
ZBFW from Cisco 1841 to Cisco 4331

Hello, I have to change a Cisco 1841 and install a Cisco 4331. The problem is I have ip inspect configured in the old router and Cisco 4331 doesn't support it.

I have investigated it and what I have to use is ZBFW. The configuration in the old router is the following:

ip inspect name TEST udp
ip inspect name TEST tcp
ip inspect name TEST ssh
ip inspect name TEST isakmp
ip inspect name TEST icmp

interface FastEthernet0/1
 description ### CONNECTION TO  ###
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip verify unicast reverse-path
 ip inspect TEST out
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
!

How can I replace it and test whether the new one works? I hope you can give me a piece of advice.

Regards
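Added example, not taken from any post in this thread: a Zone-Based Firewall configuration that reproduces what the "ip inspect TEST out" line in the question does (tcp, udp and icmp inspected from the LAN towards the WAN, return traffic admitted by the session table, unsolicited inbound connections dropped), followed by the show commands used to confirm it is working. The interface names GigabitEthernet0/0/0 (LAN) and GigabitEthernet0/0/1 (WAN) and the zone, class-map and policy-map names are assumptions; the address mask and the ip verify line are copied from the question.

```cisco
! Added example (not from the thread): ZBFW equivalent of "ip inspect TEST out".
! Interface names and the INSIDE/OUTSIDE/CM-/PM- names are assumptions.
!
! 1. Define the two security zones.
zone security INSIDE
zone security OUTSIDE
!
! 2. Select the traffic to inspect statefully. The old inspect list named
!    udp, tcp, ssh, isakmp and icmp; ssh and isakmp are carried by tcp/udp,
!    so the generic matches cover them.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Inspect matching traffic; drop and log everything else.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! 4. Apply the policy in the INSIDE -> OUTSIDE direction only. Replies are
!    admitted by the session table; because no OUTSIDE -> INSIDE zone-pair
!    exists, unsolicited inbound connections are dropped.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 5. Place the interfaces in their zones. The WAN interface keeps the
!    addressing and uRPF settings from the old FastEthernet0/1.
interface GigabitEthernet0/0/0
 description ### LAN ###
 zone-member security INSIDE
!
interface GigabitEthernet0/0/1
 description ### CONNECTION TO  ###
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip verify unicast reverse-path
 zone-member security OUTSIDE
!
! 6. Verify: start a few connections from the LAN, then check that the
!    zone-pair is bound, that sessions appear, and that class-default
!    counters show the drops you expect.
!    show zone-pair security
!    show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
!    show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE
```

Two points to check before swapping the routers. First, the CBAC snippet in the question shows no inbound ACL on the WAN interface, so if the old 1841 relied on an ACL elsewhere to admit inbound services, those need their own OUTSIDE to INSIDE zone-pair and policy; ZBFW denies inter-zone traffic that has no zone-pair. Second, traffic to and from the router itself (the self zone, which is where the router's own IKE/isakmp traffic would fall if it terminates a VPN) is permitted by default in ZBFW unless a self-zone policy is configured, so it does not need an entry in the class-map above.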

 

7 Replies
VIP Mentor

Re: ZBFW from Cisco 1841 to Cisco 4331

Which IOS are you running? The 4331 should support CBAC (ip inspect) if you enable the firewall feature.

Type:

4331#auto secure

and follow the prompts until you see:

Configure CBAC Firewall feature? [yes/no]:

Re: ZBFW from Cisco 1841 to Cisco 4331

Georg,

By default, the new routers run this IOS file: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

But I've downloaded one of the recommended IOS versions for the ISR 4331 from Cisco's website: isr4300-universalk9.16.06.05.SPA.bin

Whatever, I've seen that there is no IOS version for the Cisco 4331 that is compatible with ip inspect:

https://learningnetwork.cisco.com/thread/86420

https://community.cisco.com/t5/firewalls/firewall-on-isr-4300-router/td-p/2703291

VIP Mentor

Re: ZBFW from Cisco 1841 to Cisco 4331

Hello,

CBAC would be available in the default IOS-XE version that you mentioned (see the link below); since you upgraded to 16.06, the command might not be there.

CBAC is different from ZBF; basically, if you have the Zone Based Firewall configured, you would not need CBAC anymore anyway...

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/sec-usr-cfg-xe-3s-book/sec-autosecure.html

Re: ZBFW from Cisco 1841 to Cisco 4331

Georg, using the default IOS version, CBAC is not available. I have tried to do what you told me, running the default IOS version:

Router#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: no
Router#

Regards

VIP Mentor

Re: ZBFW from Cisco 1841 to Cisco 4331

Hello,

One of the options of AutoSecure is to enable CBAC. Follow the prompts (as indicated in the link below) and see if you can enable CBAC:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/sec-usr-cfg-xe-3s-book/sec-autosecure.html#GUID-05935C3E-5310-4995-8F34-671BF8C669FE

Re: ZBFW from Cisco 1841 to Cisco 4331

Georg, I have activated CBAC in the router, and when I do, the router automatically writes a configuration. But when it applies the new configuration, it reports invalid input. This is part of the console:

ip inspect udp idle-time 1800
     ^
% Invalid input detected at '^' marker.

ip inspect name autosec_inspect cuseeme timeout 3600
     ^
% Invalid input detected at '^' marker.

ip inspect name autosec_inspect ftp timeout 3600
     ^
% Invalid input detected at '^' marker.

ip inspect name autosec_inspect http timeout 3600
     ^
% Invalid input detected at '^' marker.

ip inspect name autosec_inspect rcmd timeout 3600
     ^
% Invalid input detected at '^' marker.

ip inspect name autosec_inspect realaudio timeout 3600
     ^
% Invalid input detected at '^' marker.

And when I try to do it manually, this happens:

testing(config)#ip ins?
% Unrecognized command
testing(config)#ip ins

VIP Mentor

Re: ZBFW from Cisco 1841 to Cisco 4331

Hello,

Can you post the output of:

show auto secure config
