Deploying IOS firewall feature set

anasubra_2
Level 1

Hi All,

We are trying to deploy the firewall feature set on a 2811 router by using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and untrusted interfaces, and we did the same. It added an access list inbound on the trusted interface and an ip inspect command on the untrusted interface.

Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually allowed permit ip any to the inside network block. Is that right?

We have another question: we would be having another interface on that router to connect to a different network, and we would preferably not want to configure that interface as trusted or untrusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface, or also the untrusted interface?

Any help would be really appreciated

Thanks

Regards

Anantha Subramanian Natarajan


6 Replies

husycisco
Level 7

Hello Anantha,

"Also, initially we want to allow all traffic from the untrusted interface" That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you can also manually permit some traffic that you trust.

"We have another question: we would be having another interface on that router to connect to a different network, and we would preferably not want to configure that interface as trusted or untrusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface, or also the untrusted interface?"

If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to leave the other interfaces unset as trusted.

Regards

Hi,

Thank you very much for the answer ....

The background of this deployment is for one of our customers; they just want to enable CBAC and on day one want to permit all traffic in either direction. Later, it seems, they would be managing the CBAC in such a way that it effectively provides stateful firewall inspection, as you were mentioning.

Yes, we are planning to set the ip inspect on the outbound direction of the untrusted interface, and so, as per my understanding from your comment, we should be able to leave the other interface undefined. If this understanding is not correct, please let us know; otherwise, thank you very much for the help.

Regards

Anantha Subramanian Natarajan

Anantha,

"we should be able to leave the other interface undefined"

Yes, you can! Leave them undefined. Setting an interface as "trusted" only adds an ACL inbound on that trusted interface which denies traffic that appears to be originated from other interface subnets (which is against spoofing attacks) and permits the rest of the traffic. This approach does not actually cause administrative overhead, so it is for your benefit to choose an interface as "trusted" or "untrusted", but since it has no relationship with inspection, you can leave them unset.

Regards
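As an added example, not configuration from the thread or from SDM's own output, here is the shape of the setup husycisco describes: the inspection rule applied outbound on the untrusted interface, a default-deny inbound ACL on it, the anti-spoof inbound ACL that marking an interface "trusted" produces, and a third interface left unset. Interface names and addresses are assumed for illustration.

```cisco
! Added example (not from the thread): Fa0/0 is the untrusted/outside
! interface, Fa0/1 the trusted/inside LAN, Fa0/2 a third network left
! unset. Interface names and subnets are assumed for illustration.
!
! Inspection rule: CBAC tracks sessions leaving Fa0/0 and opens
! temporary holes for their return traffic only.
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
ip inspect audit-trail
!
! Inbound ACL on the untrusted interface: deny by default. A blanket
! "permit ip any 192.168.1.0 0.0.0.255" here is the day-one shortcut the
! thread warns against; it makes the inspection rule pointless.
ip access-list extended OUTSIDE-IN
 remark anti-spoof: inside subnet must never arrive from outside
 deny   ip 192.168.1.0 0.0.0.255 any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Inbound ACL on the trusted interface (what SDM adds for "trusted"):
! drop sources that belong to other interface subnets, permit the rest.
ip access-list extended INSIDE-IN
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.10.10.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/0
 description untrusted / outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-FW out
!
interface FastEthernet0/1
 description trusted / inside
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
!
interface FastEthernet0/2
 description third network, left neither trusted nor untrusted
 ip address 10.10.10.1 255.255.255.0
!
! Fa0/2 carries no ACL and no inspect statement: its sessions toward the
! outside still exit via Fa0/0 and are inspected there, so replies get
! back in, while unsolicited outside traffic is dropped by OUTSIDE-IN.
! Traffic from Fa0/2 to the inside LAN is not filtered at all, so add
! an inbound ACL on Fa0/2 if that network should not reach it freely.
```

Verify with `show ip inspect sessions` while a host on the inside opens a connection outward: the session appears there, and `show ip access-lists OUTSIDE-IN` shows the matching dynamic entry that CBAC inserted for the return traffic.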

Thank you very much

You are welcome and thanks for rating :)

Thank you and the response was really helpful
