
Cisco IOS firewall commands not working

filippos111
Level 1

I have a Cisco 2811 router and I want to experiment on the IOS firewall.

The thing is, none of the commands that are proposed in online guides - like ip inspect, ip audit, etc. - seem to be working. I just get "unrecognized command" on a router that is supposed to support such features. I'm wondering if it has something to do with the IOS image.

My show version output is this:

Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.3(11)T9, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Tue 13-Dec-05 08:24 by ccai

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

NAT uptime is 4 minutes

System returned to ROM by reload at 13:07:12 UTC Sat Mar 9 2013

System image file is "flash:c2800nm-spservicesk9-mz.123-11.T9.bin"

Any ideas?


Peter Paluch
Cisco Employee

Hello Filippos,

Indeed, it seems that your IOS Feature Set does not contain the IOS Firewall capabilities. You would most probably need Advanced Security or Advanced IP Services, not the SP Services you're running currently.

Do you have an option of changing the IOS? Are you using the router for any specific purposes?

Best regards,

Peter

Thanks for the reply. I never thought about the feature set.

And no, the router is not currently used for anything. I am thinking about setting it up as a NAT gateway device on a small network and would like to add some simple firewall features. I suppose it's easy to install the appropriate image, though I probably should make a backup of this one as well.

Hello Filippos,

Yes, installing a new image is easy - you simply download it into the FLASH via HTTP, FTP, TFTP or SCP and remove the old image (while they both can be present, doing that will double the loading time, as always the first IOS in the FLASH will load, and after it boots up and finds out you wanted a different IOS, it starts loading another IOS).

I strongly recommend backing up the current IOS. You can again use FTP, TFTP or SCP for that.

I suppose you are familiar with the copy command to accomplish this but if you don't feel comfortable using it please let me know.

Best regards,

Peter
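
The backup-and-replace procedure described in the reply above, written out as IOS exec commands. This is an added example, not part of the original thread; the TFTP server address 192.0.2.10 and the file name `<new-image>.bin` are placeholders, and it assumes the running release supports `verify /md5`.

```cisco
! Constructed values: 192.0.2.10 is a placeholder TFTP server address and
! <new-image>.bin is a placeholder for the replacement image file name.

! 1. Check what is in flash and how much free space is left
Router# show flash:

! 2. Back up the current image (file name from the show version output above)
Router# copy flash:c2800nm-spservicesk9-mz.123-11.T9.bin tftp://192.0.2.10/c2800nm-spservicesk9-mz.123-11.T9.bin

! 3. Copy the replacement image into flash
Router# copy tftp://192.0.2.10/<new-image>.bin flash:

! 4. Hash the copied file and compare the result with the checksum
!    published for that image on Cisco's download page
Router# verify /md5 flash:<new-image>.bin

! 5. Point the boot sequence at the new image explicitly, so the router
!    does not load whichever image happens to be first in flash
Router# configure terminal
Router(config)# no boot system
Router(config)# boot system flash:<new-image>.bin
Router(config)# end
Router# copy running-config startup-config

! 6. Reload and confirm which image actually booted
Router# reload
Router# show version | include image file

! 7. Only after the new image is confirmed running, remove the old one
Router# delete flash:c2800nm-spservicesk9-mz.123-11.T9.bin
```

TFTP carries the image unauthenticated and in cleartext, so the checksum comparison in step 4 is what establishes that the file in flash is the one that was published; SCP, which the reply also lists, protects the transfer itself.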

Okay, I got it working, it was fairly easy. My IOS is now C2800NM-ADVIPSERVICESK9-M, and of course ip inspect is available. Thanks for the help.

Could you by any chance suggest any CBAC tutorials on-line? I've checked out some on the Cisco website under "Configuration examples and TechNotes" but most are referring to different routers or they are too complex for my network.

Hi Filippos,

I am glad you have it running.

Regarding CBAC tutorials, this one is actually one of the first I've found when I Googled for 'CBAC tutorial':

http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/

The chapter and subchapters can be navigated between using the tree at the bottom of each page.

And of course, the official Cisco documentation about CBAC here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/12-4/sec-data-cbac-fw-12-4-book.pdf

Start on page 23 (it's actually the 35th page of the PDF).

Best regards,

Peter