06-29-2012 10:41 AM - edited 03-11-2019 04:24 PM
With Julio Carvajal Segura
Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Based Firewall, Intrusion Prevention Systems, and Context-Based Access Control) more secure.
Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.
Remember to use the rating system to let Julio know if you have received an adequate response.
Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
07-03-2012 07:02 AM
Hi Julio,
After I configured the ZBFW or the CBAC feature my VPNs were down. How can I resolve this?
Thank you
John
07-03-2012 09:44 AM
Hello John,
Hope you are doing great
Now, regarding your query: if you configure the ZBFW using the SDM, you will have the inside, outside and self zones configured.
That being the case, you will need to allow traffic on UDP port 4500 (NAT-T) and UDP port 500 (ISAKMP) to the interface where the crypto map is applied (self zone).
I would say that is the problem, but just in case, remember to allow traffic from the inside zone to the outside zone from your local LAN to the destination LAN. Same thing from outside to inside.
If you want, you can post your configuration and I can make the changes to make it work.
Regards,
Julio
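To put the previous answer into concrete configuration, here is an added example of a ZBFW policy that lets an IPsec tunnel terminate on the router's self zone and then permits the decrypted LAN-to-LAN traffic. This is not configuration from the thread; interface names, zone names, ACL names and the 192.168.1.0/24 and 192.168.2.0/24 networks are assumptions.

```ios
! Added example, not from the original post. Assumptions: Gi0/0 faces the LAN,
! Gi0/1 faces the internet and carries the crypto map.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! IKE (UDP 500), NAT-T (UDP 4500, keyword non500-isakmp) and ESP are
! destined to the router itself, so they belong to the OUTSIDE -> self pair.
ip access-list extended IPSEC-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-any IPSEC-TO-SELF
 match access-group name IPSEC-TO-SELF
!
! ESP carries no L4 state the firewall can track, so use "pass", not "inspect".
! class-default drop also blocks ICMP/SSH from the outside to the router;
! add a class for management traffic first if you rely on it.
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect IPSEC-TO-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
! No self -> OUTSIDE zone-pair is defined, so router-originated replies
! (IKE responses, ESP) keep the self zone's default permit behaviour.
!
! The decrypted traffic still crosses INSIDE <-> OUTSIDE and needs its own
! policy. "inspect" is stateful, so return traffic of inside-initiated
! sessions is allowed automatically; remote-initiated sessions need the
! second zone-pair below.
ip access-list extended VPN-LANS
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
class-map type inspect match-all VPN-LANS-CMAP
 match access-group name VPN-LANS
policy-map type inspect VPN-LANS-PMAP
 class type inspect VPN-LANS-CMAP
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect VPN-LANS-PMAP
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect VPN-LANS-PMAP
```

Verify with `show policy-map type inspect zone-pair sessions`; a tunnel that builds but passes no data usually means the INSIDE/OUTSIDE pairs, not the self-zone pair, are dropping the decrypted packets.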
07-03-2012 01:30 PM
"After I configured the ZBFW or the CBAC feature my VPN's were down, how can I resolve this?"
Hi John,
In your ACL for CBAC, which you have applied on the outside interface, please create two permit lines as shown below; xxx.xxx.xxx.xxx is assumed to be your public IP address.
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx
Hope that helps.
thanks
Rizwan Rafeek
07-04-2012 07:52 AM
Hi Julio,
My company has recently deployed VCS around an established ASA 5510 service. The firewall traversal element is working perfectly for H.323 calls, but SIP seems to fail for no clear reason. The traversal zone is active, but if I call from a SIP UI registered to Cisco Expressway it cannot call the UI of a device on the inside. I have allowed the VCS Control (through ACLs) to connect to any device on the outside, but calls still seem to fail. Do you have any pointers to help me resolve this problem, please?
Thanks
James
07-04-2012 08:45 AM
Hello James,
This Ask the Expert is focused on IOS routers, but I will still help with this.
So basically the problem is SIP across the ASA.
Do you already have inspection enabled for the SIP protocol?
Are you using a static one-to-one NAT translation for the VCS Control?
Regards,
07-05-2012 02:33 PM
Hi Julio,
In my recent experience I have used ASAs as edge devices. But after seeing some of the features on a router, I would like to replace my ASAs with Cisco routers.
I have seen some routers which have built-in firewall features based on the firmware.
What are your thoughts on this? Which of the new routers, and which firmware, would you recommend for firewall features together with routing capabilities?
07-05-2012 03:35 PM
Hello John,
Nice question.
That is correct; some of the IOS devices come with a built-in IPS sensor, as an example, that you could use to secure your network perimeter.
One of the other advantages, from my perspective, would be that the IOS router supports routing protocols in a more extended way than the ASA.
The router supports Policy-Based Routing (routing based on source IP addresses).
The router does QoS in a more extended way than the ASA, etc.
The thing is that by default the router is not a security device, so we will need to configure it in a way that it can protect our network.
If you ask me what I prefer (ZBFW or CBAC, which are the two firewall options built into an IOS router):
I would recommend ZBFW 100%, which lets you be more flexible with your actions in security policies (you can be as granular as you want).
Now, regarding firmware, you should go to the latest versions, as they will provide new features and will fix previous bugs in the code.
ZBFW is supported after 12.4(6)T6, but if you use code 15.1(2) you will have additional features like support for IPv6, or if you go to IOS Release 15.0(1)M you will have intra-zone policies, etc.
Hope I could help,
PS: For monitoring and troubleshooting, the ASA is the best option on the market in the security area.
The ASA is capable of having a local-host table, a conn table to correlate events, etc.
Julio
Cisco TAC engineer.
07-09-2012 08:18 AM
Hi Julio,
I wonder how I can statefully inspect RDP sessions using an IOS router? Can you comment on this?
Thanks,
Carlos
07-09-2012 08:39 AM
Hello Carlos,
We need to configure the following in order to make the router able to inspect RDP sessions, as this protocol uses a non-standard port.
This can be done using ip port-map (user-defined application names must start with "user-"):
ip port-map user-rdp port tcp 3389
class-map type inspect RDP
 match protocol user-rdp
policy-map type inspect RDP
 class type inspect RDP
  inspect
That should make the router firewall able to statefully inspect RDP.
There is another option: instead of using the ip port-map command, we can make it work by matching on an ACL:
ip access-list extended RDP
 permit tcp any any eq 3389
class-map type inspect RDP
 match access-group name RDP
policy-map type inspect RDP
 class type inspect RDP
  inspect
Hope I could help,
Julio
07-10-2012 07:13 AM
Hello Julio:
I would like to mount a cluster of two routers running CBAC and SSO to implement the Stateful Failover High Availability concept, as shown in http://www.cisco.com/en/US/prod/collateral/routers/ps5855/white_paper_c11_472858.html.
Actually, the documentation mentions the support for only one inside and one outside interface, and the standby router taking over if either of these interfaces on the active router goes down.
Is it possible to extend this concept to a cluster with at least three interfaces on each router?
Your kind answer will be greatly appreciated.
Best regards...
Rogelio Alvez
Argentina
07-10-2012 11:56 AM
Hello Rogelio,
Is it possible to extend this concept to a cluster with at least three interfaces on each router?
A: It is possible to have a stateful IOS cluster with the firewall enabled. You will be able to monitor three different interfaces using HSRP and SSO.
Now, to improve the performance of your firewall, you can apply an inspection policy to only one interface (this could be done by applying it to the outside interface).
Let me know if this answers your question.
Regards,
Julio
07-10-2012 12:49 PM
Hello Julio,
I tried to configure CBAC on the IOS flash:c2800nm-advipservicesk9-mz.124-3g.bin. After configuring CBAC my internet connection is very slow, with no video, especially with YouTube.
From inside to outside I have permitted everything: permit tcp any any and permit udp any any.
07-10-2012 02:07 PM
Hello Clark,
Can you share the CBAC configuration you have? I would also like to see the logs generated by the IOS router.
To be able to generate the logs from the firewall, please set the following command:
ip inspect log drop-pkt
With the logs we will be able to see if this happens because of a deep packet inspection problem, out-of-order packets, etc.
Regards,
Julio
07-11-2012 05:51 AM
Thank you very much Julio.
Best regards, Rogelio