07-20-2014 05:50 PM - edited 03-04-2019 11:22 PM
I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unencrypted access to the internet. Should I still configure the ISR firewall? If so, why?
07-20-2014 11:34 PM
If I get your set correctly imagined (haha)
Anyway, it really depends on you:
However, for a full-tunnel setup, which I think you have set up there, you can enable it for better QoS and basic site blocking as well.
For split-tunnel, then configure it in your remote site.
Stateless firewall configuration in IOS really is handy, though reporting-wise, it's not that friendly.
Best part of stateless firewall is it can be content based.
EX:
Content filtering, however, is a subscription license and needs to be registered/enabled.
SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html
07-20-2014 11:53 PM
Oops, just did a bit of research and it looks like content filtering on IOS is EOS/EOL.
http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-698205.html
But hey, at least the URL filtering feature is still available :D
07-24-2014 02:16 PM
Thanks for the reply, but you're missing the point.
There is zero access to the internet from Inside. The servers can only talk to the main servers at headquarters via IPsec.
There is only one protocol suite that goes through the router, IPSec.
I will have SSH into the router. That's all there is.
I don't think the IOS FW will add anything above the ACLs, yes?
07-24-2014 05:57 PM
Well, if you didn't configure the IOS firewall, then it will not affect
Furthermore, even if you did configure the classes for the FW, if you didn't apply it to the interface it will still not affect
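
The ACL-only baseline the original poster describes (IPsec as the only traffic through the router, SSH for management), as an added IOS configuration sketch that is not from any participant in this thread. All addresses are constructed documentation values, and the ACL names, interface name, and the assumption that SSH arrives from an HQ management subnet through the tunnel are hypothetical.

```cisco
! Constructed example. Assumed values:
!   203.0.113.10  = HQ IPsec peer (placeholder)
!   198.51.100.2  = this router's outside address (placeholder)
!   10.0.0.0/24   = HQ management subnet reached through the tunnel (placeholder)
!
ip access-list extended OUTSIDE-IN
 remark IKE and NAT-T, from the HQ peer only
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.2 eq non500-isakmp
 remark ESP, from the HQ peer only
 permit esp host 203.0.113.10 host 198.51.100.2
 remark Everything else is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (assumed interface name)
 ip access-group OUTSIDE-IN in
!
! Restrict who may open an SSH session to the router itself
ip access-list standard MGMT-SSH
 permit 10.0.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-SSH in
```

The `log` keyword on the deny entries gives a hit count and syslog record for anything other than the tunnel peer reaching the outside interface, which is the visibility an ACL-only design would otherwise lack.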