02-26-2013 08:37 PM - edited 03-11-2019 06:06 PM
Hi all,
it turns out I have a router with a security bundle enabled.
I'm trying to read up on this but the amount of information on the internet is becoming somewhat overwhelming.
The running config of the router looks fairly simple, with a number of standard and extended access lists and some natting rules, and pptp vpn configs..
Can someone advise what exactly I'm able to do with this security bundle, and what it's lacking when comparing it with having an actual ASA?
I'm just studying for a CCNA so my knowledge is very limited, but by the looks of things there's nothing in the router really that's configured that I wouldn't be able to do with the base config.
Are there any rules set up on the router that wouldn't show in the running config, but run in the background of the IOS in relation to the security bundle, or does everything need to be specified in order to be enabled? (that sounded like a really ridiculous question..)
02-26-2013 09:03 PM
What you can do on the router depends on its version, the hardware and the type of security bundle you have on it.
Routers can perform as security devices and can do incredible stuff; SOMETIMES they are better than an ASA.
The only difference between them, I would say, is that the ASA is a dedicated security device; routers aren't.
What is it that you want to configure on your unit?
02-26-2013 09:12 PM
hi, thanks for your reply..
I guess I'm trying to figure out whether we're actually using the security bundle of our router and whether it's actually acting as a firewall, or if it's acting as a router that has firewall capabilities......
I just had a look at show ver and it looks like this:
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1921/K9 FGL164526CA
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
data None None None
Configuration register is 0x2102
and the running configuration as follows:
Current configuration : 8364 bytes
!
! Last configuration change at 04:17:05 UTC Thu Feb 21 2013 by mmenga
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vicst-srcenter
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
!
!
multilink bundle-name authenticated
!
async-bootp dns-server xxx.xxx.xxx.xxx
async-bootp nbns-server xxx.xxx.xxx.xxx
vpdn enable
!
!
vpdn-group PPTP_WIN2KClient
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL123456CA
!
username name privilege 15 password 7 xxx
!
interface GigabitEthernet0/0
description WAN
ip address xxx.xxx.xxx.xxx x.x.x.x
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address xxx.xxx.xxx.xxx x.x.x.x
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1
description PPTP_VPN
ip unnumbered GigabitEthernet0/0
no ip redirects
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
peer default ip address pool DIAL-IN
compress mppc
ppp encrypt mppe auto passive
ppp authentication ms-chap ms-chap-v2
!
!
ip local pool DIAL-IN 192.168.1.10 192.168.1.20
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.1.23 9999
!
.....
then there's a whole bunch of extended/standard access lists, some configuration for line vty and console....
for example:
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.205 21 211.xx.xx.xx 21 extendable
!
scheduler allocate 20000 1000
end
02-26-2013 09:22 PM
Yeah, forgot to answer that question the first time.
When you get your router it will work as a router, period.
If you want it to go beyond its routing functions you have to manually configure it to do so.
So no, your router doesn't have any firewall or IPS features configured in it.
It's just a router with a basic router config.
02-26-2013 10:04 PM
Hi,
Is this based on my configuration or you mean router configs in general?
I'm trying to work out whether I am specifically covered based on the configs above, being that I have the security package.
From what I can see there are no firewall specific commands so I'm just confused.
02-26-2013 10:24 PM
Your configuration has no firewall configuration. It was mentioned in the previous post.
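An added example, not part of any post in this thread: one way to check the point made in the answers above, that a securityk9 license does not by itself put firewall or IPS commands in the running-config. The function names, the feature list and the zone-based firewall fragment are assumptions made for this illustration; the first sample reuses lines from the posted config.

```python
import re

# Stateful firewall / IPS commands appear in a running-config only once configured.
FEATURES = {
    "zone-based firewall": r"^\s*(zone security|zone-pair security|zone-member security"
                           r"|class-map type inspect|policy-map type inspect)\b",
    "CBAC": r"^\s*ip inspect\b",
    "IOS IPS": r"^\s*ip ips\b",
}
# An ACL only filters (statelessly) once it is bound to an interface.
ACL_BINDING = r"^\s*ip access-group\s+(\S+)\s+(in|out)\b"

# Lines copied from the running-config posted in the thread.
THREAD_EXCERPT = """\
interface GigabitEthernet0/0
ip nat outside
ip verify unicast reverse-path
ip nat inside source list 1 interface GigabitEthernet0/0 overload
"""

# Constructed sample: fragment of a zone-based firewall plus one bound ACL.
CONSTRUCTED_ZBF = """\
class-map type inspect match-any CM-OUT
policy-map type inspect PM-OUT
 class type inspect CM-OUT
  inspect
zone security INSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-OUT
interface GigabitEthernet0/1
 zone-member security INSIDE
 ip access-group 101 in
"""

def audit_running_config(text):
    """Return ({feature: [config lines]}, [(acl, direction), ...])."""
    found = {name: [] for name in FEATURES}
    bindings = []
    for line in text.splitlines():
        for name, pattern in FEATURES.items():
            if re.search(pattern, line):
                found[name].append(line.strip())
        m = re.search(ACL_BINDING, line)
        if m:
            bindings.append((m.group(1), m.group(2)))
    return found, bindings

def has_stateful_firewall(text):
    """True if any zone-based firewall, CBAC or IPS command is present."""
    return any(audit_running_config(text)[0].values())
```

Run it against the full output of `show running-config`; an empty result for every feature means the router is only routing, NATing and applying whatever ACLs are bound to interfaces.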