07-18-2008 05:29 AM - edited 03-09-2019 09:07 PM
Hi All,
We are trying to deploy the firewall feature on a 2811 router using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and untrusted interfaces, and we did so. It added an access list inbound on the trusted interface and an ip inspect command on the untrusted interface.
Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually allowed permit ip any to the inside network block. Is that right?
We have another question: we would be having another interface on that router to connect to a different network and would prefer not to configure that interface as trusted or untrusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the untrusted interface?
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan
07-18-2008 09:58 AM
Hello Anantha,
"Also, initially we want to allow all traffic from the untrusted interface" That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). You can also manually permit some traffic that you trust.
"We have another question: we would be having another interface on that router to connect to a different network and would prefer not to configure that interface as trusted or untrusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the untrusted interface?"
If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to leave the other interfaces unset as trusted.
Regards
07-18-2008 10:07 AM
Hi,
Thank you very much for the answer ....
The background of this deployment is for one of our customers. They just want to enable CBAC and on day one want to permit all traffic in either direction. Later, it seems, they would be managing CBAC in such a way that it could effectively do stateful firewall inspection as you were mentioning.
Yes, we are planning to set the ip inspect on the outbound direction of the untrusted interface, and so, as per my understanding of your comment, we should be able to leave the other interface undefined. If this understanding is not correct, please let us know; otherwise, thank you very much for the help.
Regards
Anantha Subramanian Natarajan
07-18-2008 10:38 AM
Anantha,
"we should be able to leave the other interface undefined"
Yes you can! Leave them undefined. Setting an interface as "trusted" only adds an ACL inbound on that trusted interface which denies traffic that appears to be originated from other interface subnets, which is against spoofing attacks, and permits the rest of the traffic. This approach does not actually cause administrative overhead, so it is for your benefit to choose an interface as "trusted" or "untrusted", but since it has no relationship with inspection, you can leave them unset.
Regards
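The layout the two answers above describe, written out as an IOS configuration. This is an added example, not configuration from the thread or generated by SDM: interface names (FastEthernet0/0, 0/1, 0/2), the inspect rule and ACL names, and the addresses (203.0.113.0/29 outside, 192.168.1.0/24 inside, 10.10.10.0/24 for the undefined interface, 203.0.113.10 as a trusted management host) are assumptions chosen for illustration.

```cisco
! Stateful inspection rule: track TCP, UDP and ICMP sessions that leave the
! untrusted interface, so that only their return traffic is let back in.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! Inbound filter on the untrusted interface. Everything arriving from outside
! is denied unless CBAC has opened a dynamic entry for an inspected session.
! The first deny drops packets that claim to come from the inside subnet
! (anti-spoofing); the permit is the "traffic you trust manually" case from
! the answer above; the final deny logs whatever is dropped.
ip access-list extended OUTSIDE-IN
 remark drop packets spoofing the inside subnet (addresses assumed)
 deny   ip 192.168.1.0 0.0.0.255 any
 remark explicitly trusted inbound traffic, e.g. SSH from one management host
 permit tcp host 203.0.113.10 host 203.0.113.2 eq 22
 deny   ip any any log
!
! Anti-spoofing filter applied inbound on the trusted interface: inside hosts
! must not send packets sourced from the outside subnet; everything else is
! permitted. This ACL is all that marking an interface "trusted" adds.
ip access-list extended INSIDE-IN
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/0
 description untrusted (outside) - assumed name and address
 ip address 203.0.113.2 255.255.255.248
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
interface FastEthernet0/1
 description trusted (inside) - assumed name and address
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
!
! Third interface left undefined: no ACL and no inspect rule of its own.
! Sessions its hosts open towards the outside still leave via FastEthernet0/0
! and are inspected there, and anything arriving from outside towards this
! network still has to pass OUTSIDE-IN.
interface FastEthernet0/2
 description other network (neither trusted nor untrusted) - assumed
 ip address 10.10.10.1 255.255.255.0
```

The day-one "permit ip any 192.168.1.0 0.0.0.255" line the original poster describes would sit in OUTSIDE-IN ahead of the final deny and would admit all outside traffic to the inside network whether or not a session exists, which is the point the first answer makes: with that line in place the inspect rule no longer decides what gets in. After applying the configuration, "show ip inspect sessions" lists the sessions CBAC is tracking and "show access-lists" shows hit counts on each entry, which is the quickest way to confirm that return traffic is being admitted by inspection rather than by a static permit.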
07-18-2008 01:01 PM
Thank you very much
07-18-2008 03:43 PM
You are welcome and thanks for rating :)
07-18-2008 08:09 PM
Thank you and the response was really helpful