topic IOS Firewall in Network Security

IOS Firewall

allitnils — Tue, 12 Mar 2019 01:06:23 GMT

Hi all,

it turns out I have a router with a security bundle enabled.

I'm trying to read up on this but the amount of information on the internet is becoming somewhat overwhelming.

The running config of the router looks fairly simple, with a number of standard and extended access lists and some natting rules, and pptp vpn configs..

Can someone advise what exactly I'm able to do with this security bundle, and what it's lacking when comparing it with having an actual ASA?

I'm just studying for a CCNA so my knowledge is very limited, but by the looks of things there's nothing in the router really that's configured that I wouldn't be able to do with the base config.

Are there any rules set up on the router that wouldn't show in the running config, but run in the background of the IOS in relation to the security bundle, or does everything need to be specified in order to be enabled? (that sounded like a really ridiculous question..)

IOS Firewall

jocamare — Wed, 27 Feb 2013 05:03:13 GMT

What you can do on the router depends of its version, the hardware and the type of security bundle you have on it.

Routers can perform as security devices and can do incredible stuff, SOMETIMES are better than an ASA.

The only difference between them i would say, is that the ASA is a dedicated security device, routers aren't.

What's what you want to configure on your unit?

Re: IOS Firewall

allitnils — Wed, 27 Feb 2013 05:12:49 GMT

hi, thanks for your reply..

I guess I'm trying to figure out whether we're actually using the security bundle of our router and whether it's actually acting as a firewall, or if it's acting as a router that has firewall capabilities......

running ver looks like this:

. I just had a look at show ver and it looks like this:

License Info:

License UDI:

-------------------------------------------------

Device# PID SN

-------------------------------------------------

*0 CISCO1921/K9 FGL164526CA

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------

Technology Technology-package Technology-package

Current Type Next reboot

------------------------------------------------------------------

ipbase ipbasek9 Permanent ipbasek9

security securityk9 Permanent securityk9

data None None None

Configuration register is 0x2102

- See more at: https://supportforums.cisco.com/message/3867757#3867757

and the running configuration as follows:

Current configuration : 8364 bytes

! Last configuration change at 04:17:05 UTC Thu Feb 21 2013 by mmenga

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname vicst-srcenter

boot-start-marker

boot system flash c1900-universalk9-mz.SPA.151-4.M4.bin

boot-end-marker

aaa new-model

aaa authentication login default local

aaa authentication ppp default group radius local

aaa authorization network default if-authenticated

aaa session-id common

no ipv6 cef

ip source-route

ip cef

ip flow-cache timeout active 1

multilink bundle-name authenticated

async-bootp dns-server xxx.xxx.xxx.xxx

async-bootp nbns-server xxx.xxx.xxx.xxx

vpdn enable

vpdn-group PPTP_WIN2KClient

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

l2tp tunnel timeout no-session 15

crypto pki token default removal timeout 0

license udi pid CISCO1921/K9 sn FGL123456CA

username name privilege 15 password 7 xxx

interface GigabitEthernet0/0

description WAN

ip address xxx.xxx.xxx.xxx x.x.x.x

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

interface GigabitEthernet0/1

description LAN

ip address

xxx.xxx.xxx.xxx x.x.x.x

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

interface Virtual-Template1

description PPTP_VPN

ip unnumbered GigabitEthernet0/0

no ip redirects

ip nat inside

ip virtual-reassembly in

ip verify unicast reverse-path

peer default ip address pool DIAL-IN

compress mppc

ppp encrypt mppe auto passive

ppp authentication ms-chap ms-chap-v2

ip local pool DIAL-IN 192.168.1.10 192.168.1.20

ip forward-protocol nd

no ip http server

no ip http secure-server

ip flow-export source GigabitEthernet0/1

ip flow-export version 5

ip flow-export destination 192.168.1.23 9999

.....

then there's a whole bunch of extended/standard access lists, some configuration for line vty and console....

for example:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.1.205 21 211.xx.xx.xx 21 extendable

scheduler allocate 20000 1000

end

Re: IOS Firewall

jocamare — Wed, 27 Feb 2013 05:22:13 GMT

Yeah, forgot to answer that question the first time.

When you get your router it will work as a router, period.

If you want it to go beyond its routing functions you have to manually configure it to do so.

So no, your router doesn't have any firewall or IPS features configured in it.

It just a router with a basic router config.

Re: IOS Firewall

allitnils — Wed, 27 Feb 2013 06:04:36 GMT

Hi,

Is this based on my configuration or you mean router configs in general?

I'm trying to work out whether I am specifically covered based on the configs above, being that I have the security package.

From what I can see thee are no firewall specific commands so I'm just confused.

Re: IOS Firewall

jocamare — Wed, 27 Feb 2013 06:24:08 GMT

Your configuration has no firewall configuration. It was mentioned in the previous post.