating inside is allowed out, and all responses to that session are allowed back in. I want to block all other access but allow those on the inside network to use internet resources. Are reflexive ACLs the way to go?
I thought this was simple, since most of my experience is with PIX, but using IOS in this way has me stumped. Any links to config examples or articles would be much appreciated.
You can have the same inspect rule applied to both outbound and inbound.
If your ACL denies everything but ICMP, you should be fine to have the inspect in the outbound direction only.
If you do "show ip inspect" and get nothing back, then you aren't really using the one that's applied now. If you have sessions established, then you are, and I'd leave it the way that it is but also apply the inspect outbound on your public interface.
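The pattern the question asks for (inside-originated sessions allowed out, only their return traffic allowed back in, everything else dropped) is what the answer's "inspect" refers to: IOS stateful inspection (CBAC, `ip inspect`). Below is an added configuration example, not taken from the original thread and not from any poster; the inspect-rule name, ACL name, interface names and the RFC 5737 / RFC 1918 addresses are assumptions chosen for illustration. The inspect rule is applied outbound on the outside interface, so every session leaving through it opens a temporary, per-session entry in front of the inbound ACL; the inbound ACL itself only needs to allow the few ICMP types that are not tracked as part of a session (on older IOS releases that lack `ip inspect name ... icmp`, keep those lines) and then deny everything else, which is exactly the implicit deny that broke the original setup when no inspect rule was in place.

```cisco
! --- Stateful inspection rule (assumed name FW-INSPECT) ---
! Each protocol listed here is tracked; return traffic for sessions
! that left via the interface where the rule is applied "out" is
! admitted dynamically, ahead of the inbound ACL.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! --- Inbound ACL on the outside interface (assumed name OUTSIDE-IN) ---
! Only untracked ICMP control messages are permitted statically;
! everything else relies on the inspect entries or is denied.
ip access-list extended OUTSIDE-IN
 remark Return traffic for inspected sessions is inserted above these lines by CBAC
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any log
!
! --- Outside (ISP-facing) interface, assumed FastEthernet0/0 ---
interface FastEthernet0/0
 description Outside / ISP uplink
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! --- Inside LAN interface, assumed FastEthernet0/1 ---
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
```

To confirm the rule is actually in use, which is the check the answer describes, run `show ip inspect interfaces` (the outside interface should list FW-INSPECT as the outbound inspection rule) and `show ip inspect sessions` while an inside host has a connection open; an empty session table with live user traffic means the rule applied to the interface is not the one you configured. Reflexive ACLs (`permit ... reflect` / `evaluate`) can produce a similar effect for TCP and UDP, but they do not understand application protocols the way `ip inspect` does, which is why the stateful inspection route is the closer match to PIX behaviour.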