860VAE-k9 ISR Firewall

tony.elrassy
Level 1

Hello, 

I am setting up a new 860VAE-k9 ISR for a residential camp. Is the firewall enabled in it by default, or should I configure any rules in order to inspect the packets (basic protection needed)? All the traffic is basically due to browsing, streaming, torrents...

#sh version

Cisco IOS Software, C860 Software (C860VAE-ADVSECURITYK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 21:09 by prod_rel_team

ROM: System Bootstrap, Version 15.1(4r)M2, RELEASE SOFTWARE (fc1)

Talatona-01 uptime is 2 hours, 59 minutes
System returned to ROM by power-on
System image file is "flash:c860vae-advsecurityk9-mz.152-4.M5.bin"

Thanks in advance

Tony


Luke Oxley
Level 1
Hi [@tony.elrassy],
Thanks for your post. By default, the router is not natively a stateful or stateless firewall; we must tell it if we would like it to function as anything beyond that. If you are NAT'ing, however, this will add a basic layer of security.
Ensuring you have out-of-band connectivity to the device, I'd recommend creating an inspection list for HTTP, HTTPS, ICMP, TCP and UDP and then assigning this in an outbound direction on the outside/WAN/north facing interface(s) of the router, such as the dialer. This will allow egress traffic to be statefully inspected and allowed in return by the implied rules in the access control list we will be creating.
Now create an extended access control list named something like "outside_access_in". Add in any rules to the access control list for inbound services, such as any rules for inbound DNATs or SSH management. By default, this access control list will have an implicit deny at the end. This access control list should then be applied in an inbound direction on the outside/WAN/north facing interface(s) of the router.
Please let me know if you require command by command instructions, though most information you need should be available online.

Kind regards,
Luke Oxley

Please rate helpful posts and mark correct answers.
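The inspection list and inbound access list Luke describes, written out as an added IOS configuration example (this is not Luke's own command set or a Cisco-supplied template); the interface name Dialer0, the list name OUTBOUND_INSPECT, the addresses 198.51.100.10 (trusted admin host) and 203.0.113.5 (public address of a published camera) are placeholders, and the use of the http/https/icmp/tcp/udp inspect keywords on this 15.2(4)M image is an assumption:

```cisco
! --- Stateful (CBAC) inspection of traffic leaving towards the WAN ---
! Protocol list is the one Luke recommends; tcp/udp catch everything
! not covered by the application-aware http/https/icmp entries.
ip inspect name OUTBOUND_INSPECT http
ip inspect name OUTBOUND_INSPECT https
ip inspect name OUTBOUND_INSPECT icmp
ip inspect name OUTBOUND_INSPECT tcp
ip inspect name OUTBOUND_INSPECT udp
! Log packets CBAC drops so blocked inbound attempts are visible (optional)
ip inspect log drop-pkt
!
! --- What may initiate a connection from the Internet ---
! Applied inbound on the outside interface, so destinations are the
! public (outside global) addresses, not the private hosts behind NAT.
ip access-list extended outside_access_in
 remark SSH management only from the trusted admin host (placeholder)
 permit tcp host 198.51.100.10 any eq 22
 remark Example inbound DNAT: RTSP to a camera published by static NAT
 permit tcp any host 203.0.113.5 eq 554
 remark Everything else hits the implicit deny; return traffic for
 remark sessions opened from inside is admitted by the CBAC state table.
!
! --- Bind both to the outside/WAN interface ---
interface Dialer0
 ip access-group outside_access_in in
 ip inspect OUTBOUND_INSPECT out
!
! Verify: show ip inspect sessions   (dynamic entries created per flow)
!         show ip access-lists outside_access_in   (hit counts on rules)
```

Confirm out-of-band access before applying the `ip access-group` line, since an SSH session arriving from an address other than the permitted host is dropped once it is in place.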

OK, thanks Luke, I will give it a try tomorrow and report back.
