The inside network is accessible only through IPsec, do I need to enable IOS FW?

jimmyc_2 (Level 1)

I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unencrypted access to the internet. Should I still configure the ISR firewall? If so, why?

Accepted Solution

Well, if you didn't configure the IOS firewall, then it will not have any effect.
Furthermore, even if you did configure the classes for the FW, if you didn't apply it to the interface it will still have no effect.


4 Replies

LJ Gabrillo (Level 5)

If I have your setup correctly imagined (haha).
Anyway, it really depends on you:

However, for a full-tunnel setup, which I think you have set up there, you can enable it for better QoS and basic site blocking as well.

For split-tunnel, configure it in your remote site.
Stateless firewall configuration in IOS really is handy, though reporting-wise, it's not that friendly.
Best part of stateless firewall is it can be content based.
 

EX: 

class-map match-any FILTER
  match protocol http host *yahoo*
  match protocol facebook
  match protocol youtube

#class-map type urlfilter match-any CONTENT_DROP
  #match url category Adult-Mature-Content
 
There are more protocols as well, and (I think) even P2P protocols can be blocked (uTorrent, BitTorrent, etc.).

Content filtering, however, is a subscription license and needs to be registered/enabled.

SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html

 

Oops, just did a bit of research and it looks like content filtering on IOS is EOS/EOL:

http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-698205.html

 

But hey, at least the URL filtering feature is still available :D
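As an added example (not posted by anyone in this thread), here are the two pieces the question contrasts: the interface ACL the asker already relies on, which admits only IPsec and SSH, and a zone-based IOS firewall policy, which, as the accepted answer says, changes nothing until a zone-pair applies it. It assumes a VTI design (Tunnel0 carries the decrypted HQ traffic); the peer address 203.0.113.1, the management network 192.0.2.0/24 and the interface names are placeholders.

```cisco
! Added example, not from the thread. Assumed/placeholder values: HQ IPsec peer
! 203.0.113.1, management net 192.0.2.0/24, WAN Gi0/0, LAN Gi0/1, VTI Tunnel0.
!
! 1) What the asker already has: an inbound ACL on the WAN link that admits only
!    IKE (UDP 500), NAT-T (UDP 4500) and ESP from the HQ peer, plus SSH to the
!    router from the management network. Everything else is dropped and logged.
ip access-list extended WAN-IN
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! 2) What the IOS firewall adds on top: stateful inspection of the decrypted
!    traffic between the LAN and the tunnel. Defining the class-map and
!    policy-map alone has no effect (the accepted answer's point); the policy
!    only takes effect once the zone-pair below applies it to zoned interfaces.
zone security INSIDE
zone security VPN
!
class-map type inspect match-any HQ-APPS
 match protocol ssh
 match protocol https
!
policy-map type inspect LAN-TO-HQ
 class type inspect HQ-APPS
  inspect
 class class-default
  drop log
!
! Sessions the inside servers open towards HQ are inspected and their return
! traffic is allowed by state; sessions HQ initiates would need a second
! zone-pair (VPN -> INSIDE), which this example deliberately omits.
zone-pair security LAN-HQ source INSIDE destination VPN
 service-policy type inspect LAN-TO-HQ
!
interface GigabitEthernet0/1
 zone-member security INSIDE
!
interface Tunnel0
 zone-member security VPN
```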

Thanks for the reply, but you're missing the point.

There is zero access to the internet from Inside. The servers can only talk to the main servers at headquarters via IPsec.

There is only one protocol suite that goes through the router, IPSec.

I will have SSH into the router. That's all there is.

I don't think the IOS FW will add anything above the ACLs, yes?
