Cisco Support Community
New Member

How to access the IOS firewall feature set

A new router, a 2811 VSEC-CCME/K9, was shipped from Ingram. It is supposed to have a firewall feature set and encryption, but I don't see all that on the IOS. When I do show version I see "flash:c2800nm-advipservicesk9-mz.124-3i.bin". How do I access the security bundle?

1 ACCEPTED SOLUTION

Re: How to access the IOS firewall feature set

You need to configure it (see CBAC).

http://cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

To check whether the encryption card is being recognized by IOS:

RTR3825-1#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
Product Name: AIM-VPN/SSL-3
Software Serial #: 55AA
Device ID: 001F - revision 0000
Vendor ID: 0000
Revision No: 0x001F0000
VSK revision: 0
Boot version: 255
DPU version: 0
HSP version: 3.4(1) (PRODUCTION)
Time running: 6w1d
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 2000
Maximum SA index: 2000
Maximum Flow index: 4000
Maximum RSA key size: 2048

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 01100200
Time running: 3777585 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0500
Maximum SA index: 0500
Maximum Flow index: 1000
Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: B01D79DE
crypto engine state: installed
crypto engine in slot: N/A

HTH

6 REPLIES

New Member

Re: How to access the IOS firewall feature set

This is the output when I run this command:

show crypto engine brief?
brief
GantechRtr#show crypto engine brief ?
  | Output modifiers
GantechRtr#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.2.0
Firmware Version: v2.2.0
Time running: 10989 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0300
Maximum SA index: 0300
Maximum Flow index: 2400
Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: A5EFE61B
crypto engine state: installed
crypto engine in slot: N/A

In the running config I don't see the firewall features such as fixup and encryption key.

Re: How to access the IOS firewall feature set

The VPN encryption card is there and seen by the router. You need to configure the CBAC firewall, fixups, IPS, etc. The link above should help.

New Member

Re: How to access the IOS firewall feature set

Thank you, I will check it out.

Abye

Hall of Fame Super Silver

Re: How to access the IOS firewall feature set

abye

The encryption key is not stored in the config, so you do not see it in the config.

While fixup was the language of the PIX firewall for a long time, that has changed and is now "inspect". Your firewall software on the router will have ip inspect commands, which you will use as part of configuring the router to perform stateful inspection of traffic as part of the firewall feature set implementation.

HTH

Rick
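A minimal CBAC configuration of the kind Rick describes, added here as an illustration and not taken from anyone's post in the thread. The inspect rule name, the ACL name, the addressing and the inside/outside interface assignment (FastEthernet0/0 inside, FastEthernet0/1 outside on a 2811) are assumptions.

```cisco
! --- Inspection rule: which protocols the router tracks statefully ---
! (rule name CBAC-FW is assumed)
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
ip inspect name CBAC-FW http
ip inspect name CBAC-FW dns
! Log session open/close events to syslog so the firewall can be monitored
ip inspect audit-trail
!
! --- Outside-facing ACL: block all unsolicited inbound traffic ---
! CBAC inserts temporary permit entries ahead of this ACL for the
! return traffic of sessions initiated from the inside, so nothing
! needs to be permitted here explicitly. (ACL name is assumed)
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! --- Inside interface: inspect traffic leaving the LAN ---
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC-FW in
!
! --- Outside interface: apply the restrictive ACL inbound ---
interface FastEthernet0/1
 description Outside / Internet (assumed)
 ip address dhcp
 ip access-group OUTSIDE-IN in
!
! Verification commands once traffic is flowing:
!   show ip inspect config     - confirms the rule and where it is applied
!   show ip inspect sessions   - lists sessions CBAC is currently tracking
```

The inspect rule goes inbound on the trusted interface and the deny-everything ACL inbound on the untrusted one; with both in place, `show ip inspect sessions` should list an entry for each outbound connection the LAN opens.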
