Cisco Support Community

New Member

The inside network is accessible only through IPsec, do I need to enable IOS FW?

I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unencrypted access to the internet. Should I still configure the ISR firewall? If so, why?

1 ACCEPTED SOLUTION
Silver

Well, if you didn't configure the IOS firewall, then it will not affect anything.
Furthermore, even if you did configure the classes for the FW, if you didn't apply it to the interface it will still not affect anything.

 

4 REPLIES
Silver

If I get your setup correctly imagined (haha)
Anyway, it really depends on you:

However, for a full-tunnel setup, which I think you have set up there, you can enable it for better QoS and basic site blocking as well.

For split-tunnel, then configure it in your remote site.
Stateless firewall configuration in IOS really is handy, though reporting-wise, it's not that friendly.
The best part of the stateless firewall is that it can be content-based.
 

EX:

class-map match-any FILTER
  match protocol http host *yahoo*
  match protocol facebook
  match protocol youtube

! URL category class (requires the content-filtering subscription; the
! "match url category" form belongs to the Trend Micro urlfilter class type)
! class-map type urlfilter trend match-any CONTENT_DROP
!   match url category Adult-Mature-Content

There are more protocols as well, and (I think) even P2P protocols can be blocked (uTorrent, BitTorrent, etc.).

Content filtering, however, is a subscription license and needs to be registered/enabled.

SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html

 

Silver

Oops, just did a bit of research and it looks like content filtering on IOS is EOS/EOL.

http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-698205.html

 

But hey, at least the URL filtering feature is still available :D

New Member

Thanks for the reply, but you're missing the point.

There is zero access to the internet from Inside. The servers can only talk to the main servers at headquarters via IPsec.

There is only one protocol suite that goes through the router, IPSec.

I will have SSH into the router.   That's all there is.

I don't think the IOS FW will add anything above the ACLs, yes?
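As an added illustration of the ACL-versus-IOS-firewall question raised in this thread (this is constructed configuration, not from any post above and not Cisco's own example): the block below expresses the same policy, nothing but IPsec with the HQ peer plus SSH for management, first as a plain interface ACL and then as a zone-based firewall with a VTI, so the difference between the two is visible side by side. The interface names, the peer address 203.0.113.10, the HQ address range 10.0.0.0/8, the IPsec profile name HQ-PROFILE, and the assumption that SSH arrives through the tunnel from HQ are all assumptions of the example.

```cisco
! Added example (not from the thread). Assumed topology:
!   GigabitEthernet0/0 = outside (internet), GigabitEthernet0/1 = inside LAN
!   203.0.113.10      = HQ IPsec peer
!   10.0.0.0/8        = HQ networks reached through the tunnel
!   HQ-PROFILE        = an existing IPsec profile (IKE policy/transform set omitted)
!
! --- Option A: interface ACL only (what the question describes) ---
! Stateless: each packet is judged on its own, and nothing looks at the
! traffic that comes out of the tunnel after decryption.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.10 any
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! --- Option B: zone-based firewall with a VTI ---
! The tunnel interface gets its own zone, so decrypted HQ traffic is
! policed separately from the raw outside interface, and the self zone
! limits what the router itself will answer.
zone security INSIDE
zone security OUTSIDE
zone security VPN
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HQ-PROFILE
 zone-member security VPN
!
! IKE/ESP in either direction with the HQ peer. ESP cannot be inspected,
! so it is passed, and the same class is used for both self-zone directions.
ip access-list extended IPSEC-PEER
 permit esp host 203.0.113.10 any
 permit esp any host 203.0.113.10
 permit udp host 203.0.113.10 any eq isakmp
 permit udp any host 203.0.113.10 eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
!
ip access-list extended SSH-FROM-HQ
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
!
class-map type inspect match-all IPSEC-CTRL
 match access-group name IPSEC-PEER
class-map type inspect match-all SSH-MGMT
 match access-group name SSH-FROM-HQ
 match protocol tcp
class-map type inspect match-any LAN-APPS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IPSEC-ONLY
 class type inspect IPSEC-CTRL
  pass
 class class-default
  drop log
policy-map type inspect MGMT-ONLY
 class type inspect SSH-MGMT
  inspect
 class class-default
  drop log
policy-map type inspect LAN-TO-HQ
 class type inspect LAN-APPS
  inspect
 class class-default
  drop log
!
! Router as a target: only IKE/ESP from the outside, only SSH from HQ via the tunnel.
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect IPSEC-ONLY
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect IPSEC-ONLY
zone-pair security VPN-SELF source VPN destination self
 service-policy type inspect MGMT-ONLY
! Hosts: stateful inspection between the LAN and the tunnel. No INSIDE<->OUTSIDE
! zone pair exists, so any cleartext path between them is dropped by default.
zone-pair security IN-VPN source INSIDE destination VPN
 service-policy type inspect LAN-TO-HQ
zone-pair security VPN-IN source VPN destination INSIDE
 service-policy type inspect LAN-TO-HQ
```

The practical difference is the part after decryption: with Option A the ACL has already done its work before the packet is decrypted, so whatever HQ sends through the tunnel reaches the LAN unfiltered, while Option B keeps per-session state on that traffic and drops anything not in LAN-APPS. `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm which pairs are applied and which sessions are open.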

