04-21-2009 12:22 PM - edited 03-11-2019 08:21 AM
I just took a new job where I am being asked to use a 2801 router running ADV_SECURITY IOS as a firewall. What is the best practice to make the router as much like a firewall as possible?
I thought that it was just setting up ACLs and then applying them to the outside interface, but the implicit deny ended up blocking all users' internet sessions!
Basically, I am trying to have the router behave like a firewall, where all traffic originating inside is allowed out, and all responses to that session are allowed back in. I want to block all other access but allow those on the inside network to use internet resources. Are reflexive ACLs the way to go?
I thought this was simple, since most of my experience is with PIX, but using IOS in this way has me stumped. Any links to config examples or articles would be much appreciated.
04-22-2009 07:55 AM
You can have the same inspect rule applied to both outbound and inbound.
If your acl denies everything but icmp, you should be fine to have the inspect in the outbound direction only.
If you do "show ip inspect
John
04-21-2009 01:42 PM
You'll want to look into configuring CBAC. You'll place the inspect in the outbound direction on your public interface. Any traffic that's seen from your inside out creates a session in the session table (much like a PIX would), and it will allow this traffic back in.
Otherwise, if you want to use ACLs, you'll need to put in the last line "permit tcp any any established"
Here's a configuration guide for CBAC:
HTH,
John
04-22-2009 06:30 AM
John,
Our config already contains multiple inspect statements, such as:
"ip inspect name GW08 tcp"
Most major protocols are listed. Then, on the outside interface Fa0/0, I see "ip inspect GW08 in." Does this mean that CBAC is configured? If so, must I still use the "tcp any any established" ACL command? Is it a best practice to have this command?
04-22-2009 07:07 AM
It's going in the wrong direction to protect your network :) Change it to say:
ip inspect GW08 out
You won't need the established command if you're using inspects.
HTH,
John
04-22-2009 07:22 AM
OK, so I don't want the router inspecting packets coming *in* the outside interface? How is it a firewall if it's only inspecting what's going *out* the outside interface? What about making sure that nobody's coming in? Or is that implicit?
04-22-2009 07:27 AM
It's a little different. The sessions are created based on the direction of the traffic. When you put it in the out direction, it inspects the traffic and adds it to the session table to allow the return traffic back in.
Example:
If you have your inspect inspecting HTTP:
ip inspect
And you have your external access-list denying http traffic:
ip access-list extended BLOCKHTTP
 deny tcp any any eq 80
interface FastEthernet0/0
 ip access-group BLOCKHTTP in
 ip inspect
It will only allow http sessions that were created from the inside back in.
HTH,
John
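A complete IOS configuration of the pattern described above (stateful inspection applied outbound on the public interface, a restrictive ACL applied inbound, no "established" line needed), added here as a worked example and not taken from the thread. The inspect rule name GW08 is the one quoted earlier in the thread; the interface roles, the mail-server pinhole and its documentation-range address are assumptions.

```cisco
! Added example, not from the thread. Assumes Fa0/0 is the outside
! (Internet) interface and Fa0/1 is the inside LAN; 203.0.113.10 is a
! placeholder (documentation range) for a NAT'd mail server pinhole.
!
! 1. Define the stateful inspection rule. Generic tcp/udp inspection
!    covers most protocols; http and ftp get protocol-aware inspection.
ip inspect name GW08 tcp
ip inspect name GW08 udp
ip inspect name GW08 http
ip inspect name GW08 ftp
ip inspect name GW08 icmp
!
! 2. Inbound ACL on the outside interface: only what must be reachable
!    from the Internet. Everything else hits the implicit deny, EXCEPT
!    return traffic for sessions CBAC created (inspection opens those
!    dynamically, so no "permit tcp any any established" is needed).
ip access-list extended OUTSIDE-IN
 remark Pinhole for the NAT'd mail server (placeholder address)
 permit tcp any host 203.0.113.10 eq 25
 remark Useful ICMP only; everything else is implicitly denied
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. Apply: ACL inbound, inspection OUTBOUND so sessions initiated
!    from the LAN are tracked and their replies are let back in.
interface FastEthernet0/0
 description Outside / Internet
 ip access-group OUTSIDE-IN in
 ip inspect GW08 out
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip nat inside
!
! Verification (sessions appear once LAN hosts start browsing):
!   show ip inspect sessions
!   show ip access-lists OUTSIDE-IN
```

The `deny ip any any log` entry only makes the implicit deny visible in the log; dropped return traffic showing up there usually means the protocol is not covered by the inspect rule.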
04-22-2009 07:47 AM
OK, I see. Can I have the router inspecting both the in and out directions on the outside interface for maximum security?
(Note: The ACL assigned to the outside interface is only explicitly allowing icmp, and since we use NAT, any pinholes to specific hosts for services. All other unallowed ports/protocols are implicitly denied.)
Thank you for taking the time to respond to all my questions.
04-21-2009 01:45 PM
Ben,
You have to do a bit of reading; indeed it is different from PIX/ASA. Have a look at these few links. First, have a look at the IOS page in the first link to understand IOS feature packaging; I think it helps to get a better picture of the required IOS firewall feature set, platforms, etc.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html
General 2800 series data sheets etc.; they will help you understand the 2801 platform better. It is good to have all the information you can on the 2801 when it comes to firewall and VPN throughputs etc. to prepare a deployment of this kind.
http://www.cisco.com/en/US/products/ps5854/index.html
Then go to this page for all information about ZBF (Zone Based Firewall) on IOS: requirements, design guides, etc. When you go to downloads in the software advisory, select Firewall Feature set.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html
Regards
04-22-2009 06:32 AM
Thank you, Jorge. I was unable to use the third link you provided (503 forbidden).
I am running the 12.4 mainline IOS with the Advanced Security feature set. Are you saying that I need a different feature set or that I need to run the 12.4T IOS family?