02-04-2019 04:42 AM
Hello, I have to replace a Cisco 1841 and install a Cisco 4331. The problem is that I have ip inspect configured in the old router and the Cisco 4331 doesn't support it.
I have investigated it, and what I have to use is ZBFW. The configuration in the old router is the following:
ip inspect name TEST udp
ip inspect name TEST tcp
ip inspect name TEST ssh
ip inspect name TEST isakmp
ip inspect name TEST icmp
interface FastEthernet0/1
 description ### CONNECTION TO ###
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip verify unicast reverse-path
 ip inspect TEST out
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
!
How can I replace it, and how can I test whether the new configuration works? I hope you can give me some advice.
Regards
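A ZBFW equivalent of the `ip inspect TEST out` configuration above, added here as an example; it is not from the original thread or from any of the posters. Interface names (Gi0/0/0 facing the provider, Gi0/0/1 facing the LAN), zone and class-map names, and the idle-timer values are assumptions.

```ios
! Added example (not from the thread): ZBFW equivalent of "ip inspect TEST out".
! Assumptions: Gi0/0/0 faces the provider (was Fa0/1), Gi0/0/1 faces the LAN.
! Zones replace the per-interface "ip inspect ... out" direction: traffic is
! inspected INSIDE -> OUTSIDE and the return traffic is allowed by session state.
zone security INSIDE
zone security OUTSIDE
!
! Same protocol list as "ip inspect name TEST ..." (ssh is already covered by tcp).
class-map type inspect match-any CM-TEST
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol isakmp
!
! CBAC idle timers were global commands; under ZBFW they live in a parameter-map.
! Values are illustrative, the old router used the defaults.
parameter-map type inspect PMAP-TEST
 tcp idle-time 3600
 udp idle-time 30
!
policy-map type inspect PM-TEST
 class type inspect CM-TEST
  inspect PMAP-TEST
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-TEST
!
interface GigabitEthernet0/0/0
 description ### CONNECTION TO ###
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip verify unicast reverse-path
 zone-member security OUTSIDE
!
interface GigabitEthernet0/0/1
 zone-member security INSIDE
!
! Caveat: no zone-pair involving the "self" zone is defined, so traffic sourced
! by or destined to the router itself (ISAKMP/IPsec terminated on the router,
! SNMP, SSH management) is not restricted by this policy and stays permitted,
! as it is without a zone-pair. Add a self zone-pair if it must be inspected.
!
! Verification after cut-over, while traffic is flowing:
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-OUT sessions
! show policy-map type inspect zone-pair IN-TO-OUT
```

The last two show commands list the stateful sessions the policy has created and the per-class match, inspect and drop counters, which is the check that the new policy is actually passing and returning the same traffic the old inspect rule did.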
02-04-2019 05:02 AM
Which IOS are you running? The 4331 should support CBAC (ip inspect) if you enable the firewall feature.
Type:
4331#auto secure
and follow the prompts until you see:
Configure CBAC Firewall feature? [yes/no]:
02-04-2019 06:52 AM
Georg,
By default, the new routers run this IOS file: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin
But I've downloaded one of the recommended IOS versions for the ISR 4331 from Cisco's website: isr4300-universalk9.16.06.05.SPA.bin
Whatever the version, I've seen that there isn't any IOS version for the Cisco 4331 that is compatible with ip inspect:
https://learningnetwork.cisco.com/thread/86420
https://community.cisco.com/t5/firewalls/firewall-on-isr-4300-router/td-p/2703291
02-04-2019 07:15 AM
Hello,
CBAC would be available in the default IOS-XE version that you mentioned (see the link below); since you upgraded to 16.06, the command might not be there.
CBAC is different from the ZBF; basically, if you have the Zone Based Firewall configured, you would not need CBAC anymore anyway...
02-04-2019 07:22 AM
Georg, using the default IOS version, CBAC is not available. I have tried to do what you told me, running the default IOS version:
Router#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***
All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: no
Router#
Regards
02-04-2019 07:29 AM
Hello,
One of the options of AutoSecure is to enable CBAC. Follow the prompts (as indicated in the link below) and see if you can enable CBAC:
02-04-2019 08:16 AM
Georg, I have activated CBAC in the router, and when I do, the router automatically writes a configuration. But when it applies the new configuration, it shows an invalid input. This is a part of the console output:
ip inspect udp idle-time 1800
^
% Invalid input detected at '^' marker.
ip inspect name autosec_inspect cuseeme timeout 3600
^
% Invalid input detected at '^' marker.
ip inspect name autosec_inspect ftp timeout 3600
^
% Invalid input detected at '^' marker.
ip inspect name autosec_inspect http timeout 3600
^
% Invalid input detected at '^' marker.
ip inspect name autosec_inspect rcmd timeout 3600
^
% Invalid input detected at '^' marker.
ip inspect name autosec_inspect realaudio timeout 3600
^
% Invalid input detected at '^' marker.
And when I try to do it manually, this happens:
testing(config)#ip ins?
% Unrecognized command
testing(config)#ip ins
02-04-2019 09:01 AM
Hello,
Can you post the output of:
show auto secure config