2801 - IOS as a firewall

olhcc
Level 1

I just took a new job where I am being asked to use a 2801 router running ADV_SECURITY IOS as a firewall. What is the best practice to make the router as much like a firewall as possible?

I thought that it was just setting up ACLs and then applying them to the outside interface, but the implicit deny ended up blocking all users' internet sessions!

Basically, I am trying to have the router behave like a firewall, where all traffic originating inside is allowed out, and all responses to that session are allowed back in. I want to block all other access but allow those on the inside network to use internet resources. Are reflexive ACLs the way to go?

I thought this was simple, since most of my experience is with PIX, but using IOS in this way has me stumped. Any links to config examples or articles would be much appreciated.

John Blakley
VIP Alumni

You'll want to look into configuring CBAC. You'll place the inspect in the outbound direction on your public interface. Any traffic that's seen from your inside out creates a session in the session table (much like a PIX would), and it will allow this traffic back in.

Otherwise, if you want to use ACLs, you'll need to put in the last line "permit tcp any any established".

Here's a configuration guide for CBAC:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

Our config already contains multiple inspect statements, such as:

"ip inspect name GW08 tcp"

Most major protocols are listed. Then, on the outside interface Fa0/0, I see "ip inspect GW08 in." Does this mean that CBAC is configured? If so, must I still use the "tcp any any established" ACL command? Is this a best practice to have this command?

It's going in the wrong direction to protect your network :) Change it to say:

ip inspect GW08 out

You won't need the established command if you're using inspects.

HTH,

John

HTH, John *** Please rate all useful posts ***

OK, so I don't want the router inspecting packets coming *in* the outside interface? How is it a firewall if it's only inspecting what's going *out* the outside interface? What about making sure that nobody's coming in? Or is that implicit?

It's a little different. The sessions are created based on the direction of the traffic. When you put it in the out direction, it inspects the traffic and adds it to the session table to allow the return traffic back in.

Example:

If you have your inspect inspecting HTTP:

ip inspect name CBAC http
! CBAC is a placeholder inspection rule name; the original post left the name out

And you have your external access-list denying http traffic:

ip access-list extended BLOCKHTTP
 deny tcp any any eq 80
!
interface FastEthernet0/0
 ip access-group BLOCKHTTP in
 ip inspect CBAC out

It will only allow http sessions that were created from the inside back in.

HTH,

John

HTH, John *** Please rate all useful posts ***

OK, I see. Can I have the router inspecting both the in and out directions on the outside interface for maximum security?

(Note: The ACL assigned to the outside interface is only explicitly allowing icmp, and since we use NAT, any pinholes to specific hosts for services. All other unallowed ports/protocols are implicitly denied.)

Thank you for taking the time to respond to all my questions.

You can have the same inspect rule applied to both outbound and inbound.

If your acl denies everything but icmp, you should be fine to have the inspect in the outbound direction only.

If you do "show ip inspect" and get nothing back, then you aren't really using the one that's applied now. If you have sessions established, then you are and I'd leave it the way that it is but also apply the inspect outbound on your public interface.

John

HTH, John *** Please rate all useful posts ***
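A complete CBAC arrangement of the kind John's HTTP example describes, with the inbound ACL the original poster outlined (icmp plus NAT pinholes) and the verification commands from the accepted solution. This is an added example, not a configuration from the thread or from Cisco; FW-INSPECT, OUTSIDE-IN, NAT-INSIDE, the interface roles and the 192.168.1.0/24 and 203.0.113.0/24 addresses are assumed placeholders.

```cisco
! Inspection rule: tracks sessions initiated from the inside so the
! return traffic is admitted without any "established" line in the ACL.
! FW-INSPECT, OUTSIDE-IN, NAT-INSIDE and all addresses are placeholders.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT dns
!
! Outside ACL: only explicitly allowed unsolicited traffic gets in.
! Return traffic for inside-initiated sessions is admitted by the CBAC
! session table, which is checked before this ACL's implicit deny.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark NAT pinhole for an inside mail server (203.0.113.10 is a documentation address)
 permit tcp any host 203.0.113.10 eq 25
 deny ip any any log
!
! Inside network is PATed behind the outside interface address;
! the mail server gets a static mapping that matches the pinhole above.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.25 25 203.0.113.10 25
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
 ip nat outside
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Verify from exec mode once inside hosts have browsed for a while:
!   show ip inspect config        -> rule contents and the interface/direction it is applied to
!   show ip inspect sessions      -> one entry per inside-initiated session
!   show access-lists OUTSIDE-IN  -> hit counts; unsolicited inbound lands on the final deny
```

If "show ip inspect sessions" stays empty while inside users are browsing, the rule is applied in the wrong direction (or under the wrong name) and return traffic is only getting through because of something else in the ACL.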

JORGE RODRIGUEZ
Level 10

Ben,

You have to do a bit of reading; indeed it is different from that of PIX/ASA, they are different. Have a look at these few links. First have a look at IOS in the first link to understand the IOS feature packaging; I think it helps to get a better picture of the required IOS firewall & platforms etc.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html

General 2800 series data sheets etc. It will help to understand the 2801 platform better. It is good to have all the information you can on the 2801 when it comes to firewall and VPN throughputs etc. to prepare deployment of such.

http://www.cisco.com/en/US/products/ps5854/index.html

Then go to this page for all information about ZBF (Zone Based Firewall) IOS requirements, design guides etc. When you go to downloads in the software advisory, select the Firewall feature set.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html

Regards

Jorge Rodriguez

Thank you, Jorge. I was unable to use the third link you provided (503 forbidden).

I am running the 12.4 mainline IOS with the Advanced Security feature set. Are you saying that I need a different feature set or that I need to run the 12.4T IOS family?
