Need some advice for the CBAC Firewall on a Cisco 2851 Router

So I have this setup right now on the Router, so my question is: is this the proper way to do it?

Should I also have an ip inspect in?

And am I putting it on the correct interface?

ip inspect name fw dns
ip inspect name fw ftp
ip inspect name fw http
ip inspect name fw https
ip inspect name fw smtp
ip inspect name fw tcp
ip inspect name fw udp

And this is applied to the OUTBOUND Interface

interface GigabitEthernet0/1
 description PrimaryWANDesc_SPECTRUM$FW_OUTSIDE$$ETH-WAN$
 mac-address ***************
 ip address dhcp client-id GigabitEthernet0/1 hostname ******
 ip access-group 101 in
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect fw out
 ip virtual-reassembly in
 duplex auto
 speed auto
 ntp disable
 no cdp enable
 no mop enabled


Generally speaking, the inspect has to be applied in the direction of the initiating traffic. If you want to dynamically allow the return-traffic for your user's session, you can apply it inbound on your internal interface or outbound on your external interface.

I always configure it outbound on the outside interface (as you did) because of two reasons:

  1. All outbound traffic will flow through that interface regardless of the source interface.
  2. The inspect-rules for tcp/udp/icmp can be configured with the "router-traffic" keyword. With that, the router-generated traffic to the internet is also inspected.

Thanks for the reply.....so I did some reading:

Security Configuration Guide Context-Based Access Control Firewall, Cisco IOS Release 15M&T

And I am still kind of lost as to how to accomplish what you have suggested....

I mean I gather from what you are saying I have it right... but is there something else I should add or change?

I would only configure the following:

ip inspect name fw tcp router-traffic
ip inspect name fw udp router-traffic
ip inspect name fw icmp router-traffic
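
As an added example (not from this thread or from Cisco's own tooling), a small Python audit script that parses an IOS config fragment and reports the three points raised in the replies: inspection applied outbound on the "ip nat outside" interface, an inbound access-group on that interface, and the router-traffic keyword on the tcp/udp/icmp inspect rules. The config text embedded in it is constructed from the setup shown in this thread, and the function names are my own.

```python
import re

# Constructed IOS fragment modelled on the thread's setup, not a device dump.
SAMPLE_CONFIG = """\
ip inspect name fw tcp
ip inspect name fw udp
interface GigabitEthernet0/1
 ip access-group 101 in
 ip nat outside
 ip inspect fw out
"""

def parse_config(text):
    """Map inspect rule name -> {protocol: keywords} and interface -> sub-commands."""
    rules, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"ip inspect name (\S+) (\S+)(.*)", line)
        if m:  # global 'ip inspect name <rule> <proto> [options]'
            name, proto, rest = m.groups()
            rules.setdefault(name, {})[proto] = rest.split()
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:  # indented interface sub-command
            interfaces[current].append(line.strip())
    return rules, interfaces

def audit_cbac(text):
    """Check the three points from the thread on every 'ip nat outside' interface."""
    rules, interfaces = parse_config(text)
    findings = []
    for ifname, cmds in interfaces.items():
        if "ip nat outside" not in cmds:
            continue
        applied = [c.split() for c in cmds if c.startswith("ip inspect ")]
        if not any(len(a) > 3 and a[3] == "out" for a in applied):
            findings.append(f"{ifname}: no 'ip inspect <name> out' on outside interface")
        if not any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds):
            findings.append(f"{ifname}: no inbound access-group to drop unsolicited traffic")
        for a in applied:
            rule = rules.get(a[2], {})
            for proto in ("tcp", "udp", "icmp"):
                if proto not in rule:
                    findings.append(f"rule {a[2]}: no {proto} inspection")
                elif "router-traffic" not in rule[proto]:
                    findings.append(f"rule {a[2]}: {proto} lacks router-traffic")
    return findings
```

Run against the constructed config it reports the missing router-traffic keyword on tcp and udp and the absent icmp rule; with the three rules from the reply above it reports nothing.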

5 from me! I usually went for LAN interface IN, but it makes sense now to me in regard to the "router-traffic".