Inspect firewall on router with securityk9

ibasarif
Level 1

Hi,

I have a question, is it better to put ip inspect firewall in on LAN interface or put it on interface facing internet with ip inspect firewall out?

Thank you 

6 Replies

I always put it on the internet-facing interface in the outgoing direction. That gives you the possibility to also inspect router-generated traffic like pinging to the internet for troubleshooting, sending NTP or DNS to the internet or registering the router with DynDNS (and so on):

! CBAC inspection rule FW; 'router-traffic' also tracks the router's own sessions
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic

Although much more complex, you should also familiarise yourself with the zone-based firewall, as CBAC (the "ip inspect" based firewall) is not supported any more in recent IOS versions and platforms.

@Karsten Iwen 

Thank you for your reply, so I put the command on the interface facing the internet with:

ip inspect firewall out

and create a standard ACL to protect against incoming traffic with deny any any.

Please confirm if these are the correct settings.


Thank you

I would directly use an extended ACL instead of a standard ACL. That way you are prepared in case you want to allow incoming connections with more flexibility.

@Karsten Iwen 


Thank you. If you don't mind, would you give me a really short and good example of an extended ACL that can protect the inside network, and where to apply it, please?

Thank you again


! CBAC inspection rule FW; 'router-traffic' also tracks the router's own sessions
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
!
! Static filter for unsolicited inbound traffic: only the VPN port is opened
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.10 eq 443
 deny ip any any log
!
interface gig 0/1
 description Interface to the Internet
 ip address 192.0.2.10 255.255.255.248
 ip inspect FW out
 ip access-group OUTSIDE-IN in

In this example the outside interface allows TCP and UDP/443 for VPN but the ACL denies the rest. Connections initiated in the outbound direction enter the firewall's state table and the reply packets are also allowed in.
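To make the interaction between the state table and the static ACL concrete, here is a small simulation written for this thread (it is not code from the post or from Cisco IOS). It models an inbound packet on gig 0/1 being checked first against the sessions that "ip inspect FW out" recorded from outbound flows, then against OUTSIDE-IN; NAT is ignored, and all addresses and packets are constructed samples.

```python
# Added simulation of the accepted answer's setup: inbound packets on gig 0/1
# hit the CBAC session table first, then the static ACL OUTSIDE-IN.
# NAT is ignored; every packet below is a constructed sample.
from dataclasses import dataclass

ROUTER_IP = "192.0.2.10"  # outside address used in the thread's config

# OUTSIDE-IN as posted: (protocol, destination, port, action); 'any' matches all
OUTSIDE_IN = [
    ("tcp", ROUTER_IP, 443, "permit"),
    ("udp", ROUTER_IP, 443, "permit"),
    ("ip", "any", None, "deny"),  # 'deny ip any any log'
]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def acl_decision(pkt, acl=OUTSIDE_IN):
    """First-match evaluation of the static ACL, implicit deny at the end."""
    for proto, dst, dport, action in acl:
        if proto not in ("ip", pkt.proto) or (dst != "any" and dst != pkt.dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

class CbacFirewall:
    def __init__(self, router_traffic=True):
        self.router_traffic = router_traffic  # 'router-traffic' keyword given?
        self.sessions = set()  # 5-tuples of inspected outbound flows

    def outbound(self, pkt):
        """'ip inspect FW out': remember the flow so its replies get back in."""
        if pkt.src == ROUTER_IP and not self.router_traffic:
            return False  # router-generated traffic is not inspected without it
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        """A reply to a known session wins; anything else is left to the ACL."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (session)"
        return acl_decision(pkt)
```

Dropping the "router-traffic" keyword shows the point Karsten made earlier: the router's own NTP or DNS replies then fall through to the ACL and are logged as denied.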

@Karsten Iwen 

Thank you so much! This is very helpful, much appreciated.
