I work in healthcare and our rules on access through our WAN/Internet connections are quite strict. We do however have one issue I've not been able to work around.
We are using Cisco ISR's (this example a 2851) all with enabled firewall and IPS.
For outbound traffic, I can create a rule on the access list and traffic is permitted out, and the return traffic is permitted inbound.
However if I create a rule for inbound traffic, the ISR is not creating the dynamic rule for the return traffic, and I'm having to manually add a matching outbound rule for every inbound connection. Is there any way around this other than having permit ip any any as the last rule, which I'm not permitted to do.
We need a little more information to assist here. IOS FW on ISRs can use either the historical inspect statements where you apply the inspect to an interface, or the new zone-based FW.
If you are applying the inspection to an interface, for inbound traffic, you would need to inspect inbound on the outside interface. For outbound traffic you would inspect outbound on that same interface.
This provides you with DoS protection for the inbound traffic, as well as opening up the ACLs to allow the reply traffic (from the inbound connections - assuming you have an ACL applied to your inside interface).
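An added configuration example (not the poster's or the answerer's config) of the interface-based inspection the reply describes: one inspect rule applied inbound and one applied outbound on the outside interface, with ACLs on both interfaces. Interface names, the 10.0.0.0/24 LAN and the published HTTPS server 10.0.0.10 are assumed placeholders.

```cisco
! Added example. Interfaces, addresses and ACL names are assumptions, not from the thread.
! Classic IOS FW (CBAC): sessions seen by an inspect rule are tracked statefully and
! their return traffic is opened through the ACL on the other interface dynamically,
! so no manually mirrored entry is needed for each inbound connection.

! Half-open session thresholds give the DoS protection mentioned in the reply.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp max-incomplete host 50 block-time 1

ip inspect name OUTSIDE_IN tcp
ip inspect name OUTSIDE_IN udp
ip inspect name OUTSIDE_OUT tcp
ip inspect name OUTSIDE_OUT udp

! Outside ACL: only the published service may be initiated from the Internet.
! Replies to outbound sessions are permitted dynamically by OUTSIDE_OUT inspection.
ip access-list extended OUTSIDE_ACL_IN
 permit tcp any host 10.0.0.10 eq 443
 deny   ip any any log

! Inside ACL: what the LAN may initiate. Replies from 10.0.0.10 to the inbound HTTPS
! sessions are permitted dynamically by OUTSIDE_IN inspection; no permit ip any any.
ip access-list extended INSIDE_ACL_IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 permit udp 10.0.0.0 0.0.0.255 any eq 53
 deny   ip any any log

interface GigabitEthernet0/0
 description OUTSIDE (Internet)
 ip access-group OUTSIDE_ACL_IN in
 ip inspect OUTSIDE_IN in
 ip inspect OUTSIDE_OUT out

interface GigabitEthernet0/1
 description INSIDE (LAN)
 ip access-group INSIDE_ACL_IN in

! Verification after an inbound HTTPS connection is made:
! show ip inspect sessions
! show ip inspect interfaces
```

`show ip inspect sessions` should list the inbound connection to 10.0.0.10 as an established session; if it does not, the inbound inspect rule is not bound to the outside interface and the return traffic will still be dropped by the inside ACL.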