topic Re: 2801 - IOS as a firewall in Network Security

2801 - IOS as a firewall

olhcc — Mon, 11 Mar 2019 15:21:20 GMT

I just took a new job where I am being asked to use a 2801 router running ADV_SECURITY IOS as a firewall. What is the best pratice to make the router as much like a firewall as possible?

I thought that it was just setting up ACLs and then applying them to the outside interface, but the implicit deny ended up blocking all users' internet sessions!

Basically, I am trying to have the router behave like a fireall, where all traffic originating inside is allowed out, and all responses to that session are allowed back in. I want to block all other access but allow those on the inside network to use internet resources. Are reflexive ACLs the way to go?

I thought this was simple, since most of my experience is with PIX, but using IOS in this way has be stumped. Any links to config examples or articles would be much appreciated.

Re: 2801 - IOS as a firewall

John Blakley — Tue, 21 Apr 2009 20:42:54 GMT

You'll want to look into configuring CBAC. You'll place the inspect in the outbound direction on your public interface. Any traffic that's seen from your inside out creates a session in the session table (much like a PIX would), and it will allow this traffic back in.

Otherwise, if you want to use ACLs, you'll need to put in the last line "permit tcp any any established"

Here's a configuration guide for CBAC:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

HTH,

John

Re: 2801 - IOS as a firewall

JORGE RODRIGUEZ — Tue, 21 Apr 2009 20:45:15 GMT

Ben ,

you have a to do a bit reading, indeed it is different from that of PIX/ASA, they are different, have a look at these few links, first have a look at IOS in first link to understand the feature IOS packaging , I think it helps to get a better picture for required IOS firewall & platforms etc..

http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html

General 2800 series - DATA sheets etc.. it will help understand better the 2801 platform... good to have all information you can on the 2801 when it cames to firewall, VPN thoughtputs etc.. to prepare deployment of such.

http://www.cisco.com/en/US/products/ps5854/index.html

Then go to this page for all information about ZBF (Zone Based firewall) IOS

requirements, design guides etc.., when you go to downloads in software advisory

select Firewall Feature set

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html

Regards

Re: 2801 - IOS as a firewall

olhcc — Wed, 22 Apr 2009 13:30:54 GMT

John,

Our config already contains multiple inspect statements, such as:

"ip inspect name GW08 tcp"

Most major protcols are listed. Then, on the outside interface Fa0/0, I see "ip inspect GW08 in." Does this mean that CBAC is configured? If so, mut I still use the "tcp any any established" ACL command? Is this a best practice to have this command?

Re: 2801 - IOS as a firewall

olhcc — Wed, 22 Apr 2009 13:32:24 GMT

Thank you, Jorge. I was unable to use the third link you provided (503 forbidden).

I am running the 12.4 mainline IOS with the Advanced Security feature set. Are you saying that I need a different feature set or that I need to run the 12.4T IOS family?

Re: 2801 - IOS as a firewall

John Blakley — Wed, 22 Apr 2009 14:07:35 GMT

It's going in the wrong direction to protect your network 🙂 Change it to say:

ip inspect GW08 out

You won't need the established command if you're using inspects.

HTH,

John

Re: 2801 - IOS as a firewall

olhcc — Wed, 22 Apr 2009 14:22:18 GMT

OK, so I don't wan't the router inspecting packets coming *in* the outside interface? How is it a firewall if it's only inspecting what's going *out* the outside interface? What about making sure that nobody's coming in? Or is that implicit?

Re: 2801 - IOS as a firewall

John Blakley — Wed, 22 Apr 2009 14:27:32 GMT

It's a little different. The sessions are created based on the direction of the traffic. When you put it in the out direction, it inspects the traffic and adds it to the session table to allow the return traffic back in.

Example:

If you have your inspect inspecting HTTP:

ip inspect http

And you have your external access-list denying http traffic:

ip access-list ext BLOCKHTTP

deny tcp any any eq 80

int fa0/0

ip access-group BLOCKHTTP in

ip inspect out

It will only allow http sessions that were created from the inside back in.

HTH,

John

Re: 2801 - IOS as a firewall

olhcc — Wed, 22 Apr 2009 14:47:35 GMT

OK, I see. Can I have the router inspecting both the in and out directions on the outside interface for maximum security?

(Note: The ACL assigned to the outside interface is only explicitly allowing icmp, and since we use NAT, any pinholes to specific hosts for services. All other unallowed ports/protocols are implicitly denied.)

Thank you for taking to the time to respond to all my questions.

Re: 2801 - IOS as a firewall

John Blakley — Wed, 22 Apr 2009 14:55:52 GMT

You can have the same inspect rule applied to both outbound and inbound.

If your acl denies everything but icmp, you should be fine to have the inspect in the outbound direction only.

If you do "show ip inspect " and get nothing back, then you aren't really using the one that's applied now. If you have sessions established, then you are and I'd leave it the way that it is but also apply the inspect outbound on your public interface.

John