cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
216
Views
0
Helpful
3
Replies
Beginner

Question about capability of 2921 running 15.0(1)M5 with security and ipbase

I have a 2921 acting as the HUB of a DMVPN deployment.  I would like to apply an inbound acl to the tunnel interface to only allow the minimum ports necessary for the remote sites to communicate back to the data center.  This includes Active Directory traffic.  I'm very green with security, especially on this 2921.  I've done limited research on getting AD traffic through a firewall and my understanding of this is that the host communicates with the AD controller over a well-known port (mapper service) which then instructs the client to use a randomly generated port in a very large range for future communication with the AD controller.  This would then mean that the 2921 would need to be able to inspect this first traffic flow and then dynamically open up just the minimum  port(s) required to allow the host to talk to the AD controller.  Is my 2921 with the version/feature set its running capable of doing this?  If not, can it be made capable to do this with additional hw and/or licensing?

Thanks,

Steven                

3 REPLIES 3
Highlighted

Question about capability of 2921 running 15.0(1)M5 with securit

Hello,

You mean to be able to inpect trafffic and open the required pinholes?

It is, you can run the ZBFW in this box with not a problem at all,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted
Beginner

Question about capability of 2921 running 15.0(1)M5 with securit

I've been playing around with the "ip inspect" command and I've got things working partially.  There's a large list of well-known protocols available with the ip inspect command.  However, I cannot find the one for endpoint mapper (tcp/135).  How do I define endpoint mapper in an ip inspect profile?

Highlighted

Question about capability of 2921 running 15.0(1)M5 with securit

Hello,

So running CBAC.

Here is how to create a port-map definition to inspect traffic:

The example will use RDP:

ip port-map user-rdp3389 port tcp 3389

Then you could match the traffic and inspected!

In your case just use tcp 135

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC